COPPA

Children's Online Privacy Protection Act of 1998

Flag of US
United States (Federal)Opt-inSector-specific
Back to Regulations Guide

Key Facts

Effective Date
April 21, 2000
Enacted
October 21, 1998
Enforcing Authority
Federal Trade Commission (FTC); State Attorneys General
Consent Model
Opt-in
Applies To
Websites/online services directed at children under 13 or with actual knowledge of collecting from children under 13

Overview

COPPA is the primary US federal law protecting children's online privacy, requiring verifiable parental consent before collecting personal information from children under 13. Persistent identifiers — including cookies and device IDs — are classified as personal information under the rule, making COPPA relevant to any website that may be used by children.

What This Means for Your Website

  • Verifiable parental consent is required before collecting personal information from children under 13
  • Cookies and device IDs that recognize users over time are classified as personal information
  • A clear, comprehensive privacy policy must be prominently displayed
  • You cannot condition a child's participation on collecting more data than necessary
  • The 2025 amendments expanded the definition of personal information to include biometric data
  • COPPA 2.0 (passed Senate March 2026) would extend protections to teens under 17

Key Requirements

The FTC enforces COPPA with penalties of up to $53,088 per violation (adjusted annually for inflation). State Attorneys General can also enforce. Websites directed at children or with actual knowledge of collecting from children under 13 must obtain verifiable parental consent. The 2025 amendments strengthened data retention limits and added new mixed audience standards.

How ConsentStack Handles This

ConsentStack can detect when COPPA applies and adjust consent requirements accordingly, blocking data collection from children under 13 until verifiable parental consent is obtained.

Penalties

Up to $53,088 USD per violation (adjusted for inflation).

Maximum Fine
$53,088 per violation

Key Requirements

  • Verifiable parental consent required for children under 13
  • Clear comprehensive privacy policy required
  • Parents can access and delete child data
  • Cannot condition participation on excessive data collection
  • 2025 amendments expand PI to include biometric data and stricter data retention

Notable Provisions

  • COPPA 2.0 passed Senate March 2026 — would extend protections to teens under 17
  • Persistent identifiers (cookies, device IDs) classified as personal information
  • 2025 amendments add biometric data and mixed audience standards

Other North America Regulations

CPRACalifornia, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPACalifornia, United States
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDACanada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPAColorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSATexas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

Does COPPA apply to cookies?

Yes. Persistent identifiers including cookies and device IDs are classified as personal information under COPPA when they recognize users over time.

What are the COPPA penalties?

Up to $53,088 per violation, adjusted annually for inflation. The FTC and State Attorneys General enforce COPPA.

What is COPPA 2.0?

COPPA 2.0 (S.836) passed the Senate in March 2026 and would extend COPPA protections to teens under 17. It is pending House passage.

Who must comply with COPPA?

Websites or online services directed at children under 13, or those with actual knowledge of collecting personal information from children under 13.

Stay compliant with COPPA

ConsentStack helps you implement Opt-in consent for United States (Federal) automatically.

Get started free