Children Privacy & COPPA FAQ: Parental Consent, Age Verification & Compliance (2026)

Children's online privacy is one of the most heavily regulated areas of data protection law. The Children's Online Privacy Protection Act (COPPA) establishes strict requirements for websites and online services directed at children under 13, while newer laws like California's Age-Appropriate Design Code extend protections to older minors. This FAQ covers COPPA compliance requirements, parental consent mechanisms, age verification methods, FERPA obligations for schools, EdTech privacy contracts, and the growing body of state and international laws protecting children's digital privacy in 2026.

Frequently Asked Questions

Q: What is COPPA and who does it apply to?

The Children's Online Privacy Protection Act (COPPA), codified at 15 USC Section 6501-6506 and implemented through the FTC's COPPA Rule (16 CFR Part 312), is the primary federal law governing the online collection of personal information from children under 13 in the United States. Enacted in 1998 and significantly updated in 2013, COPPA reflects Congress's determination that children deserve special protections in the digital environment.

COPPA applies to two categories of operators:

  • Operators of websites or online services directed to children under 13: Sites or services whose subject matter, visual content, use of animated characters, advertising, or other characteristics indicate they are designed for children. The FTC considers several factors including the service's purpose, whether it uses child-oriented activities and incentives, and whether advertising on the site targets children
  • Operators of general audience sites with actual knowledge: Any commercial website or online service that has actual knowledge that it is collecting personal information from a user who is under 13. This means general audience sites cannot simply ignore children's use - if they have actual knowledge of a child user (e.g., through age gates or user communications), COPPA obligations are triggered

COPPA's requirements include: posting a clear, comprehensive privacy policy describing data practices for children's personal information, providing direct notice to parents about information practices, obtaining verifiable parental consent before collecting personal information from children, giving parents the ability to review and delete their child's information, not conditioning a child's participation on providing more information than reasonably necessary, and maintaining the confidentiality and security of children's data. Non-profit organizations are generally exempt from COPPA unless they operate for commercial purposes. Schools can consent on behalf of parents for educational purposes under the "school consent" exception.

Legal Reference: 15 USC Section 6501-6506 - Children's Online Privacy Protection Act; 16 CFR Part 312 - COPPA Rule

Q: What is the California Age-Appropriate Design Code (AB 2273)?

The California Age-Appropriate Design Code Act (AB 2273), signed into law in September 2022, represents a significant expansion of children's online privacy protections beyond the federal COPPA framework. Modeled on the United Kingdom's Age Appropriate Design Code (also known as the Children's Code), AB 2273 extends protections to all children under 18, not just those under 13.

Key requirements of the California AADC:

  • Data Protection Impact Assessments (DPIAs): Businesses must complete DPIAs for any online service, product, or feature likely to be accessed by children, addressing potential harms arising from data management practices
  • Privacy by default: Default settings must offer the highest level of privacy, unless the business can demonstrate a compelling reason for a different default that is in the best interest of the child
  • Prohibition on harmful uses: Businesses may not use children's personal information in ways that are detrimental to the child's physical health, mental health, or wellbeing. This includes prohibiting dark patterns that lead children to provide more personal information or lower their privacy protections
  • Age estimation: Businesses must estimate the age of child users with a reasonable level of certainty, which may require implementing age estimation or age verification technology
  • Prominent privacy information: Privacy information, terms of service, and community standards must be provided in clear, age-appropriate language
  • Restrictions on profiling: Profiling children is prohibited by default unless there are appropriate safeguards and the profiling is necessary to provide the service

The AADC faced a significant legal challenge in NetChoice v. Bonta, where a federal district court issued a preliminary injunction in September 2023, finding that certain provisions likely violated the First Amendment. The case has been appealed and the ultimate enforceability of the law remains in litigation. Despite the legal uncertainty, the AADC represents the direction of children's privacy regulation, and similar legislation has been proposed in multiple other states and at the federal level. Businesses should monitor the litigation outcome and prepare for compliance with age-appropriate design principles.

Legal Reference: Cal. Civ. Code Section 1798.99.28 et seq. (AB 2273 - California Age-Appropriate Design Code Act); NetChoice, LLC v. Bonta, No. 22-cv-08861 (N.D. Cal.)

Q: How does FERPA protect student privacy in schools?

The Family Educational Rights and Privacy Act (FERPA), codified at 20 USC Section 1232g and implemented through 34 CFR Part 99, protects the privacy of student education records maintained by educational agencies and institutions that receive federal funding from the U.S. Department of Education. Virtually all public schools and most private colleges and universities are subject to FERPA.

FERPA provides parents (and eligible students who are 18 or older or attending post-secondary institutions) with several key rights:

  • Right to inspect and review: Parents and eligible students have the right to inspect and review the student's education records maintained by the school within 45 days of a request
  • Right to request amendment: Parents and eligible students may request correction of records they believe are inaccurate or misleading. If the school refuses, the parent has the right to a formal hearing
  • Right to consent to disclosure: Schools generally must obtain written consent before disclosing personally identifiable information from education records, with specific exceptions
  • Right to file complaints: Parents and eligible students can file complaints with the U.S. Department of Education's Family Policy Compliance Office

Key exceptions allowing disclosure without consent include:

  • School officials with legitimate educational interests (the most commonly used exception)
  • Transfer to another school where the student seeks to enroll
  • Certain audit, evaluation, or accreditation purposes
  • Financial aid determinations
  • State and local education authorities for education programs
  • Health or safety emergencies
  • Directory information (name, address, phone, etc.) - but parents must be notified and given the opportunity to opt out

FERPA interacts with COPPA in the school context: the FTC has recognized a "school consent" exception where schools can consent to the collection of student information on behalf of parents for educational purposes, provided the information is used solely for school-authorized educational purposes and not for commercial purposes.

Legal Reference: 20 USC Section 1232g - Family Educational Rights and Privacy Act; 34 CFR Part 99 - FERPA Regulations

Q: What privacy requirements apply to EdTech companies and school contracts?

The intersection of education technology and student privacy has become one of the most active areas of children's privacy law. EdTech companies that process student data through school-provided services face a complex web of federal and state requirements that affect how they collect, use, store, and share student information.

Federal Requirements:

  • FERPA: EdTech providers that receive student education records from schools are subject to FERPA's restrictions as "school officials" when designated as such in the school's annual FERPA notification. They may only use education records for the purposes specified by the school
  • COPPA: EdTech providers serving children under 13 may rely on the school consent exception, where the school consents on behalf of parents for the collection of student data solely for educational purposes. This consent does not extend to commercial use of student data

State Student Privacy Laws:

  • California SOPIPA (SB 1177): Prohibits K-12 EdTech operators from using student data for non-educational commercial purposes, selling student information, using student data for targeted advertising, and creating advertising profiles of students
  • New York Education Law Section 2-d: Requires EdTech vendors to maintain data privacy and security standards, submit to compliance audits, and complete Data Privacy Agreements with school districts
  • Student Privacy Pledge: While voluntary, the Future of Privacy Forum's Student Privacy Pledge commits signatories to responsible data practices and is referenced in some state laws and school procurement requirements

Best Practices for EdTech Contracts:

  • Include specific data privacy provisions defining what data is collected, how it is used, who has access, and when it is deleted
  • Prohibit use of student data for non-educational purposes, including advertising, profiling, and sale to third parties
  • Require data deletion or return upon contract termination
  • Mandate breach notification to the school within a specified timeframe (typically 24-72 hours)
  • Specify security requirements including encryption, access controls, and regular audits

Legal Reference: Cal. Bus. & Prof. Code Section 22584 (SOPIPA); N.Y. Educ. Law Section 2-d - Data privacy and security of student data

Q: What age verification methods are acceptable under children's privacy laws?

Age verification is one of the most challenging aspects of children's privacy compliance, requiring operators to balance effective identification of child users against usability, privacy, and technical feasibility. Different regulatory frameworks impose different standards for age verification.

Common Age Verification Methods:

  • Age gates (self-declaration): Asking users to enter their birth date or confirm they are over a specified age. This is the most common method but also the least reliable, as children can easily misrepresent their age. The FTC has recognized that neutral age gates (that do not prompt the "right" answer) satisfy COPPA's knowledge standard for general audience sites
  • Facial age estimation: Using AI-powered technology to estimate a user's age from a selfie or video. Companies like Yoti and VerifyMy provide age estimation services that can estimate age within a margin of error. This method raises its own privacy concerns, as it involves collecting biometric data to verify age
  • Government ID verification: Requiring users to submit a government-issued identification document. This is the most reliable method but raises privacy concerns about collecting sensitive documents and creates friction in the user experience
  • Credit card verification: Using a credit card transaction (even a zero-dollar authorization) as a proxy for age, since minors generally cannot obtain credit cards. This method is accepted under COPPA for parental consent verification
  • Digital identity solutions: Emerging approaches using digital identity wallets or trusted identity providers that can confirm age attributes without revealing other personal information

Regulatory Requirements by Framework:

  • COPPA: Does not mandate a specific age gate method for general audience sites, but operators must not design age gates to encourage children to falsify their age. If an operator has actual knowledge of a child user (even through a failed age gate), COPPA obligations are triggered
  • California AADC: Requires businesses to "estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business." This may require more than a simple age gate for higher-risk services
  • EU Digital Services Act: Requires platforms to implement measures to ensure a high level of privacy, safety, and security of minors, which may include age verification
  • UK Age Appropriate Design Code: Requires establishing the age of users with a level of certainty appropriate to the risks to children arising from the data processing

Legal Reference: 16 CFR Section 312.2 - Definition of actual knowledge under COPPA; Cal. Civ. Code Section 1798.99.31(a)(4) - Age estimation requirement (AADC)

Q: What are the penalties for COPPA violations?

COPPA is enforced primarily by the Federal Trade Commission (FTC) under its authority to prevent unfair or deceptive acts or practices. The FTC can seek civil penalties, injunctive relief, and other remedies. State attorneys general may also enforce COPPA in federal court.

Major FTC COPPA Enforcement Actions:

  • Epic Games/Fortnite ($275 million, 2022): The largest COPPA penalty ever, for collecting personal information from children under 13 without parental consent and using manipulative dark patterns
  • YouTube/Google ($170 million, 2019): FTC and New York AG found YouTube illegally collected personal information from children via cookies for targeted advertising without parental consent
  • Musical.ly/TikTok ($5.7 million, 2019): For collecting personal information from children under 13 without parental consent
  • Amazon/Alexa ($25 million, 2023): For retaining children's voice recordings and geolocation information in violation of COPPA
  • Microsoft/Xbox ($20 million, 2023): For collecting personal information from children who signed up for Xbox Live without parental consent

There is no private right of action under COPPA. However, COPPA violations can support related state law claims. FTC consent decrees typically require comprehensive privacy programs, independent assessments for 20 years, and deletion of improperly collected data.

Legal Reference: 15 USC Section 6505 - Administration and applicability of COPPA; FTC enforcement under Section 5 of the FTC Act

Q: What constitutes personal information under COPPA?

COPPA's definition of "personal information" is broader than many operators realize. Under 16 CFR Section 312.2, personal information includes any individually identifiable information about a child collected online:

  • Full name: A child's first and last name
  • Physical address: Home or other physical address including street name and city
  • Contact information: Email address or similar identifier permitting direct contact
  • Telephone number
  • Social Security number
  • Persistent identifiers: Cookie values, IP addresses, device IDs, unique identifiers - when used for functions other than internal operations
  • Photographs, videos, and audio: Files containing a child's image or voice
  • Geolocation data: Sufficient to identify street name and city or town
  • Combined information: Any information combined with the above identifiers permitting child identification

The "internal operations" exception is important: operators may collect persistent identifiers without parental consent if used solely for supporting internal operations (contextual advertising, frequency capping, legal compliance, site analysis). However, using these identifiers for behavioral advertising or building user profiles requires parental consent.

Legal Reference: 16 CFR Section 312.2 - Definition of personal information

Q: What international laws protect children's privacy online?

Children's online privacy is a global concern, and numerous countries and regions have enacted laws specifically protecting minors' data. Understanding the international landscape is essential for companies operating globally or serving users across borders.

European Union - GDPR (Article 8 and Recital 38):

  • Article 8 requires parental consent for processing personal data of children in relation to information society services. The default age threshold is 16, but member states may lower it to as young as 13
  • Actual implementations vary: Ireland, France, and the Netherlands set the age at 16; the UK, Spain, and Denmark set it at 13; Germany and Croatia set it at 16; Italy at 14
  • Recital 38 states that children merit "specific protection" because they may be less aware of risks and consequences of data processing
  • The GDPR requires age verification with "reasonable efforts" using available technology

United Kingdom - Age Appropriate Design Code (2021):

  • Applies to information society services likely to be accessed by children under 18
  • Establishes 15 standards including: best interests of the child assessment, age-appropriate application, transparency, detrimental use prohibition, default privacy settings, data minimization, data sharing limitations, geolocation restrictions, parental controls, profiling prohibition, nudge techniques prohibition, connected toys requirements, and online tools for exercising rights
  • Enforced by the Information Commissioner's Office (ICO) with GDPR-level penalties

Other International Frameworks:

  • Australia - Online Safety Act (2021): Established the eSafety Commissioner with powers to require removal of harmful content and issue penalties. Includes Basic Online Safety Expectations for social media, messaging, and gaming services
  • South Korea - PIPA: Requires separate consent from legal guardians for processing data of children under 14, with verification of guardian identity
  • Brazil - LGPD (Article 14): Processing of children's personal data must be performed in their best interest, with specific and prominent consent from at least one parent or legal guardian
  • China - Personal Information Protection Law (PIPL): Classifies data of minors under 14 as sensitive personal information requiring parental consent and separate data protection impact assessments

Legal Reference: EU GDPR Article 8 - Conditions applicable to child's consent; UK Age Appropriate Design Code (ICO, 2021)

Q: How should developers build COPPA-compliant applications?

Building COPPA-compliant applications requires integrating privacy protections into the design and development process from the outset, rather than treating compliance as an afterthought. Developers should follow a privacy-by-design approach that minimizes data collection and maximizes child safety.

Development Compliance Checklist:

  1. Conduct COPPA applicability assessment: Determine whether your service is "directed to children" by evaluating subject matter, visual content, use of animated characters, age of models, presence of child celebrities, advertising content, and presence of child-oriented features. If the service is general audience but may attract children, implement a neutral age gate
  2. Implement neutral age gates: If your service is general audience, implement an age gate that does not encourage children to falsify their age. Do not allow retry after indicating an age under 13. Use persistent cookies or device identifiers to prevent circumvention
  3. Build parental consent flows: Implement one or more FTC-approved verifiable parental consent methods. Document the consent process thoroughly. Provide parents with ongoing access to review, modify, and delete their child's information
  4. Minimize data collection: Do not collect more personal information than is reasonably necessary for the child to participate in the activity. Disable features that require unnecessary data collection for child users
  5. Audit third-party SDKs: Review all third-party SDKs, analytics tools, and advertising networks integrated into your application. Many common SDKs (analytics, crash reporting, advertising) collect persistent identifiers that constitute personal information under COPPA. Use only COPPA-compliant SDK configurations
  6. Disable behavioral advertising: Do not serve behaviorally targeted advertising to known child users. Contextual advertising (based on page content rather than user data) is permitted
  7. Implement data security: Encrypt all personal information in transit and at rest. Implement access controls limiting who can access children's data. Conduct regular security assessments
  8. Build data deletion capabilities: Implement systems to delete children's personal information upon parental request or when no longer needed for the purpose collected. This includes data held by third-party service providers
  9. Create a COPPA-compliant privacy policy: Post a clear, comprehensive privacy policy that specifically addresses children's data practices, is accessible from every page where children's information is collected, and is written in language parents can understand
  10. Establish COPPA-safe harbor participation: Consider joining an FTC-approved COPPA safe harbor program (such as kidSAFE, PRIVO, or ESRB) that provides guidelines and independent assessments of compliance
Legal Reference: 16 CFR Section 312.4 - Notice requirements; 16 CFR Section 312.8 - Confidentiality, security, and integrity; 16 CFR Section 312.11 - Safe harbor programs
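
A server-side sketch of checklist items 2 and 4, added here as an illustration and not taken from the original page or any vendor: the gate records only its outcome (never the birth date) in a persistent cookie, and an under-13 outcome blocks any retry. The cookie format, the HMAC signing (so the recorded outcome cannot be edited into a pass), the function names and the in-memory key are assumptions of this example.

```javascript
const nodeCrypto = require("node:crypto");

const MIN_AGE = 13;
// Assumption: a real service loads this key from a secret store.
const GATE_KEY = nodeCrypto.randomBytes(32);

const mac = (payload) =>
  nodeCrypto.createHmac("sha256", GATE_KEY).update(payload).digest("base64url");

// Cookie value: "<outcome>.<issued-at ms>.<HMAC>". Only the outcome is stored,
// never the birth date itself (data minimization).
function issueGateCookie(outcome, now) {
  const payload = `${outcome}.${now.getTime()}`;
  return `${payload}.${mac(payload)}`;
}

// Returns "under13", "ok", or null when the cookie is absent or was modified.
function readGateCookie(cookie) {
  if (typeof cookie !== "string") return null;
  const cut = cookie.lastIndexOf(".");
  if (cut < 0) return null;
  const payload = cookie.slice(0, cut);
  const given = Buffer.from(cookie.slice(cut + 1));
  const expected = Buffer.from(mac(payload));
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  const outcome = payload.split(".")[0];
  return outcome === "under13" || outcome === "ok" ? outcome : null;
}

// Whole years between a YYYY-MM-DD birth date and `now` (UTC); null if invalid.
function ageInYears(birthDate, now) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(birthDate);
  if (!m) return null;
  const [y, mo, d] = m.slice(1).map(Number);
  const birth = new Date(Date.UTC(y, mo - 1, d));
  const realDate = birth.getUTCFullYear() === y &&
    birth.getUTCMonth() === mo - 1 && birth.getUTCDate() === d;
  if (!realDate || birth > now) return null;
  const age = now.getUTCFullYear() - y;
  const nowMonth = now.getUTCMonth() + 1;
  const beforeBirthday =
    nowMonth < mo || (nowMonth === mo && now.getUTCDate() < d);
  return beforeBirthday ? age - 1 : age;
}

function evaluateAgeGate({ birthDate, cookie }, now = new Date()) {
  const prior = readGateCookie(cookie);
  // A recorded under-13 answer is final: a second, older birth date is ignored.
  if (prior === "under13") {
    return { decision: "parental_consent_required", setCookie: cookie };
  }
  if (prior === "ok") return { decision: "allow", setCookie: cookie };
  const age = ageInYears(String(birthDate), now);
  if (age === null) return { decision: "invalid_input", setCookie: null };
  const outcome = age < MIN_AGE ? "under13" : "ok";
  return {
    decision: outcome === "ok" ? "allow" : "parental_consent_required",
    setCookie: issueGateCookie(outcome, now),
  };
}
```

The caller would send `setCookie` back with a long `Max-Age` and the `HttpOnly` and `Secure` attributes. A cleared cookie still resets the gate, which is the gap the checklist's device-identifier option is meant to narrow.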
