COPPA: What Companies Actually Owe Your Child Under 13 (And Where the Law Fails)

Your 9-year-old signs up for a free game. She types in a fake birthday — October 15, 2005 — and the site waves her through. She’s now classified as an adult, and the company begins tracking her location, browsing behavior, and in-app purchases. The Children’s Online Privacy Protection Act was supposed to prevent this. So why didn’t it?

COPPA has been on the books since 1998, amended in 2013, and yet in 2023 the FTC found that major platforms were still collecting data from millions of children without verifiable consent. Understanding exactly what the law requires — and where it breaks down — is the first step to actually protecting your kid.

Key Takeaways

• COPPA applies to sites and apps directed at children under 13 or those with actual knowledge a user is under 13 — but “actual knowledge” is easy to avoid.
• Companies must get verifiable parental consent before collecting name, address, photos, location, or persistent identifiers from children under 13.
• The FTC enforces COPPA, but penalties average years apart, and the burden of age verification is deliberately vague.
• California’s Age-Appropriate Design Code (AADC) and proposed federal bills like KOSA are filling gaps COPPA left open.
• Parents have concrete rights: to review data, demand deletion, and revoke consent at any time.

What COPPA Actually Requires

The Children’s Online Privacy Protection Act places obligations on operators — companies running websites or online services directed at children under 13, or any service where operators have actual knowledge they’re dealing with a child. The law requires them to:

1. Post a clear privacy policy describing what personal information is collected, how it’s used, and who it’s disclosed to.
2. Provide direct notice to parents before collecting any personal information from a child.
3. Obtain verifiable parental consent before collection begins.
4. Give parents access to review and delete their child’s data.
5. Allow parents to revoke consent and stop further data collection.
6. Maintain reasonable security for the information they hold.

Personal information under COPPA is broadly defined and includes full name, home address, email, phone number, Social Security number, photos, videos, audio files containing a child’s voice, geolocation data, and persistent identifiers (like cookies or device IDs) used to track a child across websites.

Verifiable Parental Consent: The Weak Link

“Verifiable” is where COPPA loses most of its teeth. The FTC allows methods including:

• A signed consent form returned by mail or fax
• A credit card or debit card charge (even a $0.50 charge just to verify the card exists)
• A call to a toll-free number staffed by trained personnel
• Video conference or in-person review
• A government ID check

Notice what’s conspicuously absent: email confirmation. An email to a parent is explicitly NOT sufficient verifiable consent. In practice, most companies use credit card verification — which works when parents are actually in the loop, but fails entirely when a child uses a parent’s card or simply lies about age.

The Age-Verification Loophole

COPPA’s biggest structural weakness is that it only applies when a company has “actual knowledge” a user is under 13. This means a company can design its sign-up flow to accept any birth date and then legally claim it had no actual knowledge of the user’s age.

A 2022 study from the Annenberg School for Communication found that children under 13 routinely circumvent age gates on platforms including YouTube, TikTok, and Instagram. The platforms’ legal teams know this. By accepting a fake birth date, the platform shifts liability entirely to the child (or parent) who provided false information.

The FTC has targeted this behavior in recent actions. In 2023, the agency proposed significant rule updates including:

• Restricting behavioral advertising to children even with parental consent
• Limiting data collection for children to what’s strictly necessary for the service
• Banning push notifications designed to keep kids engaged
• Stronger requirements around data retention — companies couldn’t keep kids’ data indefinitely

These proposed rules represent the most significant COPPA update since 2013, but as of mid-2026, final implementation remains ongoing.

What the FTC Has Actually Done

Year	Company	Fine	Violation
2019	Musical.ly (TikTok)	$5.7 million	Collected data from children without parental consent
2020	Google/YouTube	$170 million	Allowed child-directed channels to track viewers with cookies
2022	Epic Games (Fortnite)	$275 million	Dark patterns tricking children into purchases; COPPA violations
2023	Amazon (Alexa/Ring)	$25 million	Retaining children’s voice recordings against parents’ deletion requests
2025	Meta	$1.4 billion (state-led)	Texas AG action; federal COPPA case ongoing

The fines sound large, but for companies with billion-dollar valuations, they function as cost-of-doing-business line items. The $275 million Epic Games fine was the largest COPPA penalty in history at the time — and Epic’s annual revenue that year exceeded $5 billion.

How State Laws Are Filling the Gaps

California Age-Appropriate Design Code (AADC)

California’s AADC, signed in 2022 and with enforcement beginning in 2024, goes further than COPPA in several ways:

• Applies to anyone under 18 (not just under 13)
• Requires companies to conduct Data Protection Impact Assessments for products children are likely to use
• Bans practices that are harmful to children’s mental health
• Requires privacy by default — the most protective settings must be on by default
• Mandates age-appropriate content across an entire platform, not just children’s sections

NetChoice v. Bonta challenged the AADC in court, and the case has moved through federal courts with mixed outcomes. As of 2026, enforcement is proceeding under modified terms following court guidance.

