COPPA Compliance Guide: Children's Online Privacy and Cookie Consent for U.S. Publishers in 2026
The Children's Online Privacy Protection Act (COPPA) turned twenty-five in 2024 and immediately got its biggest update since its enactment, with the Federal Trade Commission's January 2025 final rule rewriting verifiable parental consent, sensitive data categories, and the rules around third-party advertising on child-directed services. For U.S. publishers — and any operator anywhere in the world that targets U.S. children under 13 or knowingly collects data from them — COPPA is a strict-liability statute with civil penalties that hit five figures per violation and can reach the hundreds of millions in aggregate. This guide explains who COPPA covers in 2026, what the FTC's amended rule actually changed, how cookie consent and verifiable parental consent fit together, and the operational steps a publisher needs to take to keep child-directed traffic monetisable without inviting an FTC consent decree.
Who COPPA Actually Covers
COPPA applies to any commercial website, mobile app, connected device, or online service that is either directed to children under 13 or has actual knowledge that it is collecting personal information from a child under 13. The reach is broader than most publishers assume because the FTC interprets both prongs aggressively.
A service is directed to children based on a multi-factor analysis: subject matter, visual content, use of animated characters or child-oriented activities, music, age of models, presence of celebrities popular with children, language, advertising on the service that is itself child-directed, and competent and reliable empirical evidence about audience composition. A general-audience site can become a mixed-audience service the moment a section is built around child-oriented content.
Three things publishers consistently get wrong:
- Believing that a Terms-of-Service age gate at sign-up is sufficient. It is not, on its own, when the rest of the site signals child-directed intent.
- Assuming that no logged-in users means no COPPA exposure. Persistent identifiers — cookies, IP addresses, device IDs, advertising IDs — are personal information under COPPA when collected from a child.
- Treating COPPA as orthogonal to state privacy law. California's Age-Appropriate Design Code, Connecticut's child data law, and the federal proposals all build on top of COPPA's definitions; a clean COPPA program is the foundation of compliance with all of them.
What the 2025 Amendment Actually Changed
The FTC's January 2025 final rule, the first comprehensive update since 2013, modernised COPPA in five concrete ways that publishers must internalise.
Separate Opt-In for Third-Party Advertising
Operators can no longer roll third-party advertising disclosures into a single parental consent for using the service. Behavioural advertising on a child-directed service now requires a separate, opt-in verifiable parental consent distinct from the consent to use the service itself. Bundling — the historic norm for ad-supported children's apps and sites — is now expressly prohibited.
Expanded Personal Information
The amendment expanded the definition of personal information to include biometric identifiers capable of authenticating an individual, including fingerprints, voiceprints, retina or iris images, and templates of facial geometry. It also clarified that government-issued identifiers from any government, not just the U.S., qualify. Publishers running voice-search features, AI assistants, or photo-upload tools on child-directed services need to map these flows against the new definition.
Data Retention Limits
The new rule requires operators to publish a written retention policy that limits storage of children's personal information to what is reasonably necessary to fulfil the purpose for which it was collected. Indefinite retention is no longer permitted, and the policy must be linked from the privacy notice.
Strengthened Verifiable Parental Consent Methods
The amendment formalised the menu of acceptable VPC methods and added a knowledge-based authentication option using dynamic, multiple-choice questions answerable only by the parent. The classic methods — credit card transaction, signed form, video conference with a trained operator, government-ID verification — remain available but must be documented per consent event.
Notice of Material Change Triggers New VPC
Any material change to data practices — new data categories collected, new third-party recipients, new advertising arrangements — triggers a new verifiable parental consent. Operators cannot rely on a 2018 consent to authorise a 2026 advertising integration.
Verifiable Parental Consent in Practice
Verifiable Parental Consent is the heart of COPPA, and it is the part that publishers most often implement poorly. The legal standard is consent reasonably designed to ensure that the person providing consent is the child's parent — not merely consent collected at all.
The FTC-approved methods publishers should know:
- Credit or debit card transaction with a notification to the cardholder. A small charge or zero-dollar authorization is acceptable when paired with a transactional notice.
- Government-issued ID verification via a secure third-party identity vendor, with the ID destroyed promptly after verification.
- Knowledge-based authentication — the new option from the 2025 rule — using dynamic multiple-choice questions sourced from public records.
- Signed consent form returned by mail, fax, or electronic scan.
- Video conference with a trained operator who confirms identity against a presented government ID.
- Email-plus — only permitted for internal-use-only personal information, and requires a follow-up confirmation step. Do not rely on email-plus for advertising data.
The key operational question is documentation. For every child user, the operator must be able to show, at FTC request: which method was used, who the verifying parent was, what data categories were authorised, what third-party recipients were named, and the timestamp of consent. A modern FlexyConsent-style CMP should integrate with the VPC vendor and store this trail in the same audit log as cookie consent events.
Cookie Consent on Child-Directed Sites
COPPA and the cookie banner sit on different legal layers but must work together. Cookie consent banners under GDPR/ePrivacy or under state laws like CCPA do not satisfy COPPA, and verifiable parental consent does not exempt the operator from cookie-disclosure obligations. Operators serving children must run both layers in coordination.
Block Tracking Until VPC Is Captured
On a child-directed page, no advertising or analytics cookie may fire before VPC is captured for that user. A standard accept-all banner is the wrong tool: the default state must be that nothing fires until parental consent is on file, and even then only for the categories the parent authorised.
Restrict Vendor List to COPPA-Safe Partners
The vendor list on a child-directed property is necessarily shorter than on a general-audience site. SSPs, DSPs, and analytics providers must contractually warrant that they do not use child data for behavioural targeting and do not pass the child to downstream behavioural networks. Most major SSPs publish a COPPA-compliant inventory mode; configure your stack to that mode and remove non-compliant partners.
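The gating rules from the two sections above, together with the separate advertising opt-in and the material-change rule described earlier, can be expressed as one default-deny decision per tag. This is an added example, not code from any CMP or vendor; the tag ids, vendor hosts, purpose names and consent-record fields are assumptions made for illustration.

```javascript
// Added example: default-deny tag gate for a child-directed page.
// Tag ids, vendor hosts and record fields are constructed for illustration.

// Bump whenever data practices change materially; older consents become stale.
const CURRENT_PRACTICES_VERSION = 3;

// Vendors that have contractually warranted COPPA-compliant handling.
const COPPA_SAFE_VENDORS = new Set(['ctx-ads.example', 'fp-analytics.example']);

// Purposes that need the separate advertising opt-in on top of service consent.
const NEEDS_SEPARATE_AD_OPT_IN = new Set(['third_party_ads']);

const deny = (reason) => ({ allow: false, reason });

// vpc is the stored parental-consent record for this user, or null if none.
function decideTag(tag, vpc) {
  if (!vpc) return deny('no_vpc');
  if (vpc.practicesVersion !== CURRENT_PRACTICES_VERSION) return deny('stale_vpc');
  if (!COPPA_SAFE_VENDORS.has(tag.vendor)) return deny('vendor_not_coppa_safe');
  if (!vpc.purposes.includes(tag.purpose)) return deny('purpose_not_authorised');
  if (NEEDS_SEPARATE_AD_OPT_IN.has(tag.purpose) && vpc.adOptIn !== true) {
    return deny('no_separate_ad_opt_in');
  }
  return { allow: true, reason: 'authorised' };
}

// Ids of the tags that may be injected into the page for this user.
function allowedTagIds(tags, vpc) {
  return tags.filter((tag) => decideTag(tag, vpc).allow).map((tag) => tag.id);
}

// Constructed sample data.
const SAMPLE_TAGS = [
  { id: 'analytics', vendor: 'fp-analytics.example', purpose: 'analytics' },
  { id: 'ctx-ads', vendor: 'ctx-ads.example', purpose: 'contextual_ads' },
  { id: 'partner-ads', vendor: 'ctx-ads.example', purpose: 'third_party_ads' },
  { id: 'rtb', vendor: 'open-rtb.example', purpose: 'third_party_ads' },
];
const BUNDLED_VPC = {
  practicesVersion: 3,
  purposes: ['analytics', 'contextual_ads', 'third_party_ads'],
  adOptIn: false, // parent consented to the service but gave no separate ad opt-in
};

console.log(allowedTagIds(SAMPLE_TAGS, null));        // nothing fires without VPC
console.log(allowedTagIds(SAMPLE_TAGS, BUNDLED_VPC)); // ads needing the opt-in stay blocked
```

Logging the `reason` string alongside each decision gives the audit log a per-tag record of why something did or did not fire.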
Surface Parental Controls in the Footer
The privacy notice must include a clear, plain-language section addressed to parents with instructions to review, modify, or revoke consent for their child. A persistent footer link labelled something like "For Parents" meets the FTC's accessibility expectations and creates a defensible trail when an investigator runs a usability audit.
The FTC's Enforcement Pattern in 2024–2026
Enforcement under COPPA has accelerated since the 2019 YouTube settlement reset the FTC's appetite for large-publisher cases. Patterns from recent consent decrees offer a roadmap for what the FTC actually looks for in an investigation.
- Persistent identifiers as the smoking gun. The FTC routinely subpoenas the operator's ad logs and correlates them with audience data to show that ad-tech IDs were assigned to identifiable child users without VPC. Internal documents calling the audience "kids" or "children" while the privacy program treats it as general audience are catastrophic.
- Vendor mismanagement as a multiplier. When an operator forwards child data to a non-COPPA-compliant SSP, both parties become liable. The FTC has pursued primary operators and downstream networks in parallel actions.
- Pattern-of-conduct findings. A single VPC failure may be a finding; a pattern of failures across product surfaces becomes a deceptive-practices count under Section 5 of the FTC Act, expanding both the penalty and the consent decree's scope.
- Civil penalty escalation. The maximum per-violation civil penalty under the FTC Improvements Act has been adjusted upward annually; in 2025 it sat above $50,000 per violation, with each child treated as a separate violation in some matters.
Building a COPPA-Ready Stack
Implementing COPPA in a way that actually withstands FTC scrutiny is a coordination problem across product, engineering, ad ops, and legal. The work breaks into roughly six workstreams.
1. Classify Every Property and Surface
For each domain, subdomain, app, and connected-device endpoint, decide whether it is child-directed, mixed-audience, or general-audience. Document the analysis. A mixed-audience surface — for example, a homepage with both adult and child content — must apply COPPA only to users who self-identify as under 13 through a neutral age gate, not to all users.
2. Build the Age Gate the Right Way
A neutral age gate asks for date of birth in a way that does not signal that older users get more access. Asking "are you 13 or older?" is non-neutral and the FTC has flagged it. A simple month-day-year picker, used once per device with a tamper-resistant cookie, is the standard approach.
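One way to make the age-gate cookie tamper-resistant is to have the server sign the outcome with an HMAC, so an edited value fails verification. The following Node.js sketch is an added example, not code from the page or from any CMP; the cookie layout, the `u13`/`o13` band names and the key handling are assumptions.

```javascript
// Added example: server-side age gate that stores a signed outcome, not the DOB.
const nodeCrypto = require('node:crypto');

// Constructed for the demo; in practice load a long-lived secret from a key store.
const GATE_KEY = nodeCrypto.randomBytes(32);

// Whole years between a date of birth ({year, month, day}) and `today` (UTC).
function ageOn(dob, today) {
  const month = today.getUTCMonth() + 1;
  const hadBirthday =
    month > dob.month || (month === dob.month && today.getUTCDate() >= dob.day);
  return today.getUTCFullYear() - dob.year - (hadBirthday ? 0 : 1);
}

function sign(payload, key) {
  return nodeCrypto.createHmac('sha256', key).update(payload).digest('hex');
}

// Cookie value: "v1.<band>.<issued-at>.<hmac>". The date of birth is discarded.
function issueGateCookie(dob, today, key) {
  const band = ageOn(dob, today) < 13 ? 'u13' : 'o13';
  const payload = `v1.${band}.${Math.floor(today.getTime() / 1000)}`;
  return `${payload}.${sign(payload, key)}`;
}

// Returns 'u13', 'o13', or null when the cookie is missing, malformed or altered.
// A null result means the gate has not been passed: keep child-directed treatment.
function readGateCookie(cookie, key) {
  if (typeof cookie !== 'string') return null;
  const cut = cookie.lastIndexOf('.');
  if (cut < 0) return null;
  const payload = cookie.slice(0, cut);
  const given = Buffer.from(cookie.slice(cut + 1), 'hex');
  const expected = Buffer.from(sign(payload, key), 'hex');
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  const [version, band] = payload.split('.');
  return version === 'v1' && (band === 'u13' || band === 'o13') ? band : null;
}

// Constructed walk-through: a child one day short of 13 on 15 January 2026.
const today = new Date(Date.UTC(2026, 0, 15));
const cookie = issueGateCookie({ year: 2013, month: 1, day: 16 }, today, GATE_KEY);
console.log(readGateCookie(cookie, GATE_KEY));
console.log(readGateCookie(cookie.replace('u13', 'o13'), GATE_KEY));
```

The signature detects an edited cookie but not a deleted one, so the gate result should also be recorded server-side where an account or session exists.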
3. Integrate a VPC Vendor
Unless your product team intends to operate VPC in-house, integrate a specialist vendor — there are several FTC-approved providers — and make the integration callable from your CMP, sign-up flow, and parent-consent management portal. Store the per-event audit record in the CMP's database, not in the VPC vendor's silo.
4. Configure Ad and Analytics Stacks for COPPA Mode
Google Ad Manager, AdMob, IronSource, Unity Ads, Meta Audience Network, and the major DSPs all offer a tag-for-child-directed-treatment flag. Set it on every ad call originating from a child-directed surface or an under-13 authenticated user. Verify with vendor documentation that the flag actually triggers contextual-only delivery, not merely a documentation reduction.
5. Wire Parental Controls and Deletion
Parents have the right to review, modify, and delete their child's data on demand. Build a parent portal reachable from the privacy notice that authenticates the parent, displays the data on file, and offers granular controls. Deletion must propagate to all third parties listed in the consent record within a reasonable time window — most operators commit to 30 days.
6. Audit Quarterly
Run a quarterly review covering: vendor list changes, new product surfaces, retention compliance, consent-decree refresh, and FTC guidance updates. The FTC publishes COPPA business guidance updates regularly; subscribing your privacy team to the FTC's mailing list is the cheapest possible compliance investment.
Common Pitfalls to Avoid
Repeated patterns of failure show up across publisher audits and FTC consent decrees:
- Treating COPPA as a sign-up problem. Most COPPA exposure comes from anonymous ad-tech identifiers on child-directed pages, not from registered accounts.
- Assuming "contextual ads" means COPPA-safe by default. Some "contextual" ad networks still set persistent identifiers in the background; verify the actual cookie behaviour.
- Letting product launches outrun privacy review. A new feature added without consent-decree review can void your entire program. Add a privacy gate to your release process.
- Forgetting connected-device and CTV surfaces. COPPA explicitly covers smart TVs, voice assistants, and game consoles. Many publishers still miss this in their inventory.
- Stale consent records. A material change to data practices voids prior VPC. Publishers running ad-tech changes monthly need a process to refresh VPC, or they accumulate exposure.
What COPPA Looks Like in 2027 and Beyond
Two trajectories will reshape this space within the next eighteen months. First, federal proposals like KOSA — the Kids Online Safety Act — would layer additional duties of care on top of COPPA, including content design obligations and stricter age-assurance requirements. Whether KOSA passes intact or in pieces, the regulatory direction is more obligation, not less. Second, the state-by-state expansion of children's design codes — California, Connecticut, Maryland, and others queued up — creates a patchwork that publishers must satisfy alongside federal COPPA. The operators who treat 2026 COPPA compliance as the baseline, with extra capacity to layer state requirements, are the ones who will not be re-architecting in 2027.
The Bottom Line
COPPA in 2026 is no longer a niche requirement for kids' app developers — it is mainstream privacy infrastructure for any publisher whose audience includes children, even partially. The 2025 amendment closed the loopholes that publishers used to live in, especially the bundled-consent shortcut for advertising. Run a defensible age gate, integrate a verifiable parental consent vendor, configure your ad stack for COPPA mode, and document everything in a CMP audit log alongside your standard cookie consent events. Do this well and child-directed traffic remains monetisable. Do it badly and you will be reading your own consent decree on the FTC's website with a multi-million-dollar civil penalty attached.