The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law that (usually) requires companies to obtain verifiable parental consent before collecting, using or disclosing personal information from a child 13 and under. It has been in effect since 2000 and impacts companies providing online services including websites, advertising, and mobile apps. It was also recently amended and, while those changes won’t go into effect until June , the updated requirements are good practices and business will need to be in compliance with those changes by April 22, 2026. So if you’re seeing this now, it’s a good idea to learn about the updated requirements, particularly around strengthening verification methods and addressing new technologies.
However, the COPPA legislation leaves it up to companies to determine how they will collect verifiable parental consent. In this post, we’ll outline some general principles and acceptable methods for achieving this:
General Principles for Collecting Verifiable Parental Consent
Companies Must Obtain Parental Consent Before Collecting Personal Information
With very limited exceptions, companies must get verifiable parental consent before collecting any personal data online from children under 13.
There are a number of limited exceptions to the COPPA Rule. However, we wanted to elaborate on one exception that we regularly see clients misinterpret: the internal operations exception.
Internal Operations Exception: COPPA
The internal operations exception applies where personal information collected from a child is used to support internal operations, such as:
- Authenticating users;
- Personalizing content;
- Serving contextual advertising or frequency capping;
- Protecting the security or integrity of the user, website, or online service;
- Ensuring legal or regulatory compliance;
- Performing network communications;
- Maintaining or analyzing the functioning of the service; and
- Responding to a child’s specific request.
Under this exception, companies are not required to obtain verifiable parental consent where the collection of this information from children 13 or under is solely for the above purposes.
It’s important to note that this exception must be adopted with a very narrow interpretation.
Moreover, companies cannot use the information you collect to contact or amass a profile about a specific person. Nor can it be relied on if personal information other than a persistent identifier is collected.
Parties Permitted to Provide Verifiable Parental Consent
A child’s parents (or legal guardians) will typically be required to provide the verifiable consent, however, COPPA allows a child’s teacher, school, or school district (“educators”) to act as the parent’s agent and consent on a parent’s behalf in some circumstances.
The school’s authority to act on behalf of a parent is limited to the school context. This means that the school’s ability to consent is limited to situations in which the student’s personal data is used for the benefit of the school and for no other commercial purpose (such as behavioral advertising or building user profiles for commercial purposes).
The Consent Must Be Verifiable
The verifiability of the consent is a key element of COPPA compliance. While the FTC hasn’t prescribed exactly how companies can meet this requirement, they have offered guidance.
Whatever method you choose to get parental/educator consent “must be reasonably calculated, in light of available technology, to ensure that the parent/educator providing consent is the child’s parent/educator.” The updated rules also highlight the importance of security when it comes to the collection and storage of parental consent information.
Accepted Methods of Obtaining Verifiable Parental Consent
Examples of methods that meet this standard include:
- Print & Send. Providing a consent form to be signed by the parent/educator and returned by mail, fax, or by electronic scan;
- Credit/Debit Card. Requiring the parent, to use a payment card or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Telephone or Videoconference. Having the parent/educator call a toll-free telephone number staffed by trained personnel or having the parent/educator connect to trained personnel via video-conference; or
- Facial Recognition-Facilitated Photo Matching. Verifying a parent/educator’s identity by checking a form of government-issued ID against a recognized database of such information. Bear in mind that, if you use this method, you must be sure that you promptly delete the parent/educator’s identification after completing the verification.
- Knowledge-based Challenge Questions. Asking the parent/educator to answer a series of knowledge-based questions that would be difficult for someone other than him or her to answer. This method is codified under the 2025 amendments, but operators must offer dynamic, adequately difficult, multiple-choice questions where it’s unlikely that the child would be able to guess them correctly.
So long as you use a reasonably reliable method of contacting a parent/educator, you do not need to collect additional information to confirm that it is, in fact, the parent/educator and not another adult who is submitting consent for the child.
You may want to offer multiple methods for obtaining consent in case some parents/educators cannot or will not use your chosen consent method. For instance, if you choose to use a credit card or a telephone/video conference with a parent/educator as your primary verifiable parental consent method, you could also rely on the “print-and-send” consent form as a backup.
Finally, be sure you keep a record of having obtained verifiable parental/educator consent for each child from which you collect personal data.
The Email Plus & Text Plus Methods of Collecting Consent
Another method commonly used is the “email plus” method. The “email plus” method involves collecting parental/educator consent by simply sending an email to a parent/educator’s email address and having the parent/educator click an “I consent” link (and then following up with a second email to confirm consent – the “plus”).
You may use the “email plus” method if you use the information you collect from children solely for internal business uses and never display this information publicly. If you disclose children’s information to third parties or allow children to make the information publicly available then you cannot use the “email plus” method. If a company allows users to upload profile photos and otherwise displays children’s personal data publicly (e.g., via video feeds during online classes) this option is not available.
When the amended rules come into effect, you will also be able to collect verifiable consent using a ‘text plus’method. The method works similarly in practice to the email plus method, except the initial verification goes to the parent’s cell phone instead of their email address.
Text Plus or Email Plus Not Sufficient For Third Party Ad Consents
Another element of the amended rules that’s worth noting is that neither the email plus or text plus methods are adequate methods for gaining consent to disclose a child’s personal information to a third party for advertising purposes.
Obtain Updated Consents When Information Practices Change
Remember that if you change your information practices in a material way in the future, you will have to send a new Direct Notice and obtain updated consent to the new practices.
The updated notice must inform parents:
- That you collected their online contact information for the purpose of getting their consent;
- That you want to collect personal information from their child;
- That their consent is required for the collection, use, and disclosure of the information;
- The specific personal information you want to collect and how it might be disclosed to others;
- A link to your online privacy policy;
- How to consent; and
- That if the parent does not provide consent within a reasonable time, you will delete the parent’s online contact information from your records.
Action Items For Businesses Updating Their Verifiable Consent Mechanisms
Whether you need to make changes in response to the 2025 amendments to the COPPA rules when they come into effect, or you just want to improve your consent processes, here are some action items to consider:
- Audit your existing consent mechanisms. You should consider what consent mechanisms you currently use, whether they’re effective and compliant, and your data practices around gathering consent.
- Consider how your existing consent collection mechanisms may work when it comes to collecting separate opt-in consent for sharing children’s personal information with third-parties, once the amended COPPA rules come into effect. This is especially important for businesses that rely on email plus consents.
- With the separate opt-in requirements in mind, create a shortlist of improved practices for gaining verifiable consents.
- Document a timeline for implementing improved privacy practices, noting that mechanisms like ‘text plus’ may not be lawful until after the rules come into effect.
- Ensure your data deletion processes are documented, implemented, and effective, including the requirement to delete images of parents showing their government-issued ID.
If your business needs help adapting its practices to align with changing parental expectations and the amended COPPA rules, reach out. Our privacy attorneys are available to work with you.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.