COPPA

Children's Online Privacy Protection Act (COPPA) + FTC COPPA Rule (16 CFR Part 312)

Baseline US children's data privacy regime. Applies to operators of websites/online services directed to children under 13, and to general-audience services with actual knowledge they collect personal info from under-13 users.

Jurisdiction

United States

Enacted

Oct 21, 1998

Effective

Apr 21, 2000

Enforcement

Federal Trade Commission (FTC) + State Attorneys General

eCFR — 16 CFR Part 312

Why It Matters

Applies to services that can attract under-13 users (games, companions, character chat, social features). Key US regulation requiring parental consent and data minimization. FTC actively enforcing against AI companies.

Recent Developments

FTC issued final COPPA Rule amendments January 2025; effective June 23, 2025; full compliance deadline April 22, 2026. Expands "personal information" definition, strengthens consent requirements, limits data retention.

At a Glance

Applies to

Social PlatformOnline PlatformGaming PlatformGeneral ChatbotAI CompanionCharacter Chatbot Minors-focused

Harms addressed

Child Exposure

Requires

Age Verification Data Minimization User Rights

Who Must Comply

Operators of child-directed websites/online services
Operators with actual knowledge they collect personal info from children under 13
Ad networks / plug-ins collecting from child-directed properties

Obligations fall on:

Operator — Operates the platform or service

Applicability thresholds:

Under 13 years old — Parental consent required for data collection

Safety Provisions

Provide clear/complete privacy notices for children's data practices
Obtain verifiable parental consent before collecting/using/disclosing personal information from children under 13
Give parents access/choice rights (review, delete, refuse further collection)
Data minimization: cannot condition participation on more data than reasonably necessary
Maintain reasonable security procedures for children's personal information
Retention limits: keep children's data only as long as reasonably necessary, then delete securely
Cannot disclose children's data to third parties without parental consent

Compliance & Enforcement

Key Dates

Apr 21, 2000

Initial COPPA Rule becomes effective

Jul 1, 2013

2013 amendments effective (expanded definitions, new parental consent requirements)

Jun 23, 2025

2025 amendments effective

Oct 22, 2025

Safe Harbor programs compliance deadline

Apr 22, 2026

Full operator compliance deadline for 2025 amendments

Penalties

$53K/violation

Primary Source

eCFR — 16 CFR Part 312

https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312

View on map

United States

Focus Areas

Mental health & crisis

Child safety

Algorithmic accountability

Active safeguards required

Compliance Help

Requires age-screening strategy (or strict no-collection-from-children guardrails), verifiable parental consent flow, parental rights workflows (access/delete), data minimization and retention deletion, and vendor/SDK controls to prevent silent third-party collection.

See how NOPE helps

Cite This

APA

United States. (1998). Children's Online Privacy Protection Act (COPPA) + FTC COPPA Rule (16 CFR Part 312).

Related Regulations

Pending US

COPPA 2.0

Would expand COPPA-style protections to teens (13-16) and add stronger constraints including limits on targeted advertising to minors. Often paired politically with KOSA.

Pending US

KOSA

Would establish duty of care for platforms regarding minor safety. Passed full Senate 91-3 in July 2024; passed Senate Commerce Committee multiple times (2022, 2023). Not yet enacted.

Enacted US-VT

VT AADC

Vermont design code structured to be more litigation-resistant: focuses on data processing harms rather than content-based restrictions. AG rulemaking authority begins July 2025.

In Effect FI

Finland AI Act

Finland's EU AI Act implementation using decentralized supervision model. Traficom serves as single point of contact and coordination authority. Ten market surveillance authorities share enforcement across sectors. New Sanctions Board handles fines over EUR 100,000.

In Effect HU

Hungary AI Act

Hungary's comprehensive AI law implementing the EU AI Act. Designates the National Media and Infocommunications Authority (NMHH) as the primary supervisory authority, with sectoral regulators for specific domains.

In Effect DK

Denmark AI Act

First EU member state to fully implement the EU AI Act. Designates three competent authorities, establishes penalty framework aligned with EU maximums, and grants inspection/enforcement powers. Does not add material requirements beyond EU AI Act.

All regulations Check if this applies to you

Last updated February 17, 2026. Verify against primary sources before relying on this information.