COPPA
Children's Online Privacy Protection Act
COPPA regulates the online collection of personal information from children under 13. Operators of child-directed sites and services must give notice and obtain verifiable parental consent. The FTC's 2025 Rule amendments expanded covered personal information to include biometric and government identifiers.
Who it applies to
Operators of websites and online services directed to children under 13, and operators with actual knowledge they collect personal information from children under 13, including some third-party ad networks and plug-ins.
Identity requirements
- Obtain verifiable parental consent before collecting, using, or disclosing personal information from a child under 13
- Provide direct notice to parents and a clear online privacy policy describing data practices
- Treat biometric identifiers and government-issued identifiers as covered personal information under the amended Rule
- Obtain separate parental opt-in consent before disclosing children's data to third parties for targeted advertising
- Implement reasonable data security and retention-and-deletion procedures for children's information
- Honor parents' rights to review, delete, and stop further collection of their child's information
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Operators must capture and manage verifiable parental consent and consent withdrawal for children's data. |
| Identity verification (KYC/proofing) | Verifiable parental consent methods require reliably confirming the consenting adult's identity. |
| Audit, logging & accountability | Operators must document consent and data practices, and Safe Harbor programs face expanded transparency and reporting duties. |
| Breach notification | The amended Rule strengthens data security and retention obligations, raising accountability for protecting children's data. |
Penalties
Each COPPA violation can incur civil penalties up to the FTC's inflation-adjusted maximum (over 50,000 dollars per violation), and the FTC has obtained multimillion-dollar settlements.
COPPA: frequently asked questions
- What age does COPPA protect?
  - COPPA protects the personal information of children under 13 years of age collected online.
- What changed in the 2025 COPPA Rule amendments?
  - The amended Rule expanded personal information to include biometric and government-issued identifiers, required opt-in consent for third-party targeted advertising, and added data retention limits.
- What counts as verifiable parental consent?
  - Operators must use a method reasonably designed to ensure the person giving consent is the child's parent, such as signed forms, credit card verification, or knowledge-based authentication.