By the Legal Policy Generator team · Published 2026-04-10
COPPA Compliance Checklist for Websites and Apps (2026 Guide)
Each of these four areas maps directly to a COPPA requirement. At its core, the [COPPA Rule](https://www.govinfo.gov/content/pkg/CFR-2017-title16-vol1/xml/CFR-2017-title16-vol1-part312.xml) defines a "child" as anyone under 13 and requires operators to obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. If you operate a child-directed service, each area below should be specifically addressed in your compliance review.
## COPPA for Mobile Apps: Additional Requirements
If you operate a mobile app that is directed to children, or where children are among the users, COPPA applies with equal force. App-specific considerations:
**App store categorization:** Apple and Google require apps in their kids' categories to comply with COPPA. Listing your app in a kids' section while collecting data without parental consent is high-visibility non-compliance.
**Third-party SDKs:** This is the leading source of COPPA violations in apps. Many analytics and advertising SDKs collect persistent identifiers (advertising IDs, device fingerprints) automatically. You are responsible for what these SDKs do inside your app, even if you did not build the data collection yourself.
Pixalate's Q2 2024 research found child-directed apps are **50% more likely** to transmit both GPS and IP address data in the open programmatic ad bid stream compared to non-child-directed apps. ([Pixalate, 2024](https://www.pixalate.com/blog/q2-2024-google-vs-apple-coppa-risk-scorecard-report)). That transmission, without parental consent, is a COPPA violation.
**App-specific checklist additions:**
- ☐ Review each third-party SDK for data collection behavior — advertising IDs, GPS, device fingerprinting
- ☐ Use child-safe versions of analytics SDKs where available (for example, Firebase Analytics with the COPPA flag enabled)
- ☐ Disable advertising ID collection for users in kids' apps
- ☐ Ensure your [privacy policy](/privacy-policy) specifically covers in-app data collection, not just your website
## Safe Harbor Programs: Reducing Enforcement Exposure
COPPA includes a safe harbor provision: operators participating in FTC-approved self-regulatory programs receive a presumption of compliance and reduced enforcement risk. The three main programs are:
| Program | Best for | Key requirement |
|---------|----------|-----------------|
| **CARU** (Children's Advertising Review Unit) | Consumer products, entertainment apps, general websites | Annual review, fee-based |
| **ESRB Privacy Certified** | Video games, gaming platforms | Annual audit, fee-based |
| **TrustArc** | Enterprise SaaS, B2B, general digital services | Annual audit, fee-based |
Under the [2025 rule amendments](https://www.govinfo.gov/content/pkg/FR-2025-04-22/html/2025-05904.htm), FTC-approved safe harbor programs face expanded transparency obligations — including publicly disclosing their membership lists and reporting additional information to the FTC — making the protection they offer more credible and meaningful.
For child-directed services or high-traffic platforms with child users, a safe harbor program is worth serious consideration. It demonstrates good-faith compliance and provides a defined process that regulators view favorably.
## Related Legal Documents
COPPA compliance intersects with several other legal documents your site should have in place:
- [Privacy Policy](/privacy-policy) — required by COPPA and must include child-directed disclosures
- [Terms of Service](/terms-of-service) — should include age restrictions and parental consent language
- [Cookie Policy](/cookie-policy) — cookies can be persistent identifiers under COPPA; your cookie practices must align
- [GDPR for Small Businesses Guide](/blog/gdpr-for-small-business-plain-english-guide-2026) — GDPR and COPPA requirements overlap significantly for sites with EU visitors
- [CCPA vs GDPR Explained](/blog/ccpa-vs-gdpr-differences-explained) — state laws, including CCPA's under-16 provisions, layer on top of COPPA
- [Privacy Policy for Mobile Apps](/blog/privacy-policy-mobile-apps-ios-android) — app-specific privacy policy requirements beyond COPPA
- [AI Privacy Policy Guide](/blog/ai-privacy-policy-what-your-app-needs) — if your service uses AI and may be used by children, you face compounding compliance obligations
## FAQ
**Q: Does COPPA apply to my site if I have an age gate blocking users under 13?**
A: An age gate reduces your exposure but does not automatically satisfy COPPA. To decide whether a service is "directed to children," the [COPPA Rule](https://www.govinfo.gov/content/pkg/CFR-2017-title16-vol1/xml/CFR-2017-title16-vol1-part312.xml) weighs factors such as subject matter, visual content, use of animated characters or child-oriented activities, music, the age of models, the presence of child celebrities, and the language used. If the content, design, or subject matter would appeal to children, an age gate alone is not a complete defense. That said, a well-implemented age gate paired with data deletion for users under 13 is strong evidence of good-faith compliance.
**Q: What counts as "actual knowledge" that a user is under 13?**
A: The FTC has found actual knowledge in several ways: a user self-reporting a birth date under 13 during registration; a parent contacting the operator to report their child has an account; or internal analytics showing a significant portion of users are under 13. The [2024 TikTok lawsuit](https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy-law) alleged actual knowledge based on internal data showing millions of users were under 13 despite the platform's stated age restriction.
**Q: I operate a B2B SaaS company — does COPPA apply to me?**
A: Generally no, if your service is sold to and used solely by businesses. But if any business customer uses your service to collect or process data from children under 13 — for example, a school using your learning management system, or a children's brand using your CRM — COPPA can apply to that use case. Under longstanding FTC guidance, a school can authorize the collection of a student's personal information on a parent's behalf, but only for a school-authorized educational purpose and not for any commercial purpose. Note that the FTC ultimately [did not finalize](https://www.govinfo.gov/content/pkg/FR-2025-04-22/html/2025-05904.htm) the proposed ed-tech and school-authorization changes in the 2025 amendments, deferring to a separate Department of Education FERPA rulemaking, so this area remains governed by existing guidance rather than new rule text.
**Q: What should I do if I receive an FTC civil investigative demand?**
A: A civil investigative demand (CID) is a pre-lawsuit investigation tool, and the stakes are real — COPPA violations are assessed as FTC Act penalties, which currently carry a maximum of [$53,088 per violation](https://www.govinfo.gov/content/pkg/FR-2025-01-17/html/2025-01361.htm) (an amount the FTC adjusts annually for inflation). You are required to preserve all documents specified, respond within the stated deadline, and not destroy potentially relevant records. Engage a privacy attorney immediately. Do not respond to a CID without legal counsel. Document preservation obligations are not negotiable.
**Q: What is the April 22, 2026 compliance deadline, and what happens if I miss it?**
A: The amended COPPA Rule took effect June 23, 2025, and regulated entities generally have [until April 22, 2026 to comply](https://www.govinfo.gov/content/pkg/FR-2025-04-22/html/2025-05904.htm). The amendments require separate verifiable parental consent before disclosing a child's data to third parties for targeted advertising, expand the definition of personal information to include biometric identifiers, and add data retention and deletion requirements. Missing the deadline creates regulatory exposure. The FTC generally pursues enforcement based on patterns of violations and harm to children rather than purely technical deadline misses. The correct response is to remediate as quickly as possible and document your compliance efforts.
## Generate Your COPPA-Ready Privacy Policy
A COPPA-compliant [privacy policy](/privacy-policy) must include specific disclosures about children's data collection, parental rights, and parent contact methods — disclosures that a standard privacy policy template will not include.
Our free Privacy Policy Generator creates a policy covering COPPA, GDPR, CCPA, and more in under two minutes. No signup required.
**[Generate your COPPA-ready privacy policy →](/)**
---
*Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your jurisdiction and circumstances.*