Children’s Online Privacy Protection Act (COPPA)

If your online platform is directed toward children under 13 or knowingly collects their data, COPPA requires you to: Post a clear privacy policy detailing data practices for children’s information. Get verifiable parental consent before collecting personal data from children. Allow parents to review or delete their child’s personal information. Secure children's data with reasonable protection practices. Disclose any third parties with whom the data is shared. Even businesses not based in the U.S. must comply if they target or serve U.S. children.

COPPA’s main rules require companies to clearly inform parents about the personal data they collect from children under 13. They must get parental consent before collecting any data, limit collection to what’s necessary, allow parents to review and delete their child’s information, and ensure the data is protected with proper security measures.

Violating COPPA can result in civil penalties of up to $50,120 per child, per violation. In recent years, several companies have faced multi-million dollar fines for non-compliance—for example, YouTube (Google) was fined $170 million in 2019, and TikTok (formerly Musical.ly) was fined $5.7 million the same year. Beyond the financial penalties, non-compliance can also harm your brand’s reputation and erode trust with families.