If children under 13 can access your website — even accidentally — you may be subject to COPPA (Children's Online Privacy Protection Act). This US federal law carries fines of up to $50,120 per violation, and the FTC has been aggressively enforcing it against websites, apps, and advertising networks.
Who Must Comply with COPPA?
| You Must Comply If: | Example |
|---|---|
| Your site is directed at children under 13 | Kids games, educational platforms, children's content |
| You have actual knowledge of collecting data from children | User profile indicates age under 13 |
| Your site enables children to publicly share personal information | Social features, comments, user profiles |
| You use third-party services that collect children's data | Analytics, ads, or social plugins on a kids' site |
What COPPA Requires
- Privacy policy specifically for children's data: Must describe what information is collected, how it's used, and disclosure practices
- Verifiable parental consent (VPC): Before collecting personal information from children, you must obtain verifiable parental consent
- Parental access rights: Parents must be able to review, modify, and delete their child's data
- Data minimization: Only collect data reasonably necessary for the activity
- Security: Maintain reasonable procedures to protect children's data
- Data retention limits: Only retain data as long as necessary for its purpose
Verifiable Parental Consent Methods
The FTC accepts several methods for obtaining VPC:
| Method | How It Works | Strength |
|---|---|---|
| Signed consent form | Parent signs and returns by mail/fax/email scan | Strong |
| Credit card transaction | Charge a small amount to verify card ownership | Strong |
| Government ID | Parent provides a government ID, which is then verified | Strong |
| Video call | Live verification with parent | Strong |
| Knowledge-based questions | Questions only a parent would answer | Moderate |
| Email Plus | Email confirmation + follow-up verification step | Moderate (limited uses) |
Common COPPA Violations
- Tracking cookies on kids' sites: Analytics and advertising cookies that collect persistent identifiers are "personal information" under COPPA
- Third-party ad networks: Running behavioral ads on children's content violates COPPA unless parental consent is obtained
- Social features without VPC: Chat, comments, or user profiles that allow children to disclose personal information
- YouTube embeds: Standard YouTube embeds set tracking cookies — use youtube-nocookie.com instead
- Failing to update privacy policy: COPPA requires specific disclosures that generic privacy policy generators often miss
COPPA Beyond the US
Other jurisdictions have similar children's privacy rules:
| Jurisdiction | Law | Age Threshold | Key Requirement |
|---|---|---|---|
| EU (GDPR) | Article 8 | 16 (member states can lower to 13) | Parental consent for information society services |
| UK | Age Appropriate Design Code | 18 | Best interests of the child must be primary consideration |
| California | CPRA / CAADCA | 16 (for data sales) | DPIA required for services likely used by children |
| China | PIPL | 14 | Separate consent and impact assessment required |
Audit Your Site for Children's Data
Even if your site isn't aimed at children, third-party scripts on your pages may collect data from minors who visit. Run a PrivacyChecker scan to identify every tracker and cookie on your site, then assess whether any could capture children's data.
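A first pass at the audit described above, which also covers the YouTube embed item under Common COPPA Violations, can be run statically over a page's HTML. The following is an added example, not code from the original page or from PrivacyChecker; the sample HTML, the hostnames in it, and the function name `auditEmbeds` are constructed for illustration.

```javascript
// Constructed sample page: one first-party script, one analytics script,
// a standard YouTube embed, a privacy-enhanced embed, and a tracking pixel.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://analytics.example.net/t.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<img src="//ads.example.org/pixel.gif">
`;

// Lists every script, iframe and img loaded from a host other than the
// page's own. Hosts are compared exactly, so a first-party CDN subdomain
// is reported too and has to be reviewed by hand.
function auditEmbeds(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const re = /<(script|iframe|img)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let url;
    try {
      url = new URL(m[2], page); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparsable src value
    }
    if (!/^https?:$/.test(url.protocol)) continue; // skip data:, blob:, etc.
    if (url.hostname === page.hostname) continue;  // first-party resource
    const finding = { tag: m[1].toLowerCase(), host: url.hostname, url: url.href };
    // Standard YouTube embed: suggest the youtube-nocookie.com equivalent.
    if (/^(www\.)?youtube\.com$/.test(url.hostname) &&
        url.pathname.startsWith("/embed/")) {
      url.hostname = "www.youtube-nocookie.com";
      finding.suggest = url.href;
    }
    findings.push(finding);
  }
  return findings;
}

for (const f of auditEmbeds(SAMPLE_HTML, "https://kids.example.com/games")) {
  console.log(f.tag, f.host, f.suggest ? "-> " + f.suggest : "");
}
```

A static pass like this does not see scripts injected at runtime or the cookies they set, so it complements a scan of the live site rather than replacing it.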