COPPA — Protecting Kids' Privacy Online

What the Children's Online Privacy Protection Act requires, who it applies to, and how to comply.

The Children’s Online Privacy Protection Act (COPPA) is a US federal law that protects the privacy of children under 13. It was enacted in 1998 and has been in effect since 2000. It’s enforced by the Federal Trade Commission (FTC), and the FTC doesn’t play around.

If your site or app is directed at kids, or you know kids are using it, COPPA applies. The fines are brutal, and the FTC actively investigates.

Who must comply

COPPA applies if any of these are true:

  • Your website, app, or online service is directed at children under 13
  • You knowingly collect personal information from children under 13
  • You have actual knowledge that children under 13 are providing personal information

Extraterritorial: foreign-based services that collect data from US children must also comply.

What counts as personal information under COPPA

The definition is extremely broad, rivaling the GDPR’s definition of personal data. It includes:

  • Names, addresses, email, phone numbers, screen names
  • Persistent identifiers: cookies, IP addresses, device IDs, processor serial numbers
  • Photos, videos, or audio files containing a child’s image or voice
  • Geolocation data sufficient to identify a street address
  • Information about the child or parents combined with any identifier above

Cookies are explicitly covered. If your site uses Google Analytics, ad pixels, or any persistent identifier (including some strictly necessary cookies) and children under 13 visit, you’re collecting COPPA-regulated data.

What you need to do

COPPA compliance has eight core requirements:

  1. Publish a clear privacy policy: what you collect, how you use it, who you share it with, and parental rights
  2. Notify parents directly: before collecting anything
  3. Get verifiable parental consent: signed forms, credit card verification, video calls, government ID
  4. Honor parental data requests: review, delete, refuse further collection
  5. Protect the data: encryption, access controls, security measures
  6. Limit retention: don’t keep data forever
  7. Restrict third-party sharing: any disclosure requires parental consent or strict contractual controls
  8. Don’t condition participation: you can’t require more data than is necessary for the service

Limited exceptions exist for:

  • One-time contact to obtain parental consent
  • Responding to a one-time child request (no data stored)
  • Protecting security or integrity of the service
  • Supporting internal operations
  • Protecting the child’s safety
  • Educational purposes with school authorization

But you still must comply with all other COPPA requirements even in these cases.

Penalties

The FTC can issue civil penalties of up to USD 50,120 per violation. Each instance of collecting data without consent counts as a violation.

YouTube paid USD 170 million in 2019 for tracking kids without parental consent. This is not theoretical.

COPPA 2.0?

A proposed update, the Children and Teens’ Online Privacy Protection Act, would expand protections to teens 13–16 and ban targeted advertising to minors. It hasn’t passed yet, but it’s coming.

How Zest handles it

Zest gives you the ability to detect and block third-party trackers, age-gate your consent flows, and configure consent screens specifically for COPPA compliance. If your site might attract under-13 users, you need this.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.