A consent-based regime for any commercial website or online service that knowingly collects personal information from children under 13. Eight statutory sections; one Rule that turns them into operating procedure.
An operator falls under COPPA in one of two ways. Either the service is directed to children as a matter of audience, or the operator has actual knowledge that a particular user is a child. Either trigger is enough.
A commercial website or online service, or a portion of one, that is targeted to children under 13. The FTC applies a multi-factor test:
Even on a general-audience platform, the moment an operator obtains actual knowledge it is collecting personal information from a child, the full COPPA regime attaches to that data.
"Actual knowledge" is fact-specific. Self-declared birth date, parent communications, reports from teachers, and obvious indicators in user content can all establish it. Wilful blindness will not insulate an operator from liability.
Ad networks, plugins, and SDKs embedded in a child-directed service inherit the same obligations. The 2025 amendments make third-party data-sharing a separately consented act.
The statute named seven categories in 1998. The Rule and its amendments have steadily expanded the perimeter; biometric and government identifiers were added in 2025. If your system touches any of these for a child under 13, COPPA is in play.
Real-world identification of the child. A first name alone is generally not PI; a last name combined with other identifiers is.
A home or other physical address including street name and the name of a city or town. Sufficient to contact or locate.
Or any "online contact information" (a substantially similar identifier that permits direct contact with a person online).
Direct line of voice or text contact. Treated identically to email for the purposes of the consent and access regime.
The original statute called this out specifically. The Rule extends it to any government-issued identifier (added 2025).
Cookies, IP addresses, device IDs, processor or device serial numbers: anything that recognises a user over time and across services.
Geolocation information sufficient to identify street name and city or town. Both precise and approximate locations qualify.
A photograph, video, or audio file containing a child's image or voice. Even a frame in a livestream counts.
If the screen name or user name functions in the same manner as online contact information (i.e., it enables direct contact), it is PI.
Fingerprints, handprints, retina or iris patterns, voiceprints, facial templates, gait, and DNA-derived identifiers used for automated recognition.
Driver's license, passport, state ID, birth certificate numbers, added in the 2025 amendments to capture modern verification practices.
Information about the child or parents (even otherwise non-identifying data) collected online and combined with any identifier above becomes PI. § 1302(8)(G).
The statute reduces the entire COPPA compliance regime to four obligations on operators. Each one maps directly onto an implementing section in 16 CFR Part 312. Get all four right and you're substantively compliant.
Provide on the service a clear notice of what personal information is collected, how it is used, and the operator's disclosure practices. A direct notice must also reach parents before any collection.
Obtain consent from a parent, by a method reasonably designed to ensure the person consenting is the parent, before any collection, use, or disclosure of personal information.
On request and after proper identification, give a parent (i) a description of PI collected, (ii) the opportunity to refuse further use, and (iii) a reasonable means to obtain the actual data. Plus § 1303(b)(1)(C): no conditioning a child's participation on collecting more PI than is reasonably necessary.
Establish reasonable procedures to protect the confidentiality, security, and integrity of PI. The 2025 amendments harden this into a written information security program and a published retention policy.
The statute defines verifiable parental consent at § 1302(9) as "any reasonable effort, taking into consideration available technology." The Rule lists approved methods, calibrated to the sensitivity of the use.
The statute carves out narrow exceptions where collection of online contact information is permissible without verifiable parental consent. Each is bounded; read each one carefully before relying on it.
Online contact information used only to respond directly on a one-time basis to a specific request from the child, then not retained, not used to recontact, and not maintained in retrievable form.
The name or online contact information of a parent or child collected for the sole purpose of obtaining parental consent or providing the COPPA notice, and discarded if consent isn't obtained within a reasonable time.
Responding more than once directly to a specific request, but the parent must be notified of the contact information collected and given the chance to opt out before further responses.
Name and online contact information collected to the extent reasonably necessary to protect the safety of a child participant, used only for that purpose, not disclosed on the site, with parent notice.
Collection, use, or disclosure necessary to protect the security or integrity of the site, take precautions against liability, respond to judicial process, or assist law enforcement on matters of public safety.
A persistent identifier collected solely to support the internal operations of the service: authentication, fraud prevention, content delivery, network communications. 2025: additional notice now required and behavioural-advertising uses are out of scope.
COPPA is short. Eight sections do everything.
COPPA is enforced through a layered architecture: the FTC at the centre, fifty State Attorneys General as parens patriae plaintiffs, sectoral regulators for industries the FTC doesn't cover, and self-regulatory Safe Harbour programs that operators can opt into for deemed compliance.
The primary enforcement authority. Treats COPPA Rule violations as unfair or deceptive acts under § 5 of the FTC Act.
As parens patriae for state residents, may sue in federal district court when an operator's practices threaten state residents.
For entities outside the FTC's general jurisdiction, enforcement runs through the agency that regulates the sector.
FTC-approved self-regulatory programs that grant operators a presumption of compliance. The 2025 amendments tightened transparency rules.
Civil penalties under COPPA are assessed under § 5(m)(1)(A) of the FTC Act, adjusted annually for inflation. Critically, the FTC and courts have treated each affected child's record as a separate violation, pushing total exposure into the eight and nine figures for large platforms.
Adjusted annually under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The 2024 figure was $51,744; the 2025 multiplier of 1.02598 brings it to $53,088.
In practice, the FTC negotiates lump-sum settlements that reflect the per-record arithmetic plus disgorgement, deletion orders, and ongoing compliance monitoring.
COPPA was enacted in October 1998 and became enforceable in April 2000. The FTC has updated the implementing Rule three times since, and operators are now in the run-up to a hard April 2026 compliance deadline.
A short walk through the same questions an FTC investigator would ask. This is education, not legal advice; for a real determination, consult counsel familiar with 16 CFR Part 312.