COPPA Compliance: A Guide to Your Obligations & Tips to Meet Them

June 17, 2022

Children’s online privacy has been making headlines as lawmakers in California and Washington, DC grapple with how to best protect children online. (See the CBS coverage here.) While we’ll need to wait and see whether these bills are enacted into law and what provisions they contain, it seemed like a good time to cover the existing Children’s Online Privacy Protection Act (COPPA).

 

What is COPPA?

The Children’s Online Privacy Protection Act is a U.S. federal law that has been in effect since 2000. It regulates the collection of personal information from children 13 and under by certain online services including websites, advertising, and mobile apps.

COPPA requires certain companies to obtain verified parental consent (“VPC”) before collecting personal information from a child.

It’s important to note that the definition of personal information under COPPA is different than the definition under other privacy laws.

Under COPPA, personal info includes anything that can be used to track a child across sites, apps, or devices. Persistent identifiers are all considered personal information under COPPA, which means companies are barred from using or tracking any of the following information about children without parental consent: 

  • Cookies, 
  • Google Ad IDs, 
  • Precise geolocation, 
  • Full IP address, 
  • Full referrer URLs, 
  • Full user agents, 
  • Photos, 
  • Videos, and 
  • Voice recordings of children. 

What this means in practice is that COPPA bars behavioral advertising, retargeting, and user profiling. 

 

5 Quick COPPA Compliance Tips:

Restrict Advertising

As a content owner, COPPA restricts you to contextual advertising with partners that do not collect any personal information from children. 

Provide Parents with Direct Notice

Before collecting personal information from children under 13 you must provide parents with direct notice. Additionally, if you materially change your practices, you must provide updated direct notice to parents. The notice must inform parents: 

  • That you collected their online contact information for the purpose of getting their consent; 
  • That you want to collect personal information from their child; 
  • That their consent is required for the collection, use, and disclosure of the information; 
  • The specific personal information you want to collect and how it might be disclosed to others; 
  • A link to your online privacy policy; 
  • How to consent; and 
  • That if the parent does not provide consent within a reasonable time, you will delete the parent’s online contact information from your records.

Obtain Verifiable Parental Consent (VPC)

Obtaining VPC requires you to contact a parent, verify his or her identity, and then obtain his or her consent. (Find more information about how to do so in our blog post about Verifiable Parental Consent). 

Honor Parents’ Ongoing Rights Regarding their Children’s Information

If a parent asks you to, you must: 

  • Enable them to review the personal information you have collected from their child;
  • Provide them with a way to revoke their consent and prohibit further processing of their child’s information; and 
  • Delete their child’s information.

Take Reasonable Measures to Protect the Security of Children’s Information

Basic principles include: 

  • Data Minimization: Minimizing what you collect. 
  • Third-Party Management: Ensuring any third parties (including service providers) with whom you share information are capable of maintaining its confidentiality, security, and integrity. 
  • Data Retention: Retaining children’s data only for so long as reasonably necessary. 
  • Disposal: Securely disposing of children’s information once you no longer need it.

 

If you’re uncertain about your obligations under COPPA, reach out. Our privacy attorneys would be thrilled to help.

