COPPA and Children's Privacy: The $170 Million Mistake in "Kid-Friendly" Content

When YouTube settled with the Federal Trade Commission for $170 million in 2019, the message was unmistakable: children's privacy isn't an afterthought, and violations carry staggering costs. The settlement—one of the largest in COPPA history—demonstrated that even tech giants face consequences when they collect data from children without proper safeguards.

For parents, app developers, and educators, understanding COPPA (the Children's Online Privacy Protection Act) isn't optional. It governs how websites and online services interact with users under 13, establishing requirements that differ significantly from adult-oriented privacy practices. Violations don't just risk regulatory penalties—they risk exploiting children's vulnerability in ways that can affect their digital footprints for years.

What COPPA Actually Requires

Enacted in 1998 and significantly updated in 2013, COPPA applies to operators of websites and online services directed to children under 13, as well as those with actual knowledge they're collecting data from children. The law establishes specific requirements:

Verifiable Parental Consent

Before collecting personal information from children, companies must obtain verifiable parental consent. This isn't a checkbox or an email confirmation—it requires mechanisms that reasonably ensure the person providing consent is actually the child's parent.

Acceptable methods include:

• Credit card authorization with small charge verification
• Video conference with trained staff
• Signed consent forms with government ID verification
• Knowledge-based challenge questions (though these have limitations)
• Digital certificates (rarely used due to complexity)

The key word is "verifiable." COPPA requires more than good faith assumptions about who clicks "I agree."

Data Minimization

Companies can only collect information "reasonably necessary" to participate in the activity. If a game doesn't need a child's email address to function, it can't require one for registration. This principle limits the data footprint children create online.

Retention and Deletion Requirements

Personal information can only be retained as long as necessary for the purpose collected. When no longer needed, it must be securely deleted. Parents can also review their child's data and request deletion at any time.

Privacy Policy Requirements

COPPA-mandated privacy policies must include:

• What information is collected
• How it's used
• Disclosure practices
• Parental rights to review, delete, and refuse further collection
• Contact information for exercising these rights

No Conditional Collection

Children can't be required to provide more information than reasonably necessary to participate in an activity. A coloring app can't demand phone numbers or addresses to unlock features.

"Directed to Children": The Definition Challenge

COPPA applies to sites and services "directed to children." But what does that mean exactly? The FTC considers multiple factors:

Subject Matter

Content about cartoons, games, toys, early education, or child celebrities suggests child-directed status. But subject matter alone isn't determinative—many general interest topics appeal to children without making content child-directed.

Visual Content

Bright colors, animated characters, child-oriented design, and playful aesthetics signal child-directed content. The visual language of children's media is distinctive, and COPPA enforcement examines whether sites adopt this language.

Use of Child-Directed Music or Celebrities

Featuring popular children's music, child YouTube stars, or characters from children's media suggests targeting young audiences.

Age of Models

Using young children in promotional materials or demonstrations indicates child-directed content. Even if the product itself could appeal broadly, featuring children in marketing triggers COPPA scrutiny.

Competence of Child Audience

Content requiring reading or comprehension skills beyond young children's abilities may escape COPPA designation despite child-friendly topics. Conversely, content deliberately accessible to young children—even if also used by adults—may qualify.

The Mixed Audience Problem

Many platforms serve both children and adults. COPPA permits age-gates—screens asking users to confirm they're over 13. But age-gates must be effective, and platforms can't simply ignore when children lie about their age.

The FTC emphasizes that ineffective age-gates don't protect companies. If a platform knows or has reason to know users are under 13—through behavior patterns, reported ages in profiles, or other indicators—COPPA obligations attach regardless of what age-gate responses indicate.

What Changes Under COPPA

When COPPA applies, business practices must change significantly:

No Behavioral Advertising

Tracking children's online behavior to serve targeted advertising is prohibited. Children's data can't fuel the surveillance advertising model that dominates adult internet economics.

No Geo-Location Without Consent

Precise location data collection requires specific parental consent. Many child-directed apps simply don't collect location rather than implementing consent mechanisms.

No Push Notifications Without Consent

Engagement tactics like push notifications require parental consent, limiting how apps can re-engage child users.

Restricted Third-Party Sharing

Disclosing children's personal information to third parties is heavily restricted. The tracking pixels, analytics tools, and advertising networks ubiquitous in adult services largely disappear from COPPA-compliant offerings.

Data Minimization

COPPA forces companies to ask: Do we really need this information? For children, the default answer is usually no.

Recent Enforcement and Settlements

The YouTube settlement dominated headlines, but COPPA enforcement has accelerated across multiple platforms:

TikTok (2019): $5.7 Million

The FTC fined TikTok predecessor Musical.ly for collecting personal information from children without parental consent. The settlement included requirements to implement COPPA compliance measures and delete improperly collected data.

Epic Games (2022): $275 Million

The Fortnite creator received the largest COPPA penalty in history for collecting data from children under 13 without parental consent and enabling unauthorized charges. Epic also paid $245 million in consumer refunds for dark patterns that tricked children into making purchases.

OpenX (2022): $2 Million

The ad tech company settled for collecting personal information from children through child-directed apps, demonstrating that advertising infrastructure—not just content platforms—faces COPPA liability.

