If you build apps, games, or connected devices that children might use, COPPA compliance is not optional — it is a legal requirement enforced by the Federal Trade Commission with penalties that can reach hundreds of millions of dollars. The Children's Online Privacy Protection Act was signed into law in 1998, but the FTC has aggressively modernized its enforcement to match how children actually use technology in 2026.
This guide covers everything app developers need to know, from the FTC's amended COPPA Rule (finalized in January 2025 and widely, if loosely, called COPPA 2.0) to practical implementation strategies for age-gating, parental consent, and data minimization. Whether you are building a children's game, an edtech platform, or a general-audience app that children might access, these requirements affect you directly.
What COPPA Covers and Who It Applies To
COPPA protects children under 13 by regulating how commercial websites, online services, and mobile apps collect, use, and disclose their personal information. The law applies to three categories of operators:
- Operators of child-directed sites and apps — any service primarily designed for children under 13, determined by factors like subject matter, visual content, age of models, music, and app store categorization
- Operators with actual knowledge — general-audience services that know specific users are under 13, even if the service was not designed for children
- Third-party services collecting data through child-directed properties — ad networks, analytics SDKs, and plug-in operators that collect personal information through child-directed apps
The "actual knowledge" standard is critical because it means you cannot simply claim ignorance. If users self-identify as under 13 during registration, if your support or moderation staff see children on the service, or if your app appears in "Kids" categories in app stores, the FTC considers you on notice. Audience-composition evidence (analytics showing that a significant share of your users are children) is also one of the factors the FTC weighs when deciding whether a service is child-directed in the first place, so it cuts against you even where no individual child has self-identified.
What Counts as Personal Information
COPPA defines personal information more broadly than many developers expect. The full list includes:
- Directly identifying information — first and last name, physical address, email address, phone number, Social Security number
- Visual and audio data — photographs, videos, or audio files containing a child's image or voice
- Precise geolocation — street-level location data (not general city or state)
- Persistent identifiers — cookies, device IDs, IP addresses, and the IDFA/GAID advertising identifiers: anything that can recognize a user over time and across different sites or services. These are personal information regardless of whether you profile or target with them, with one exception: use solely to support the operator's internal operations (authentication, security and fraud prevention, contextual advertising and frequency capping, non-profiling analytics, legal compliance)
- Biometric data (added by COPPA 2.0) — fingerprints, facial feature maps, voiceprints, and iris scans
- Contact identifiers — screen names or usernames that function as online contact information
The persistent identifier category is where most developers get tripped up. If you use Firebase Analytics, Adjust, AppsFlyer, or similar SDKs that assign device-level identifiers, those identifiers are personal information under COPPA when used for anything beyond "support for internal operations."
COPPA 2.0: What Changed in the Amended COPPA Rule
The FTC finalized major amendments to the COPPA Rule in January 2025, following a December 2023 proposal; the amended rule took effect in June 2025 with a one-year compliance period for most provisions. The amendments are widely, if loosely, called COPPA 2.0, and this guide uses that shorthand; strictly, the name belongs to a separate bill in Congress that would extend protections to teens (see the final section). The changes reflect how dramatically children's technology use has shifted since the original 1998 law. Here is what changed and what developers must implement:
Biometric Data Added to Personal Information
Fingerprints, facial feature maps, voiceprints, iris scans, and similar biometric identifiers are now explicitly classified as personal information. One caveat for developers: platform authenticators such as Face ID and Touch ID keep the biometric template inside the device's secure hardware and expose only a pass/fail result to the app, so using them for login does not by itself collect biometric data. Apps that themselves capture face geometry, voiceprints, or fingerprints do: games with facial-expression tracking (AR filters), voice-identification features, and any feature that sends a face or voice sample to a server. If your app processes biometric data from child users, even temporarily, you need verifiable parental consent.
Mandatory Data Retention Limits
Previously, COPPA required operators to retain children's data only as long as "reasonably necessary," with no obligation to write the period down. The amended rule makes this concrete: operators must adopt and publish a written data retention policy stating what children's data they retain, the business need for retaining it, and the timeframe for deleting it; they must not retain the data indefinitely; and they must delete it once it is no longer reasonably necessary for the specific purpose for which it was collected. The rule does not prescribe a number of days, but "as long as necessary" with no date attached will not pass. In practice that means a retention period per data category and a scheduled deletion job rather than a manual cleanup.
Separate Consent for Targeted Advertising
Under COPPA 2.0, operators must obtain separate, specific parental consent before disclosing children's personal information to third parties for purposes such as targeted advertising, unless the disclosure is integral to the nature of the service (delivering a message the child asked to send, for instance). General consent to the app's privacy policy is not sufficient: the parent must specifically agree to advertising-related data use, and operators must provide a clear mechanism for parents to revoke that specific consent without affecting the child's access to the service.
Strengthened Safe Harbor Oversight
Safe harbor programs like kidSAFE, ESRB Privacy Certified, Aristotle's COPPA certification, and CARU must now demonstrate more rigorous oversight. The FTC increased reporting requirements for safe harbor organizations and clarified that an operator's safe harbor membership does not automatically shield them from FTC enforcement if their actual practices violate COPPA.
Third-Party Data Sharing Restrictions
Even with parental consent, operators face new restrictions on sharing children's data with third parties. Data shared for advertising purposes requires separate opt-in consent. Data shared for service functionality must be covered by contracts requiring COPPA compliance from the receiving party. Operators remain liable for third-party misuse of children's data they facilitated.
Verifiable Parental Consent Methods That Actually Work
Verifiable parental consent (VPC) is the single most challenging COPPA requirement for developers. The FTC does not accept a simple checkbox or "I am over 13" button. Here are the methods the FTC currently recognizes as valid:
Established VPC Methods
- Credit card transaction — the parent completes a monetary transaction using a credit card, debit card, or online payment system that notifies the account holder of each charge; a nominal charge (typically 0.50 to 1 dollar) that is then voided or donated is the common pattern. Collecting a card number without running a transaction does not qualify: the notification to the account holder is what provides the verification. This is the most commonly used method
- Government-issued ID review — the parent submits a photo of their driver's license or passport, which is checked against a database or, under the amended rule, matched to a live photo of the parent with facial recognition; the ID image and any face data must be deleted promptly after verification
- Knowledge-based authentication (KBA) — dynamic, multiple-choice questions hard enough that a child under 13 could not answer them, typically drawn from credit-header data ("Which of these addresses have you lived at?"). Long accepted by the FTC, and formally written into the rule text by the 2025 amendments. Services like LexisNexis and Experian provide KBA APIs
- Signed consent form — the parent signs a consent form and returns it by postal mail, fax, or electronic scan. Still valid but rarely used due to friction
- Trained-personnel call or video conference — the parent calls a toll-free number or joins a live video call with trained staff who verify their identity. Some safe harbor programs and VPC vendors offer this as a service
Newer and Proposed Methods
- Facial age estimation — technology like Yoti's or SuperAwesome's estimates from a selfie whether the person giving consent appears to be an adult, with the image deleted immediately afterwards. ESRB, Yoti, and SuperAwesome applied for FTC approval of this method in 2023; the FTC declined the application without prejudice in March 2024, pending NIST's evaluation of age-estimation accuracy. Check the FTC's current list of approved methods before relying on it as a standalone VPC method
- Text plus — the amended rule extends the email-plus model to SMS: a consent request sent to the parent's phone number, followed by an additional confirmation step (a delayed confirmation message, or confirmation over a second channel). Like email plus, it is valid only for internal uses, not for disclosure to third parties
- Email plus — for operators that collect data only for internal use (no disclosure to third parties), an email to the parent asking them to respond with consent, followed by a delayed confirmation with an option to revoke. Only valid for internal uses, not for sharing data with third parties
Implementation Recommendations
Most successful COPPA-compliant apps offer two or three VPC methods rather than just one. The credit card method has the highest completion rate (roughly 70 to 80 percent) because parents already have their payment methods saved on devices. Government ID verification has a slightly lower completion rate but higher security. Services like SuperAwesome KWS (Kids Web Services), Yoti, and AgeCheq handle the VPC flow end-to-end, which reduces your engineering burden and compliance risk.
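To make the scope rules above concrete, here is an added example (not the article's code, nor any vendor's API) of a consent record in Python. The method and scope names are invented labels for the categories described above: "plus" methods may only grant internal use, targeted advertising is a scope that no other grant implies and that can be revoked on its own without touching the child's access, and every grant or revocation is appended to a history you retain as your VPC record.

```python
"""Parental-consent record with per-scope grants and an audit history.

Added example, not code from the article. Method and scope names are
invented labels; timestamps are ISO-8601 strings as a client would send them.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Methods the FTC recognises for consent that also covers disclosure to third parties.
FULL_METHODS = {"payment_transaction", "government_id", "kba", "signed_form",
                "video_call", "toll_free_call"}
# "Plus" methods: accepted only when the operator makes no disclosure.
INTERNAL_ONLY_METHODS = {"email_plus", "text_plus"}

SCOPE_INTERNAL = "internal_use"        # operate the service for the child
SCOPE_DISCLOSE = "share_third_party"   # send PI to third parties for non-ad purposes
SCOPE_ADS = "targeted_ads"             # needs its own separate opt-in


@dataclass
class ParentalConsent:
    child_id: str
    method: str
    scopes: set = field(default_factory=set)
    history: list = field(default_factory=list)   # (when, action, scope) records to retain

    def grant(self, scope: str, when_iso: str) -> None:
        when = datetime.fromisoformat(when_iso)
        if self.method in INTERNAL_ONLY_METHODS and scope != SCOPE_INTERNAL:
            raise PermissionError(f"{self.method} cannot authorise {scope}; use a full VPC method")
        self.scopes.add(scope)
        self.history.append((when.isoformat(), "grant", scope))

    def revoke(self, scope: str, when_iso: str) -> None:
        when = datetime.fromisoformat(when_iso)
        self.scopes.discard(scope)      # other scopes are untouched
        self.history.append((when.isoformat(), "revoke", scope))

    def allows(self, scope: str) -> bool:
        # No scope is implied by another: ads needs its own explicit grant.
        return scope in self.scopes

    def collection_enabled(self) -> bool:
        """Revoking ad or sharing consent must not cut the child off from the app."""
        return SCOPE_INTERNAL in self.scopes


def new_consent(child_id: str, method: str, when_iso: str) -> ParentalConsent:
    """Create a record once the chosen VPC method has succeeded."""
    if method not in FULL_METHODS | INTERNAL_ONLY_METHODS:
        raise ValueError(f"unrecognised VPC method: {method}")
    consent = ParentalConsent(child_id=child_id, method=method)
    consent.grant(SCOPE_INTERNAL, when_iso)   # every successful VPC covers internal use
    return consent


def try_grant(consent: ParentalConsent, scope: str, when_iso: str) -> bool:
    """Grant if the method permits it; False (and nothing recorded) otherwise."""
    try:
        consent.grant(scope, when_iso)
    except PermissionError:
        return False
    return True
```

The design point is that the consent method caps what can ever be granted: an email-plus record physically cannot hold a sharing or advertising scope, so a later feature that tries to turn on ads for that child fails at the data layer rather than in a policy review.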
Age-Gating: Design Requirements That Keep You Out of Trouble
The FTC has been increasingly strict about age-gating design. Developers cannot use techniques that subtly encourage children to lie about their age. Here is what the FTC requires and what they penalize:
Neutral Age Screen Requirements
- No pre-filled dates — the birthdate field must start blank. Do not pre-fill with an adult date or default to a year that would make the user 18+
- No coaching text — do not display messages like "You must be 13 to use this app" before the age input, because it tells children exactly what date to enter
- Free-form entry — use a date picker or text input where the user enters their full birthdate. Do not use a simple "Are you over 13? Yes/No" prompt
- Session persistence — if a user enters an age under 13, remember it. Do not let children simply restart the app and try again. Keep the verdict in device-level storage (iOS Keychain, Android SharedPreferences), and store only the verdict, never the birthdate itself
- No reward for adult status — the age screen should not hint that adult users get exclusive features. Keep the interface neutral
What Happens After Age-Gating
When a user identifies as under 13, you have three options:
- Block access entirely — the simplest approach. Show a message that the app is not available for users under 13 and do not collect any data
- Offer a limited experience — provide a child-safe version with no personal data collection, no behavioral tracking, no third-party advertising, and limited social features. This requires separate data handling paths in your codebase
- Implement VPC flow — redirect the child's parent to the verifiable parental consent process, then activate the full experience once consent is obtained
The FTC's action against Epic Games over Fortnite showed that these obligations attach as soon as an operator knows children are present, whatever the stated age requirement: Epic had internal evidence that children were playing, yet it enabled voice and text chat by default, so children could disclose personal information to strangers without any COPPA protections in place.
FTC Enforcement: Major Cases Every Developer Should Know
Understanding FTC enforcement patterns helps you prioritize compliance efforts. Here are the cases that shaped current COPPA enforcement:
Epic Games / Fortnite (2022) — 520 Million Dollars Total
The largest COPPA enforcement action in history. Epic paid 275 million dollars for COPPA violations and 245 million dollars in consumer refunds through a separate FTC order. The FTC found that Epic enabled real-time voice and text communications for children without verifiable parental consent, used manipulative "dark patterns" for in-app purchases, and made privacy-invasive settings the default (voice chat was on by default for all users, including children). The case established that voice chat in games creates COPPA liability because children can disclose personal information through conversation.
Microsoft / Xbox (2023) — 20 Million Dollars
Microsoft agreed to pay 20 million dollars for collecting personal information from children who signed up for Xbox Live accounts without notifying parents or obtaining consent. The FTC found that Microsoft collected birth dates, email addresses, and other data from children during Xbox account creation, retained this data for years even after incomplete registrations, and failed to inform parents about data collection or obtain verifiable consent. Microsoft was also required to extend COPPA protections to third-party game publishers using Xbox services.
Edmodo (2023) — Banned From Using Children's Data for Ads
The edtech platform Edmodo was banned from using children's data for advertising purposes (a 6 million dollar penalty was suspended because the company could not pay it). The FTC found that Edmodo collected personal information from millions of children through its educational platform and used that data to serve targeted advertisements. The case matters because Edmodo relied on schools and teachers to provide consent under the school-consent pathway; the FTC found that it gave schools inadequate notice to do so and, more fundamentally, that school consent covers only educational uses, never commercial ones such as advertising.
Amazon / Alexa (2023) — 25 Million Dollars
Amazon paid 25 million dollars for violations related to its Alexa voice assistant and children's voice recordings. The FTC found that Amazon retained children's voice recordings indefinitely, used voice data to improve Alexa's algorithms even after parents attempted to delete it, and maintained geolocation data and device identifiers linked to child users. The case established important precedent around voice AI and children's data.
Enforcement Trends for 2026
Based on recent FTC speeches, enforcement priorities in 2026 include edtech platforms that blur educational and commercial data use, connected toys and IoT devices with always-on microphones or cameras, social media platforms that know children use their services despite 13+ age requirements, apps using persistent identifiers for cross-app tracking of children, and AI-powered features that process children's data for model training.
Technical Implementation Guide for COPPA Compliance
Here is a practical, step-by-step approach to building COPPA compliance into your app from the start:
Step 1: Age-Gating Implementation
Implement a neutral age screen as the first interaction before any data collection occurs. The age gate should render before any analytics SDK initializes, before any advertising framework loads, before any social login or account creation flow, and before any persistent identifier is generated; in practice that means the gate's verdict is an input to your SDK bootstrap code, not something checked afterwards. Store the verdict (not the birthdate) in device-level storage (iOS Keychain, Android EncryptedSharedPreferences) so a child cannot retry simply by clearing the app cache. Treat this as friction rather than a guarantee: on Android a full clear of app data also wipes EncryptedSharedPreferences, and a determined child can use another device. The goal is to avoid inviting a second attempt.
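As an added example (not code from the article or from any vendor it names), here is the gate logic in Python, standing in for the Kotlin or Swift you would actually ship. It combines the neutral-screen rules from the age-gating section with Step 1: a birthdate check that handles leap-day birthdays and unparsable input, a store modelled as a dict in place of the Keychain or EncryptedSharedPreferences (the key name is invented), a lock-in so a recorded child verdict cannot be overwritten by a retry, and a single predicate the SDK bootstrap consults before initializing anything.

```python
"""Neutral age gate with device-level persistence and SDK gating.

Added example, not code from the article. Assumptions: the persistent store is
a plain dict standing in for the iOS Keychain or Android
EncryptedSharedPreferences, the storage key name is invented, and dates arrive
from the UI as ISO-8601 strings from a date picker with no pre-filled value.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

COPPA_AGE = 13
GATE_KEY = "age_gate_result"   # hypothetical storage key; only the verdict is stored
MAX_PLAUSIBLE_AGE = 120


def age_in_years(birth: date, today: date) -> int:
    """Completed years between birth and today; correct for 29 February birthdays."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1                  # birthday has not occurred yet this year
    return years


def classify(birth_iso: str, today_iso: str) -> str:
    """Map a free-form birthdate to 'child', 'adult' or 'invalid'."""
    try:
        birth = date.fromisoformat(birth_iso)
        today = date.fromisoformat(today_iso)
    except ValueError:
        return "invalid"            # unparsable input: re-prompt, record nothing
    if birth > today:
        return "invalid"
    age = age_in_years(birth, today)
    if age > MAX_PLAUSIBLE_AGE:
        return "invalid"
    return "child" if age < COPPA_AGE else "adult"


@dataclass
class AgeGate:
    """Runs before any analytics, ads or account SDK is initialised."""
    store: dict = field(default_factory=dict)

    def result(self) -> Optional[str]:
        return self.store.get(GATE_KEY)

    def submit(self, birth_iso: str, today_iso: str) -> str:
        if self.result() == "child":
            return "child"          # locked: a new date on this device does not help
        verdict = classify(birth_iso, today_iso)
        if verdict != "invalid":
            self.store[GATE_KEY] = verdict   # store the verdict, never the birthdate
        return verdict

    def sdk_init_allowed(self) -> bool:
        """Third-party SDKs that mint persistent identifiers start only on an adult verdict."""
        return self.result() == "adult"

    def child_path(self) -> bool:
        """Route to the child data path whenever the verdict is 'child'."""
        return self.result() == "child"
```

Two things the code makes visible. It stores the verdict and never the birthdate, because the birthdate is itself personal information you have no reason to keep. And `sdk_init_allowed` is false in the absence of any verdict, so a crash or a skipped screen fails closed rather than letting the analytics stack start by default.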
Step 2: Dual Data Pipeline
Build two parallel data handling paths in your app architecture. The adult path processes data normally with your standard analytics, advertising, and personalization stack. The child path strips all personally identifiable information before any data leaves the device, disables all third-party advertising SDKs, replaces behavioral analytics with aggregate-only counting, removes social features or limits them to pre-approved content, and disables push notification personalization. Two things the device cannot strip deserve attention: your servers still see the client's IP address on every connection, so keep it out of analytics records and retain connection logs only as long as security and internal operations require; and the branch must be decided once, from the age-gate verdict, with the child path as the default whenever the verdict is missing.
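An added example of the child-path boundary, not code from the article: a Python allow-list sanitizer for a flat analytics event. The field names, the allow-list, and the sample event are constructed and must be replaced by the ones in your own schema. It drops everything not on the allow-list, attaches a random per-launch session token instead of a device identifier, keeps a guard that fails loudly if personal information ever reaches the child-path network boundary, and reduces the surviving events to aggregate counts with no per-user dimension.

```python
"""Child-path event sanitiser for a dual data pipeline.

Added example, not code from the article. Assumes a flat analytics-event dict;
the field names, allow-list and sample event are constructed for illustration.
"""
import secrets
from collections import Counter
from typing import Any

# Personal information under COPPA that must never leave the device on the child path.
PII_FIELDS = {
    "email", "name", "phone", "username", "photo", "audio", "chat_text",
    "ip", "lat", "lon", "idfa", "gaid", "device_id", "install_id",
}
# Allow-list of non-identifying fields the child path may emit. An allow-list
# rather than a deny-list is deliberate: a field added by an SDK upgrade is
# dropped until someone reviews it, instead of leaking by default.
CHILD_ALLOWED = {"event", "screen", "level", "duration_ms", "app_version"}


def session_token() -> str:
    """Random per-launch token held in memory only; it cannot track a child over time."""
    return secrets.token_hex(8)


def child_event(event: dict[str, Any], token: str) -> tuple[dict[str, Any], list[str]]:
    """Return (sanitised event, names of the fields that were dropped)."""
    kept = {k: v for k, v in event.items() if k in CHILD_ALLOWED}
    kept["session"] = token
    dropped = sorted(k for k in event if k not in CHILD_ALLOWED)
    return kept, dropped


def route_event(event: dict[str, Any], is_child: bool, token: str):
    """Adult path passes the event through unchanged; child path sanitises it."""
    if not is_child:
        return dict(event), []
    return child_event(event, token)


def leaked_pii(event: dict[str, Any]) -> set[str]:
    """Names of personal-information fields present in an outbound event."""
    return PII_FIELDS & set(event)


def assert_no_pii(event: dict[str, Any]) -> None:
    """Guard on the child-path network boundary; also run over fixtures in CI."""
    leaked = leaked_pii(event)
    if leaked:
        raise ValueError(f"personal information on child path: {sorted(leaked)}")


def aggregate_counts(events) -> Counter:
    """Aggregate-only analytics: counts per (event, screen), no user dimension at all."""
    return Counter((e.get("event"), e.get("screen")) for e in events)


# Constructed sample event (not real data): what an SDK would send on the adult path.
SAMPLE_EVENT = {
    "event": "level_complete", "screen": "level_3", "level": 3, "duration_ms": 84210,
    "app_version": "2.4.1", "email": "kid@example.com",
    "lat": 37.4220, "lon": -122.0841,
    "idfa": "6D92078A-8246-4BA4-AE5B-76104861E7DC", "ip": "203.0.113.7",
    "chat_text": "my name is sam and i live on oak street",
}
```

Note that `chat_text` is dropped as a whole field rather than scrubbed: free text is where children volunteer names and addresses, and no regex reliably finds them, so the child path does not ship it at all.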
Step 3: SDK Audit and Configuration
Audit every third-party SDK in your app for COPPA compliance. Common SDKs and their COPPA modes include:
- Firebase / Google Analytics — there is no single "COPPA" switch. Disable ad-personalization signals and advertising-ID collection through the manifest / Info.plist settings and runtime consent APIs (the allow_personalized_ads user property and the google_analytics_adid_collection_enabled and default_allow_ad_personalization_signals settings), and prefer not to initialize Analytics at all on the child path
- Facebook SDK — "Limited Data Use" is a CCPA control, not a COPPA one. For child users disable automatic event logging and advertiser-ID collection (the SDK's setAutoLogAppEventsEnabled and setAdvertiserIDCollectionEnabled settings) and, if you use Audience Network, set its mixed-audience / child-directed flag so only non-personalized ads are served
- Unity Ads — mark the user as non-behavioral (the "user.nonbehavioral" metadata flag) so only contextual, non-personalized ads are requested, and apply the equivalent child-directed setting in any mediation layer you use
- AdMob / Google Mobile Ads — set tag_for_child_directed_treatment (TFCD) and tag_for_under_age_of_consent (TFUA) on the RequestConfiguration and cap max_ad_content_rating at G; these disable personalized ads and interest-based signals for the flagged requests
- Adjust / AppsFlyer — switch on the vendor's COPPA or anonymize mode (Adjust's COPPA-compliant setting, AppsFlyer's anonymizeUser) before the SDK starts, or do not start the attribution SDK on the child path at all. Attribution SDKs read the advertising identifier at initialization, so a flag set afterwards is too late
Step 4: Privacy Policy Requirements
Your COPPA privacy policy must be separate from your general privacy policy (or in a clearly identified section). It must disclose the specific personal information you collect from children, how each piece of information is used, whether information is shared with third parties and who they are, the parent's right to review, delete, and refuse further collection, and your data retention and deletion practices (specific timeframes). Write it in plain language. The FTC judges readability and will penalize policies that obscure children's data practices in legal jargon.
Step 5: Parental Dashboard
COPPA requires that parents can review their child's data, request deletion, and revoke consent at any time. Build a dedicated parental dashboard that shows what data has been collected about the child, provides one-click deletion of all the child's personal information, allows the parent to revoke consent (which must disable the data-collecting features, not delete the child's account entirely unless requested), includes a mechanism for the parent to contact your privacy team, and generates an export of the child's data in a readable format. Gate the dashboard behind re-authentication of the parent at the same strength as your VPC method: the review and export rights are themselves a disclosure path, and the rule requires reasonable steps to confirm that the requester is the parent before any data is shown or deleted.
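An added example, not code from the article, that ties the written retention policy from the "Mandatory Data Retention Limits" section to the dashboard operations in Step 5, in Python with an in-memory store. The categories, purposes, and periods are placeholders for the ones in your own published policy, and `at()` builds timestamps for a constructed sample timeline. The store refuses data that has no defined retention period, a scheduled sweep deletes expired records by category, and the parent-facing export and delete operations write counts rather than content to the audit log.

```python
"""Written retention policy enforced by a sweep, plus parental export and deletion.

Added example, not code from the article. In-memory store; the categories,
purposes and retention periods are placeholders for your own written policy.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Illustrative policy: category -> (stated purpose, retention measured from collection).
RETENTION_POLICY = {
    "account": ("operate the child's account", timedelta(days=365)),
    "voice_clip": ("fulfil a single voice command", timedelta(hours=24)),
    "crash_log": ("diagnose application failures", timedelta(days=90)),
}

T0 = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """Timestamp helper for the constructed sample timeline (T0 + hours)."""
    return T0 + timedelta(hours=hours)


@dataclass
class Record:
    child_id: str
    category: str
    collected_at: datetime
    payload: str


class ChildDataStore:
    def __init__(self) -> None:
        self.records: list[Record] = []
        self.audit: list[tuple] = []   # (when, action, child_id, count): no payloads

    def add(self, rec: Record) -> None:
        # Refuse to store anything the written policy gives no retention period for.
        if rec.category not in RETENTION_POLICY:
            raise ValueError(f"no retention period defined for {rec.category!r}")
        self.records.append(rec)

    def sweep(self, now: datetime) -> int:
        """Scheduled job: delete every record past its category's retention period."""
        keep, gone = [], 0
        for r in self.records:
            if now - r.collected_at >= RETENTION_POLICY[r.category][1]:
                gone += 1
            else:
                keep.append(r)
        self.records = keep
        self.audit.append((now, "sweep", None, gone))
        return gone

    def export(self, child_id: str) -> list[dict]:
        """Parent review: readable records with the stated purpose beside each item."""
        return [
            {**asdict(r), "collected_at": r.collected_at.isoformat(),
             "purpose": RETENTION_POLICY[r.category][0]}
            for r in self.records if r.child_id == child_id
        ]

    def delete_child(self, child_id: str, now: datetime) -> int:
        """Parent deletion request: remove everything for this child, log only the count."""
        before = len(self.records)
        self.records = [r for r in self.records if r.child_id != child_id]
        gone = before - len(self.records)
        self.audit.append((now, "parent_delete", child_id, gone))
        return gone
```

Call `export` and `delete_child` only after the parent has re-authenticated; the audit log deliberately records counts and timestamps, never the deleted content, so that the log itself does not become a second copy of the child's data with no retention period.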
EdTech and the School Consent Exception
Educational technology platforms have a unique COPPA pathway: school consent. Under this exception, schools can provide consent on behalf of parents, but only for data collection that serves a legitimate educational purpose.
What School Consent Covers
- Student account creation for classroom use
- Collection of student work, grades, and educational progress
- Communication between teachers, students, and parents through the platform
- Educational analytics used to improve instruction
What School Consent Does NOT Cover
- Advertising or marketing to students (the Edmodo case proved this)
- Selling student data to third parties
- Cross-product profiling (using data from an educational context to build profiles for non-educational products)
- Data retention beyond the school's relationship with the platform
If your edtech platform serves multiple purposes (educational and commercial), you need separate data handling for each context. School consent covers only the educational side. Any commercial data use requires direct verifiable parental consent.
Student Privacy Pledge
The Future of Privacy Forum's Student Privacy Pledge is a voluntary commitment that signals serious privacy practices to schools. While not legally required, many school districts ask edtech vendors to be signatories before approving them. The pledge commits operators to not sell student data, not use student data for targeted advertising, support schools in meeting their FERPA obligations, and implement reasonable security measures appropriate to the data's sensitivity.
Connected Toys and IoT Devices
Connected toys, smart speakers with child profiles, wearable kid trackers, and other IoT devices face amplified COPPA requirements because they often collect data continuously and passively.
Key Compliance Challenges
- Always-on microphones — devices like smart speakers process voice data continuously. For child users, this creates ongoing COPPA exposure. Amazon's 25 million dollar Alexa settlement demonstrated the risk
- Geolocation tracking — children's GPS watches and trackers collect precise location data, which is always personal information under COPPA
- Camera-equipped toys — toys with cameras that can capture and transmit photos or video of children require VPC before activation
- Data transmission security — the FTC expects encryption in transit and at rest for all children's data. Unsecured Bluetooth connections or unencrypted HTTP transmissions are compliance failures
IoT-Specific Best Practices
Process voice commands on-device when possible rather than transmitting audio to cloud servers. If cloud processing is necessary, transmit only text transcriptions rather than raw audio. Implement automatic data deletion — voice recordings should be purged within hours, not days. Provide a physical mute button or hardware disconnect for microphones and cameras. Default to the most privacy-protective settings (microphone off, location tracking off) and require explicit parental activation.
Common Compliance Mistakes Developers Make
Based on FTC enforcement actions and industry audits, here are the most frequent COPPA compliance failures:
- Relying on Terms of Service age restrictions — simply stating "this app is for users 13 and older" in your ToS does not absolve you of COPPA obligations if children actually use the app. The FTC evaluates whether you should have known children were using the service
- Treating mixed-audience apps as adult-only — if your app appeals to children (cartoon characters, simple gameplay, educational content), you likely have COPPA obligations regardless of your stated age requirement
- Using "Email Plus" for data sharing — Email Plus consent is only valid for internal uses. If you share any children's data with third parties, you need a stronger VPC method
- Forgetting third-party SDKs — every SDK in your app that collects persistent identifiers creates COPPA liability. This includes crash reporting (Crashlytics), analytics (Mixpanel), attribution (Adjust), and A/B testing (Optimizely) tools
- Indefinite data retention — under COPPA 2.0, you must have specific retention periods and automated deletion. "We retain data as long as necessary" is not compliant
- No parental deletion mechanism — parents must be able to delete their child's data. If your only option is "email our privacy team," you are failing the accessibility requirement
- Dark patterns in age gates — any design that nudges children toward entering an older age violates COPPA, even if the age gate technically exists
Complete COPPA Compliance Checklist for 2026
Use this checklist to audit your app before launch or to evaluate existing compliance:
Before Launch
- Determine if your app is child-directed or mixed-audience (evaluate subject matter, visual content, app store categories)
- Implement neutral age-gating with session persistence
- Select and integrate at least two VPC methods
- Build dual data pipelines for adult and child users
- Audit all third-party SDKs and enable COPPA modes
- Write a child-specific privacy policy in plain language
- Build a parental dashboard with review, deletion, and consent revocation
- Establish specific data retention periods and implement automated deletion
- Secure all data transmission (TLS 1.3, encrypted storage)
- Train your team on COPPA requirements and incident response
Ongoing Compliance
- Review SDK updates quarterly for changes that might affect COPPA compliance
- Monitor FTC enforcement actions and guidance for new requirements
- Conduct annual privacy assessments of your children's data practices
- Maintain records of all VPC activity (consent given, revoked, dates)
- Test your parental consent and deletion flows regularly
- Update your privacy policy whenever data practices change
- Consider safe harbor membership (kidSAFE, ESRB Privacy Certified) for additional guidance and some protection from direct FTC enforcement
State Laws That Go Beyond COPPA
COPPA is the federal floor, but several states have enacted stronger children's privacy protections that developers must also consider:
- California Age-Appropriate Design Code (CAADCA) — requires data protection impact assessments for any service "likely to be accessed by children," a standard that reaches services that appeal to children even if not designed for them. Covers users under 18 (not just under 13). Enforcement is currently blocked by a preliminary injunction in NetChoice v. Bonta, so whether and when it takes effect depends on that litigation
- Maryland Age-Appropriate Design Code — similar to California's CAADCA but signed into law in 2024. Requires default high privacy settings for child users and prohibits using children's data in ways harmful to their wellbeing
- Utah Social Media Regulation — requires social media platforms to verify age, obtain parental consent for users under 18, and implement curfew features that limit nighttime access for minors. The 2023 act was repealed and replaced in 2024 and the replacement is itself in litigation, so check its current status
- New York Education Law 2-d — imposes strict requirements on edtech vendors handling student data in New York schools, including data security plans, breach notification requirements, and parental access rights
These state laws raise the compliance bar above COPPA in important ways — particularly by protecting teenagers up to 18, not just children under 13. Developers building apps with teen appeal need to track these requirements alongside COPPA compliance.
Safe Harbor Programs: Added Protection for Compliant Developers
COPPA-approved safe harbor programs offer a framework that can reduce (but not eliminate) FTC enforcement risk. If your organization participates in and follows a safe harbor program's guidelines, the FTC generally allows the safe harbor to handle compliance oversight first rather than taking direct enforcement action.
Active Safe Harbor Programs
- kidSAFE Seal Program — the largest children's privacy safe harbor, covering apps, games, educational platforms, and connected devices. Requires detailed assessments and ongoing monitoring
- ESRB Privacy Certified — operated by the Entertainment Software Rating Board, focused on gaming and interactive entertainment
- Aristotle COPPA Safe Harbor — offers identity verification and parental consent solutions alongside safe harbor membership
- CARU (Children's Advertising Review Unit) — operated by BBB National Programs, focused on advertising practices in children's media
- TrustArc / TRUSTe — provides COPPA certification as part of broader privacy program management
- PRIVO — specializes in COPPA compliance for digital platforms, offering both safe harbor membership and technical VPC solutions
Safe harbor membership costs typically range from 3,000 dollars to 15,000 dollars annually depending on the program and your organization's size. For many developers, this cost is insignificant compared to the legal exposure of non-compliance — and safe harbor programs provide expert guidance that helps you build compliance correctly from the start.
Practical Tools and Services for Implementation
These tools and services help app developers implement COPPA compliance without building everything from scratch:
- SuperAwesome KWS (Kids Web Services) — end-to-end COPPA compliance platform including age verification, parental consent management, and a kid-safe authentication system. Used by major gaming and entertainment companies. Part of Epic Games since 2020
- PRIVO iD — provides age verification, parental consent, and teacher consent management. Integrates via API and SDK for mobile and web platforms
- AgeCheq / PRIVO Hub — mobile-focused parental consent and age gate solutions
- Yoti — facial age estimation and document / ID verification. Its facial age estimation has not been approved by the FTC as a standalone VPC method (the 2023 application was declined without prejudice in 2024); its ID-verification products can support the government-ID method
- OneTrust — consent management platform with specific COPPA compliance modules for managing parental consent records and privacy policies
- Osano — consent management platform with COPPA-specific configurations for blocking third-party scripts until consent is obtained
The Future of Children's Privacy: What Is Coming Next
Several legislative and regulatory developments will shape children's privacy requirements beyond 2026:
- KOSA (Kids Online Safety Act) — passed the Senate in 2024 with strong bipartisan support. Requires platforms to act in the "best interest of minors" and provide tools for parents to supervise usage. If enacted, it would add duty-of-care requirements beyond COPPA's data-focused protections
- COPPA 2.0 in Congress — the Children and Teens' Online Privacy Protection Act, the bill that actually carries the "COPPA 2.0" name, would extend protections to teens under 17 and ban targeted advertising to minors; it passed the Senate alongside KOSA in 2024. Enactment would dramatically expand the law's reach beyond the under-13 population
- AI-specific children's protections — the FTC has signaled that AI tools used by children (chatbots, AI tutors, generative AI) will face specific scrutiny around data collection, content safety, and algorithmic manipulation
- International convergence — the UK's Age Appropriate Design Code, EU's Digital Services Act, and similar laws worldwide are creating a global expectation that apps protect young users by default. Developers building for international markets may find COPPA is actually the least restrictive standard they need to meet
The trend is clear: children's privacy protections are expanding in scope (older ages), depth (more requirements per covered entity), and enforcement (larger penalties). Developers who invest in robust compliance infrastructure now will be best positioned as requirements continue to grow.
