Growth Marketing Glossary

COPPA (Children's Online Privacy Protection Act)

C·O·P·P·Anoun (law)

No data from kids without a parent's say-so — the 1998 law with real teeth, freshly sharpened by the FTC's 2025 rule update.

u13no data withoutparental consentverified parentchildren's online privacy — consent before collection
Schematic — parental consent before collecting children's data
Term
COPPA (Children's Online Privacy Protection Act)
Is
Children's Online Privacy Protection Act
Enacted
1998, FTC rule effective April 21, 2000
Updated
Amended rule effective June 23, 2025

Forms & parts of speech

COPPA · noun
The children's privacy law.
"The quiz app collected birthdates from under-13s with no parental consent - a straight COPPA violation."

Definition in plain terms

COPPA — the Children's Online Privacy Protection Act — is the US federal law governing the online collection of personal information from children under 13. Enacted by Congress in 1998, implemented through an FTC rule effective April 21, 2000, it requires operators of child-directed sites and services (and anyone with actual knowledge they are collecting from under-13s) to post clear privacy notices and obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. It is one of the few US privacy laws with decades of aggressive enforcement behind it.

The mechanics

COPPA turns on two questions. Is the service directed to children, judged by subject matter, visuals, music, child celebrities, and audience evidence — or does the operator have actual knowledge a user is under 13? If either answer is yes, obligations attach: verifiable parental consent before collection (the FTC approves methods from signed forms to ID checks), notice of what is collected and why, parental rights to review and delete, data minimization, retention limits, and security. 'Personal information' is broad — it includes persistent identifiers like cookies and device IDs, which is why BEHAVIORAL TARGETING aimed at children without consent is a violation even with no name attached. Enforcement is real: the FTC's record includes a $170 million settlement with Google and YouTube in 2019 and a $275 million penalty against Epic Games' Fortnite in 2022. The rule was amended in 2013 to cover the mobile era, and again in 2025 — the FTC published final amendments on April 22, 2025, effective June 23, 2025 — adding, among other things, opt-in parental consent specifically for disclosing children's data to third parties for targeted advertising, stronger data-retention limits, and expanded security requirements. For marketers the bright line is simple: no behavioral advertising to known under-13 audiences without verified parental opt-in, and contextual advertising is the safe harbor child-directed media actually runs on.

When it matters

COPPA matters to anyone whose product, content, or ad placements touch children — game studios, ed-tech, toy brands, family YouTube channels, and any advertiser buying against child-directed inventory. It matters even to general-audience services once they gain actual knowledge of under-13 users, which is why age gates and data flows need designing together. The discipline is conservative by default. Treat child-directed inventory as contextual-only, keep persistent identifiers out of kid data flows, verify consent through an approved method before any collection, and revisit compliance against the 2025 rule's tightened consent and retention requirements. The fines are large, but the deeper cost is trust — marketing to children is the one arena where 'move fast' reliably ends in a consent decree. (General information, not legal advice.)

Worked example. A mobile-game studio launches a colorful match-three title that never asks ages but ships standard ad SDKs passing device identifiers to ad networks for behavioral targeting. The art style, characters, and app-store category make it plainly child-directed — so those persistent identifiers are children's personal information collected without verifiable parental consent, the exact pattern behind the FTC's headline COPPA cases. Counsel orders a rebuild: a neutral age screen at first launch, under-13 players routed to a contextual-ads-only mode with no persistent identifiers, verifiable parental consent (card verification) gating any data-backed features, and retention pared to the 2025 rule's limits. Revenue per under-13 impression dips slightly on contextual rates; the consent-decree-sized risk disappears. The studio learned what every kids brand knows — in this market, contextual is the business model.
Failure modes to watch. Assuming no-name data is safe when persistent identifiers count as personal information; child-directed apps shipping behavioral ad SDKs by default; age gates designed to encourage lying; ignoring 'actual knowledge' signals on general-audience services; and missing the 2025 amendments' opt-in consent requirement for third-party ad disclosure.

Synonyms & antonyms

Synonyms

COPPAChildren's Online Privacy Protection Actchildren's privacy rule

Antonyms

adult-audience marketingunrestricted data collection

Origin & history

Congress passed the Children's Online Privacy Protection Act in 1998 amid the first wave of websites quietly profiling children; the FTC's implementing rule took effect April 21, 2000. Major amendments arrived in 2013 (covering mobile, plugins, and persistent identifiers) and again in 2025, when final-rule changes effective June 23, 2025 tightened consent, retention, and third-party disclosure for the social-and-streaming era.

Etymology: source.

Usage trends

Search interest for this term over the last five years:

View interest-over-time on Google Trends →

Common questions

What is COPPA?
The US federal law — enacted 1998, FTC rule effective April 21, 2000 — requiring verifiable parental consent before collecting personal information online from children under 13.
What counts as personal information under COPPA?
Far more than names — persistent identifiers like cookies and device IDs count, so behavioral ad targeting of children without parental consent violates the rule even when 'anonymous.'
What changed in the 2025 COPPA update?
FTC amendments effective June 23, 2025 added opt-in parental consent for disclosing children's data to third parties for targeted ads, tightened retention limits, and expanded security duties.

Related tools & calculators

Resources & people to follow

Curated, non-competitor resources verified per term.

Related training

Disciplines

Areas of marketing where coppa is a core concern:

Sources

  1. trendsGoogle Trends — "coppa"