Google/YouTube (2019): $170 Million

The landmark settlement involved YouTube channels directed to children where Google collected data and served targeted advertising without parental consent. The settlement required YouTube to implement COPPA compliance systems and provide clearer guidance to content creators.

These enforcement actions establish that COPPA violations carry real consequences—and that both platforms and supporting services face liability.

The YouTube Settlement's Lasting Impact

The YouTube settlement created ripple effects across the platform economy. Key implications:

Content Creator Responsibility

YouTube now requires creators to designate whether their content is directed to children. This designation triggers COPPA-mandated restrictions on data collection and advertising. Creators face potential FTC liability for misdesignation.

Reduced Monetization for Children's Content

Because behavioral advertising is prohibited on child-directed content, creators of children's videos see reduced ad revenue. This has shifted content economics, with some creators moving away from child-directed topics.

Platform-Wide Design Changes

YouTube implemented system-wide changes to data collection on child-designated content, demonstrating that COPPA compliance often requires fundamental platform architecture changes.

Education and Awareness

The settlement generated unprecedented awareness of COPPA among content creators, many of whom had never considered privacy law relevant to their work.

Parental Rights Under COPPA

COPPA grants parents specific rights regarding their children's data:

Review Rights

Parents can review personal information collected from their children. Companies must provide this access upon request.

Deletion Rights

Parents can request deletion of their children's personal information. While subject to some exceptions (legal obligations, security needs), deletion requests must be honored promptly.

Consent Refusal Rights

Parents can refuse further collection or use of their child's information. Companies must comply, though this may limit service functionality.

Notification Requirements

Companies must directly notify parents about their information practices before collecting children's data. This notice must be clear, prominent, and separate from general privacy policies.

Developer Compliance Checklist

For app developers and website operators, COPPA compliance requires systematic attention:

Determine Applicability

Honestly assess whether your service is directed to children or has actual knowledge of child users. The FTC considers the totality of circumstances, not just stated intentions.

Implement Verifiable Parental Consent

Choose consent mechanisms appropriate for your user base and risk profile. Document your consent procedures and verification processes.

Collect Only Necessary Data

Audit every data element you collect from children. Eliminate anything not reasonably necessary for the specific activity.

Establish Data Retention Limits

Define how long you'll retain children's data and implement deletion procedures. Don't retain data indefinitely "just in case."

Review Third-Party Integrations

Analytics tools, advertising networks, social media plugins—all may collect children's data. Either implement parental consent for these integrations or remove them from child-directed portions of your service.

Provide Direct Notice to Parents

Don't bury COPPA disclosures in privacy policies. Provide clear, standalone notices about your data practices.

Enable Parental Rights

Establish procedures for parents to review, delete, and refuse collection. Make these processes accessible and responsive.

Monitor for Actual Knowledge

If users indicate they're under 13—through profile information, behavior, or direct communication—you have actual knowledge triggering COPPA obligations regardless of age-gate responses.

The Broader Context: Beyond COPPA

While COPPA sets the federal floor, additional protections apply to children's privacy:

State Laws

California's Consumer Privacy Act provides enhanced protections for consumers under 16. Several states are considering children's privacy legislation that may exceed COPPA requirements.

School Contexts

FERPA (Family Educational Rights and Privacy Act) governs educational records in school settings. When edtech services receive student data through schools, additional restrictions apply.

International Standards

The GDPR provides enhanced protection for children's data in Europe, generally requiring parental consent for processing children's data under 16 (with member states able to lower to 13). Many platforms apply GDPR children's protections globally rather than maintaining separate systems.

Emerging Legislation

Proposals like the UK's Age Appropriate Design Code and California's Age-Appropriate Design Code Act extend beyond COPPA's information collection focus to require child-friendly design practices and default privacy protections.

Conclusion

COPPA represents an early recognition that children deserve enhanced privacy protections online. The law's requirements—verifiable parental consent, data minimization, and restricted third-party sharing—create meaningful barriers against commercial exploitation of children's data.

But COPPA is also showing its age. Drafted in 1998 and updated in 2013, it predates current platform business models and emerging technologies. The distinction between "child-directed" and general audience content struggles with platforms serving mixed audiences. And the verifiable consent requirement, while essential, creates friction that some services avoid by simply excluding children entirely.

Enforcement, however, has strengthened. The massive settlements against YouTube, TikTok, and Epic Games demonstrate that COPPA violations carry consequences even for the largest platforms. For developers and operators, compliance isn't optional—it's a cost of serving young audiences.

For parents, COPPA provides tools to protect children's privacy, but vigilance remains necessary. Not all services comply. Not all that claim COPPA compliance actually achieve it. And the law's protections, while substantial, don't eliminate all privacy risks children face online.

The $170 million YouTube settlement wasn't just a penalty—it was a message. Children's privacy matters. Violations will be punished. And the era of treating children's data like adult data is definitively over.

---

Related Articles:

• Privacy Policy Red Flags to Watch For
• Understanding GDPR Children's Protections
• Data Sharing With Partners: What "Partners" Really Means

Sources:

• 16 CFR Part 312 (COPPA Rule)
• FTC COPPA Guidance and FAQ
• FTC Enforcement Actions: YouTube (2019), TikTok (2019), Epic Games (2022)
• Safe Harbor Program Requirements