COPPA Compliance: Complete Guide to Children’s Privacy Policies in 2026
Everything you need to know about COPPA requirements, children’s data protection, and creating a compliant privacy policy for apps and websites that serve young users.
If your app, website, or online service collects information from children, you need to understand COPPA. The Children’s Online Privacy Protection Act is one of the strictest privacy laws in the United States, with penalties reaching millions of dollars for violations. Whether you’re building an educational app, a gaming platform, or a general-audience website that attracts young users, COPPA compliance is non-negotiable.
This guide covers everything you need to know about COPPA in 2026, including who must comply, what the law requires, how it compares to international children’s privacy frameworks like GDPR-K and the UK Age Appropriate Design Code, and how to create a compliant children’s privacy policy.
What is COPPA?
The Children’s Online Privacy Protection Act (COPPA) is a US federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC). COPPA imposes strict requirements on operators of websites and online services that collect personal information from children under 13 years of age.
The law was designed to give parents control over what information is collected from their young children online. COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13, and to operators of general-audience sites or services that have actual knowledge they are collecting personal information from children under 13.
Who Needs to Comply with COPPA?
COPPA applies to operators of commercial websites and online services that meet one or more of the following criteria:
- Directed to children: Your website or app is primarily targeted at children under 13
- Actual knowledge: You have actual knowledge that you’re collecting personal information from children under 13, even if your site is general-audience
- Child-directed sections and mixed-audience services: If your general-audience service has a separate section or feature directed to children, COPPA applies to that section. A “mixed audience” service (one directed to children, but not as its primary audience) may age-screen its users and apply COPPA only to those who identify as under 13
- Third-party plug-ins, SDKs, and ad networks: If you operate a plug-in, SDK, or ad network that collects personal information through a child-directed site or app, and you have actual knowledge that the site or app is child-directed, COPPA applies to you as well
Importantly, COPPA has extraterritorial reach. If you’re based outside the United States but your website or app is directed to US children or knowingly collects data from US children, you must comply with COPPA.
When Does COPPA Apply? Understanding “Directed to Children”
Determining whether your service is “directed to children” is critical. The FTC uses a multi-factor test, considering:
- Subject matter and visual content
- Use of animated characters, child-oriented activities and incentives, and music or other audio content
- Presence of child celebrities or celebrities who appeal to children
- Age of models in photographs or videos
- Language or other characteristics of the site
- Whether advertising on the site is directed to children
- Competent and reliable empirical evidence about the age of the audience
- Evidence regarding the intended audience (app store age rating, marketing materials)
The “Actual Knowledge” Standard
Even if your service is not directed to children, COPPA applies if you have actual knowledge that you’re collecting personal information from a child under 13. This includes situations where:
- A user self-identifies as being under 13 during registration
- You receive information from a third party (like a parent) that a user is under 13
- A child’s age is publicly available on their profile or account
Many general-audience platforms use age gates or age screening mechanisms to avoid obtaining actual knowledge. However, if you knowingly allow children under 13 to create accounts or use your service, COPPA applies.
Key COPPA Requirements
COPPA imposes several core obligations on covered operators:
1. Privacy Policy Requirements
You must post a clear and comprehensive privacy policy that describes your information practices for children’s personal information. The policy must be prominently displayed and include:
- The names of all operators collecting or maintaining children’s personal information through the site or service, with contact information (address, phone, email) for each; you may designate one operator to respond to parental inquiries, provided every operator is still named
- The types of personal information collected from children (name, address, email, photos, geolocation, persistent identifiers)
- How the information is collected (directly from child, passively via cookies/tracking)
- How the information is used
- Whether personal information is disclosed to third parties, and if so, which types of third parties and how they use the information
- Parental rights (right to review, delete, and refuse further collection)
- A statement that you will not condition participation in activities on disclosure of more information than is reasonably necessary
2. Verifiable Parental Consent
Before collecting, using, or disclosing personal information from a child, you must obtain verifiable parental consent. This is the cornerstone of COPPA. Methods the COPPA Rule recognizes include:
- Signed consent form returned by mail, fax, or electronic scan
- Credit card, debit card, or online payment transaction that notifies the account holder of each discrete transaction
- Toll-free telephone number staffed by trained personnel
- Video conference with trained personnel
- Government-issued ID checked against a database, with the ID deleted once verification is complete
- Knowledge-based authentication (dynamic, multiple-choice questions difficult enough that a child could not guess the answers)
For information you use only internally (not disclosed to third parties or made public), you may use “email plus”: the parent consents by email and you take an additional confirming step, such as a follow-up email after a reasonable delay, a letter, or a phone call.
3. Data Minimization and Conditional Access
You cannot require a child to provide more personal information than is reasonably necessary to participate in an activity. You also cannot condition a child’s participation on providing more information than is needed.
4. Parental Access Rights
Parents must be able to:
- Review the personal information collected from their child
- Refuse to permit further collection or use of their child’s information
- Request deletion of their child’s personal information
You must provide a reasonable way for parents to exercise these rights, described in your privacy policy.
5. Data Security
You must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information. This includes administrative, technical, and physical safeguards appropriate to the sensitivity of the data, and releasing the information only to service providers and third parties who are capable of maintaining its confidentiality and security and who give assurances that they will.
6. Data Retention and Deletion
You must retain children’s personal information only as long as is reasonably necessary to fulfill the purpose for which it was collected, and then securely delete it.
What a Children’s Privacy Policy Must Include
A COPPA-compliant children’s privacy policy must be more detailed than a standard privacy policy. It should include:
- Operator contact information: Name, address, phone number, and email for the operators collecting children’s information (every operator must be named; one may be designated as the point of contact for parents)
- Types of information collected: Exhaustive list including persistent identifiers (device IDs, cookies), geolocation, photos, audio, usernames, etc.
- Collection methods: Whether collected directly (registration forms) or passively (cookies, analytics)
- Use of information: Internal purposes (personalization, analytics) vs. external disclosure (ad networks, third-party services)
- Third-party disclosure: List of third-party categories (ad networks, analytics providers, cloud storage) and their uses
- Parental consent process: How consent is obtained (email-plus, credit card verification, etc.)
- Parental rights: How parents can review, delete, or refuse further collection of their child’s information
- No conditioning statement: Confirmation that you won’t condition participation on unnecessary data collection
The policy must be written in clear, understandable language. A link to it must appear on your home page and at each point where personal information is collected from children; for a mobile app, link to it from the app store listing and from within the app itself.
Generate Your COPPA-Compliant Children’s Privacy Policy
Creating a comprehensive children’s privacy policy that meets all COPPA requirements can be complex. LegalForge generates customized, legally compliant privacy policies tailored to your app or website’s specific data practices.
COPPA Fines and Enforcement
The FTC has broad enforcement powers under COPPA and has not hesitated to use them. Violations can result in civil penalties of up to $51,744 per violation (the maximum after the FTC’s 2024 inflation adjustment; the figure is adjusted annually). Given that each affected child can constitute a separate violation, penalties can quickly escalate into the millions.
Notable COPPA Enforcement Cases
- YouTube (2019): $170 million settlement for collecting children’s personal information without parental consent through cookies and persistent identifiers used for targeted advertising
- TikTok (2019): $5.7 million penalty for illegally collecting personal information from children, including names, email addresses, and location data
- Amazon (2023): $25 million civil penalty for retaining children’s Alexa voice recordings, transcripts, and geolocation data indefinitely in violation of COPPA, announced alongside a separate $5.8 million Ring settlement over unauthorized access to customers’ video
- Epic Games (2022): $275 million civil penalty, the largest COPPA penalty to that date, for collecting personal information from Fortnite players under 13 without parental consent and for default settings that turned on live voice and text chat for children and teens; a further $245 million in refunds addressed dark patterns in purchases
These cases demonstrate that both startups and tech giants are subject to enforcement. The FTC actively monitors child-directed apps and services, particularly in the education, gaming, and social media sectors.
COPPA vs. GDPR-K: International Children’s Privacy Frameworks
While COPPA applies to US children under 13, the European Union’s General Data Protection Regulation (GDPR) provides enhanced protections for children under 16 (or younger, depending on member state law). Often called “GDPR-K,” these provisions include:
- Age threshold: Higher age of consent (typically 13-16) for processing children’s data in the context of information society services
- Parental consent: Where processing relies on consent and the child is below the threshold, consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts, taking available technology into account, to verify this (GDPR Article 8)
- Data protection by design and by default: Article 25 applies to all processing, and Recital 38 calls for specific protection of children’s data, particularly for marketing, profiling, and services offered directly to children
- Clear language: Privacy policies must be written in clear, plain language that children can understand
If you operate globally, you may need to comply with both COPPA (for US children under 13) and GDPR (for EU children under 16). Many companies adopt the stricter standard across the board to simplify compliance.
UK Age Appropriate Design Code (Children’s Code)
The UK’s Age Appropriate Design Code came into force on 2 September 2020 with a 12-month transition period, so conformance has been expected since September 2021. It sets 15 standards for information society services likely to be accessed by children under 18. Key requirements include:
- Best interests of the child: Design with the best interests of children in mind
- Data minimization: Collect and retain only the minimum amount of personal data necessary
- Privacy by default: High privacy settings by default (geolocation off, sharing limited)
- Transparency: Provide clear, age-appropriate privacy information
- No nudge techniques: Don’t use nudge techniques to encourage children to provide unnecessary personal data or weaken privacy protections
- Limited data sharing: Turn off options to share location and personal data by default
- No profiling by default: Profiling must be off by default unless you can demonstrate a compelling reason and appropriate safeguards
The UK Information Commissioner’s Office (ICO) can impose significant fines for violations under data protection law. While the Children’s Code applies to UK children, many global platforms have adopted its standards more broadly due to its influence and the difficulty of maintaining different product versions by jurisdiction.
Best Practices for Apps and Websites Targeting Children
Beyond legal compliance, consider these best practices when building services for children:
1. Age Gating and Verification
Implement robust age gates at registration. If you’re a general-audience service, use neutral age gates (asking for a birth date) rather than asking “Are you under 13?”, which may encourage false responses. Record the outcome server-side and do not let the user retry after an under-13 answer, and return the same neutral response whatever the outcome so the page never reveals the threshold. Consider using age estimation technology for additional verification where appropriate.
2. Separate Children’s Experiences
Create separate, simplified experiences for users under 13 with enhanced privacy protections, limited data collection, and no behavioral advertising. YouTube Kids and YouTube’s supervised experiences are examples of this approach.
3. Privacy by Design for Children
Build privacy protections into your product from the start:
- Disable location sharing by default
- Limit communication features (no direct messaging for young children)
- Restrict profile visibility
- Avoid collecting unnecessary data like phone numbers or photos
- Use pseudonymous identifiers rather than real names where possible
4. Transparent and Simple Privacy Communications
Write privacy information that both parents and children can understand. Consider creating:
- A detailed privacy policy for parents (legal compliance)
- A simplified, visual privacy notice for children (icons, short text, videos)
- Just-in-time disclosures when collecting sensitive information
5. Regular Privacy Audits
Conduct regular audits of your data practices, third-party integrations, and SDK implementations. Many COPPA violations occur through third-party analytics or advertising SDKs that collect persistent identifiers without proper consent.
6. Staff Training
Ensure your product, engineering, and customer support teams understand COPPA requirements and your company’s children’s privacy policies. Create internal processes for handling parental access requests and deletion requests.
How to Create a COPPA-Compliant Privacy Policy
Creating a COPPA-compliant children’s privacy policy requires careful attention to the specific requirements outlined in the COPPA Rule. Here’s a step-by-step approach:
Step 1: Conduct a Data Inventory
Document all personal information you collect from children, including:
- Registration data (email, username, age)
- User-generated content (posts, comments, images, videos)
- Technical data (IP addresses, device identifiers, cookies)
- Geolocation data
- Audio/video recordings
Step 2: Map Third-Party Data Sharing
Identify all third parties that receive children’s personal information, including:
- Analytics providers (Google Analytics, Mixpanel, etc.)
- Cloud storage providers (AWS, Google Cloud, etc.)
- Advertising networks
- Customer support platforms
- Payment processors
Step 3: Define Your Parental Consent Process
Document how you will obtain and verify parental consent. Will you use email-plus, credit card verification, or another FTC-approved method? Your privacy policy must describe this process clearly.
Step 4: Establish Parental Rights Procedures
Create processes for parents to:
- Request access to their child’s personal information
- Request deletion of their child’s personal information
- Revoke consent for further collection or use
Include contact information (email, phone, mailing address) for parents to submit these requests.
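Step 4 above, together with the retention and deletion obligation from the Key COPPA Requirements section, is easier to operate when every stored record carries the purpose it was collected for. The following is an added example, not code from the original page or from any product it mentions: the retention limits, record contents, and one-hour token lifetime are assumptions chosen for illustration. It runs a scheduled retention sweep, issues a short-lived single-use token to a parent only after identity verification, and logs every deletion with its reason.

```python
"""
Purpose-bound retention plus a parental review/deletion workflow for data
collected from children. Every record carries the purpose it was collected
for; a retention table caps how long each purpose may keep data; a verified
parent gets a short-lived, single-use token to review or delete everything
held about the child, and every deletion is logged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Assumed retention limits for the example; derive yours from the data inventory.
RETENTION = {
    "account": timedelta(days=365),
    "support_ticket": timedelta(days=90),
    "contest_entry": timedelta(days=30),
}
PARENT_TOKEN_TTL = timedelta(hours=1)


@dataclass
class Record:
    child_id: str
    purpose: str
    collected_at: datetime
    payload: dict


class ChildDataStore:
    """In-memory stand-in for the database; the clock is injectable so the
    retention sweep can be exercised deterministically."""

    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self._now = now
        self._records: list[Record] = []
        self._parent_tokens: dict[str, tuple[str, datetime]] = {}
        self.deletion_log: list[dict] = []

    def store(self, record: Record) -> None:
        if record.purpose not in RETENTION:
            # No retention limit defined means no purpose defined: refuse to store.
            raise ValueError(f"no retention policy for purpose {record.purpose!r}")
        self._records.append(record)

    def _delete_where(self, predicate, reason: str) -> int:
        keep, gone = [], []
        for r in self._records:
            (gone if predicate(r) else keep).append(r)
        self._records = keep
        for r in gone:
            self.deletion_log.append({"child_id": r.child_id, "purpose": r.purpose,
                                      "reason": reason, "at": self._now().isoformat()})
        return len(gone)

    def purge_expired(self) -> int:
        """Scheduled sweep: delete every record older than its purpose allows."""
        now = self._now()
        return self._delete_where(
            lambda r: now - r.collected_at > RETENTION[r.purpose], "retention_expired")

    def issue_parent_token(self, child_id: str, parent_verified: bool) -> str:
        """Called only after the parent's identity has been verified (with the
        same rigour as the consent step). The token is single-use and expires."""
        if not parent_verified:
            raise PermissionError("parent identity not verified")
        token = secrets.token_urlsafe(32)
        self._parent_tokens[token] = (child_id, self._now() + PARENT_TOKEN_TTL)
        return token

    def _consume(self, token: str) -> str:
        entry = self._parent_tokens.pop(token, None)   # single use
        if entry is None:
            raise PermissionError("unknown or already-used token")
        child_id, expires = entry
        if self._now() > expires:
            raise PermissionError("token expired")
        return child_id

    def parent_review(self, token: str) -> list[dict]:
        """Right to review: return what is held about the child, with its purpose."""
        child_id = self._consume(token)
        return [{"purpose": r.purpose, "collected_at": r.collected_at.isoformat(),
                 "data": r.payload} for r in self._records if r.child_id == child_id]

    def parent_delete(self, token: str) -> int:
        """Right to delete / refuse further use: remove everything about the child."""
        child_id = self._consume(token)
        return self._delete_where(lambda r: r.child_id == child_id, "parent_request")

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Constructed records for two children, evaluated on a fixed date."""
    fixed_now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    store = ChildDataStore(now=lambda: fixed_now)
    store.store(Record("c1", "contest_entry", fixed_now - timedelta(days=40), {"entry": "drawing.png"}))
    store.store(Record("c1", "account", fixed_now - timedelta(days=10), {"username": "bluefox"}))
    store.store(Record("c2", "support_ticket", fixed_now - timedelta(days=100), {"ticket": "#42"}))
    out = {"purged": store.purge_expired()}
    token = store.issue_parent_token("c1", parent_verified=True)
    out["reviewed"] = len(store.parent_review(token))
    try:
        store.parent_review(token)              # second use of the token must fail
        out["reuse_rejected"] = False
    except PermissionError:
        out["reuse_rejected"] = True
    try:
        store.issue_parent_token("c2", parent_verified=False)
        out["unverified_rejected"] = False
    except PermissionError:
        out["unverified_rejected"] = True
    token = store.issue_parent_token("c1", parent_verified=True)
    out["deleted"] = store.parent_delete(token)
    out["remaining"] = store.count()
    out["log_entries"] = len(store.deletion_log)
    return out


if __name__ == "__main__":
    print(demo())
```

The deletion log records what was deleted and why, not the data itself, so it can serve as evidence of compliance without re-creating the record you just removed. Refusing to store a record whose purpose has no retention limit is deliberate: it forces the data inventory from Step 1 to be complete before new collection goes live.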
Step 5: Draft or Generate Your Policy
You can draft a privacy policy from scratch using the FTC’s COPPA guidance (its Six-Step Compliance Plan for Your Business and the COPPA FAQ) as a checklist, or use an automated privacy policy generator that understands COPPA requirements. LegalForge streamlines this process by generating customized, COPPA-compliant children’s privacy policies based on your specific data practices, saving hours of legal drafting time.
Step 6: Review and Update Regularly
Your privacy policy should be a living document. Review and update it whenever you:
- Add new features that collect additional data
- Integrate new third-party services or SDKs
- Change your data retention practices
- Modify your parental consent process
Common COPPA Compliance Mistakes
Even well-intentioned operators make mistakes when implementing COPPA compliance. Here are the most common pitfalls to avoid:
1. Relying on Self-Certification of Age
If your service is directed to children, an age screen does not remove your obligations at all (the one exception is a mixed-audience service, which may age-screen and apply COPPA to the users who identify as under 13). For a general-audience service, a non-neutral screen such as “Are you 13 or older?” invites false answers, and if you later learn that a user is under 13 anyway (a support ticket, a report from a parent, an age stated on the profile) you have actual knowledge and must either delete the data or obtain verifiable parental consent.
2. Ignoring Persistent Identifiers
Many developers don’t realize that device IDs, advertising IDs, cookies, IP addresses, and other persistent identifiers count as personal information under COPPA when they can be used to recognize a user over time and across different websites or online services. Collecting them from children requires parental consent unless they are used solely to support internal operations (authentication, security and fraud prevention, frequency capping, contextual advertising, site maintenance) and for no other purpose.
3. Using Email-Plus Consent for External Disclosure
Email-plus consent (where a parent confirms by email and you take an additional confirming step) can be used only when you use children’s information for your own internal purposes and do not disclose it to third parties or make it public. If you disclose children’s information to third parties (such as ad networks or analytics platforms that use the data for their own purposes), you need one of the more stringent methods, such as credit card verification, a signed form, or government ID verification.
4. Failing to Vet Third-Party SDKs
Integrating third-party SDKs (especially advertising and analytics SDKs) without understanding their data collection practices is a major compliance risk. You’re responsible for any personal information collected through your app or site, including by third-party plugins. Always review SDK documentation and configure them to be COPPA-compliant (many offer child-directed modes).
5. Unclear App Store Age Ratings
App store age ratings are one of the factors the FTC weighs when deciding whether an app is directed to children; a 4+ or 9+ rating, or listing in a kids’ category, points toward child-directed. Set the rating to reflect your actual target audience and make sure your data practices match what that rating implies. A rating chosen to sidestep COPPA does not change the outcome of the multi-factor test if the app’s content and marketing say otherwise.
6. Insufficient Privacy Policy Disclosure
Generic privacy policies that don’t specifically address children’s data or that fail to list all operators and third parties are non-compliant. Your policy must be comprehensive and specific about practices related to children under 13.
7. Not Providing Easy Access to Privacy Policy
Your privacy policy must be clearly and prominently posted on your website or app. Burying it in a settings menu or requiring multiple clicks to access can be considered non-compliant.
8. Retaining Data Longer Than Necessary
COPPA requires that you delete children’s personal information once it’s no longer needed for the purpose for which it was collected. Indefinite retention or failure to implement deletion procedures is a violation.
Conclusion: Protecting Children’s Privacy in 2026
COPPA compliance is essential for any business that collects information from children under 13. The regulatory landscape is only getting stricter, with heightened enforcement from the FTC, new state-level children’s privacy laws, and growing international frameworks like GDPR-K and the UK Age Appropriate Design Code.
The key to compliance is transparency, minimal data collection, strong security, and genuine respect for parental rights. Start with a comprehensive, accurate privacy policy that clearly discloses your data practices and provides parents with meaningful control.
Whether you’re launching a new educational app, adding kid-friendly features to an existing platform, or simply want to ensure your general-audience service is compliant, LegalForge can help you generate a COPPA-compliant children’s privacy policy in minutes. Our AI-powered platform creates customized policies tailored to your specific data practices, ensuring you meet all legal requirements while protecting the privacy of your youngest users.
Ready to Create Your COPPA-Compliant Privacy Policy?
Don’t risk FTC penalties or damage to your reputation. Generate a comprehensive, legally compliant children’s privacy policy with LegalForge today.