COPPA in 2026: What US Children's Privacy Law Actually Covers

July 2, 2026 | Haven Team

The Children's Online Privacy Protection Act is the law most US parents assume is doing more work than it is. It regulates the collection of personal information from children under 13 by services that know they're dealing with a child. Almost every clause in that sentence is narrower than it sounds, and the narrowness is where most of the actual exposure lives.


COPPA became law in 1998 and its implementing rule took effect in 2000, which makes it one of the oldest privacy statutes still in active enforcement in the United States. It predates smartphones, app stores, social media as we know it, and the entire behavioral-advertising industry that now funds most of the free internet. The FTC has amended the implementing rule several times to keep pace, most recently with a significant update finalized in early 2025 that expanded coverage of third-party advertising SDKs and tightened parental-consent mechanics. The core structure of the law, however, hasn't changed, and that structure has three load-bearing limits worth understanding before you rely on it.

The "Actual Knowledge" Problem

COPPA applies to operators of websites or online services directed at children under 13, or operators who have actual knowledge they're collecting personal information from a child under 13. That second clause is the crack most services live in. A general-audience app with no age gate, no children's content, and no reason to believe a 9-year-old is using it typically isn't covered, even if 9-year-olds are in fact using it in large numbers, because "actual knowledge" is a specific legal standard, not a statistical inference. This is why so many services set their terms of service minimum age at 13: not primarily to protect children, but to construct plausible deniability against actual knowledge. A platform that never asks for age, and never learns it, has a defensible argument that it doesn't have actual knowledge of underage users, even while its own engagement algorithms may be optimized in ways that particularly reward child-typical usage patterns.

The age that matters legally isn't the age that matters developmentally

COPPA's bright line sits at 13, a number chosen for legal administrability in 1998, not a developmental threshold. A 14-year-old and a 17-year-old have essentially zero COPPA protection, and fall instead under a much thinner patchwork of state laws, most of which are newer, narrower, and currently being challenged in court.

What Verifiable Parental Consent Actually Requires

For services that are covered, the operative mechanism is verifiable parental consent (VPC) before collecting, using, or disclosing a child's personal information. The FTC has approved several methods over the years: a signed consent form returned by mail or fax, a credit card transaction, a video call with a trained reviewer, or a knowledge-based identity verification question. In practice, most consumer apps implement the cheapest compliant option, which historically has been a low-friction "enter a credit card number for a $0.01 charge" flow or an email-plus-checkbox pattern that the FTC has periodically flagged as insufficiently verifiable. The 2025 rule update pushed toward stronger methods for higher-risk data uses (biometric data, precise geolocation) while leaving the email-based "consent" mechanism intact for lower-risk collection, which means the practical strength of "parental consent" varies enormously by what's actually being collected.

What COPPA Does Not Regulate

This is the section that surprises most people. COPPA does not give a general right to have a child's data deleted outside the specific context it governs, does not regulate services aimed at teenagers 13 and over, does not cover data collected by a school on a school-issued device under a legitimate educational purpose (that runs through FERPA and state student-privacy laws instead), and does not regulate the sale of aggregate or de-identified data derived from children's usage patterns, provided the operator can show the data no longer identifies an individual child. It also doesn't reach content moderation, algorithmic recommendation design, or addictive-engagement patterns at all; those live in an entirely separate, much less settled area of state and proposed federal legislation.

| Question | Covered by COPPA |
| --- | --- |
| Under-13 personal data collection by a child-directed app | Yes, with VPC required |
| Under-13 data collected by a general-audience app with no actual knowledge | No |
| 13-to-17-year-old data collection, any service | No, falls to state law instead |
| School-issued device data under an educational purpose | No, governed by FERPA instead |
| Algorithmic engagement design, recommendation feeds | No, not addressed by COPPA at all |

Where This Leaves Enforcement

Enforcement runs through the FTC, and settlements over the past several years show the agency taking a fairly aggressive reading of the "actual knowledge" and "directed at children" tests, especially against platforms with substantial documented child audiences and internal data showing awareness of that audience, gaming and social platforms being the recurring targets. A large settlement doesn't retroactively give affected families a private right of action, though, because COPPA does not include one; only the FTC (and, for certain provisions, state attorneys general) can bring an enforcement action. If you're a parent looking for individual recourse after a specific data-collection incident, COPPA's enforcement structure isn't built to give you one directly. State comprehensive privacy laws, several of which now include minor-specific provisions layered on top of the general regime we cover in our CCPA-vs-GDPR comparison, are increasingly where individual-level rights actually live for US families.

COPPA was built to regulate a specific transaction: an operator knowingly collecting data from a young child. It was never built to regulate the ambient data economy a teenager, or an unflagged 9-year-old, moves through every day. Both gaps are real and both are currently the subject of active litigation and legislative proposals that haven't settled yet.

What Actually Reduces Exposure for a Family

Given the gaps above, the practical levers sit mostly outside the law itself. Setting accurate ages on accounts, where the platform actually enforces different data practices by age tier, does more than most people expect, because it can shift a child from "no actual knowledge, no protection" into "actual knowledge, COPPA applies." Reviewing what a school's device-management vendor collects and retains, since FERPA's protections are narrower and less actively enforced than COPPA's, matters for the growing share of a child's digital footprint that runs through education technology. And for communication specifically, using services with genuine end-to-end encryption and minimal metadata retention removes an entire category of data from the table regardless of what any single statute happens to require that quarter. This ties back to the broader point we made in data minimization as a design principle: the strongest privacy guarantee isn't a compliance certificate, it's data the operator never had to begin with.

Haven doesn't market to children and isn't designed as a children's product, but the architectural choice that would matter for any family evaluating a communication tool applies regardless of the user's age: message content is end-to-end encrypted client-side, so there's no plaintext sitting on a server to be swept up by a data breach, a subpoena, or a future rule change nobody's written yet.