Other State Laws

State	Law	Key Provision
California	AADC (AB 2273)	Under-18 protections, privacy by default
Texas	SCOPE Act	Parental consent for social media under 18
Arkansas	Social Media Safety Act	Age verification for under-18 accounts
Florida	HB 3	Bans social media accounts for under-14
Utah	Social Media Regulation Acts	Parental consent + curfews for minors

The Kids Online Safety Act (KOSA)

KOSA passed the Senate in 2024 with bipartisan support and would impose a duty of care on platforms — requiring them to prevent harm to minors, not just protect their data. KOSA would require platforms to default to the most protective privacy settings for users under 17, restrict addictive features, and provide parents with tools to limit their child’s experience.

As of mid-2026, KOSA is pending in the House. Its progress matters for parents because it would cover a much wider age range than COPPA and address harms like algorithmic amplification that COPPA doesn’t touch.

Your Rights Under COPPA Right Now

Right to Review Your Child’s Data

If a website or app is directed at children and has collected data from your child, you can request to see it. The company must respond. Start by locating the site’s privacy policy — COPPA requires it to be prominently linked on the homepage — and find the “parental rights” or “data subject request” section.

Right to Demand Deletion

You can request that a company delete your child’s personal information. Under COPPA, they must comply unless the data is needed to protect the child’s safety or is required by law.

Right to Revoke Consent

If you previously gave consent, you can revoke it. After revocation, the company must stop collecting data and delete what it has — though some platforms will terminate the account entirely when consent is revoked.

How to File an FTC Complaint

If you believe a company is violating COPPA, report it at ReportFraud.ftc.gov or ftc.gov/complaint. The FTC doesn’t act on individual complaints, but patterns of complaints trigger investigations. Include the company name, URL, what data was collected, and how you became aware of it.

What to Watch For Over 3 Months

• Check your child’s installed apps monthly. For each app, find its privacy policy and check whether it claims to be COPPA-compliant. Many free games are not.
• Audit connected accounts. In month one, identify every account your child under 13 has. In month two, submit data review requests to the three most concerning ones. In month three, revoke consent or request deletion for any that collected excessive data.
• Monitor the KOSA status. If KOSA passes, platforms your teen uses may be required to change their default settings — know what those changes mean for your family.
• Check state law updates. Your state may have passed legislation after this article was written. Search “[your state] child online privacy law 2026” quarterly.

Frequently Asked Questions

Does COPPA apply to apps, or just websites?

COPPA applies to websites, mobile apps, and any online service directed at children under 13. If your child uses a game app that collects any personal information, COPPA requirements apply. “Online service” has been interpreted broadly to include connected toys that transmit voice data.

What happens if my child lied about their age to sign up for a service?

Once a platform discovers a user is under 13 — through any means — COPPA obligations kick in immediately. However, if the child never discloses their real age and the platform has no reason to know, the platform may legally claim no COPPA violation. The child (and parent) who provided false age information bear the risk.

Can I tell a company to delete all my child’s data, or just some of it?

You can request deletion of all personal information, and the company must comply. They may retain data needed to comply with legal obligations or protect security. A blanket deletion request is your strongest tool — companies cannot charge you to fulfill it.

Are school-issued apps covered by COPPA?

Schools can consent on behalf of parents for educational platforms used for school purposes — this is called the “school official exception.” However, those platforms can only use the data for educational purposes, not marketing. Many ed-tech companies have violated this restriction; check your child’s school app list against the FTC’s complaint database.

What’s the difference between COPPA and FERPA?

COPPA covers commercial online services directed at children. FERPA (Family Educational Rights and Privacy Act) protects student education records held by schools. They overlap for school-issued apps but serve different purposes. FERPA gives parents the right to review and correct their child’s school records and restricts disclosure to third parties.

Sources

1. Federal Trade Commission. (2023). Complying with COPPA: Frequently Asked Questions. FTC.gov. https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions
2. Federal Trade Commission. (2023). FTC Proposes Sweeping Changes to Children’s Online Privacy Protection Rule. FTC.gov. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-sweeping-changes-childrens-online-privacy-protection-rule
3. Radesky, J. S., et al. (2020). Overstimulated consumers or next-generation learners? Report of AAP Council on Communications and Media. Pediatrics, 145(4). https://doi.org/10.1542/peds.2020-0214
4. Common Sense Media. (2022). The Common Sense Census: Media Use by Tweens and Teens. Common Sense Media.
5. Auxier, B., et al. (2020). Parenting Children in the Age of Screens. Pew Research Center. https://www.pewresearch.org/internet/2020/07/28/parenting-children-in-the-age-of-screens/
6. California State Legislature. (2022). AB 2273: California Age-Appropriate Design Code Act. California Legislative Information.

---

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.