COPPA Compliance Guide: How to Protect Children's Privacy on Your Website (2026)
How to Write a COPPA-Compliant Privacy Policy
Your privacy policy is the cornerstone of COPPA compliance. According to the 2025 Global Privacy Sweep, 59% of children's platforms required an email address to access full functionality — yet most lacked a privacy policy that met legal standards. Here is exactly what yours must contain.
Required Elements of a COPPA Privacy Policy
- Operator identification — name, mailing address, phone number, and email for each operator collecting children's data
- Complete list of information collected — every type of personal information your service collects from children, including persistent identifiers
- Purpose of collection — why each type of information is collected and how it is used, including use of persistent identifiers (new 2026 requirement)
- Third-party disclosures — specific categories of third parties with whom children's data is shared and the purpose of each disclosure (new 2026 requirement)
- Parental rights — how parents can review, correct, or delete their child's information and revoke consent
- Retention period — how long children's data is retained and the basis for that period (new 2026 requirement)
- Voice data handling — if you collect audio files containing children's voices, how you use and dispose of those files (new 2026 requirement)
- Contact information — a designated contact point for parents to exercise their rights
The policy must be written in plain language, prominently posted on your homepage, and linked from every page where personal information is collected. If you operate a mobile app for iOS or Android, it must also appear in the app store listing.
If you are building an AI-powered app that children may use, COPPA requirements layer on top of your AI data handling obligations — both must be addressed in your privacy policy.
Generate Your COPPA Privacy Policy
Our free privacy policy generator creates a fully customized, COPPA-compliant policy covering all 2026 amendment requirements — including third-party disclosure categories, data retention periods, and parental rights — in under 5 minutes.
COPPA Penalties and Recent Enforcement Actions
The FTC can impose civil penalties of up to $53,088 per violation per day under COPPA. Each child whose data is improperly collected may represent a separate violation — meaning an app with thousands of underage users could face tens of millions in exposure. According to the FTC's enforcement history, recent settlements have ranged from $10 million to $20 million even for companies that cooperated with investigations.
Recent Notable COPPA Enforcement Actions
Disney — $10 million (2025)
The FTC alleged Disney failed to correctly label child-directed videos on YouTube, resulting in the collection of children's personal information without required protections. The settlement requires Disney to comply with COPPA and establish a 10-year Audience Designation Program to review every video it uploads.
HoYoverse (Genshin Impact) — $20 million (January 2025)
The FTC charged the developer of Genshin Impact with collecting personal information from children and teens without parental consent and selling loot boxes to minors under 16 without parental approval. The company is banned from selling loot boxes to users under 16 without parental consent going forward.
NGL Labs (2024)
The FTC took action against anonymous messaging app NGL for unfairly marketing its service to children and teens — a reminder that marketing practices, not just data collection, can trigger COPPA enforcement.
For a broader view of your website's legal obligations beyond COPPA, see our complete legal pages checklist and our GDPR guide for small businesses, which covers the parallel European children's data framework.
COPPA vs. State Children's Privacy Laws
Federal COPPA is a floor, not a ceiling. Several states have enacted stricter children's privacy laws that apply independently:
- California Age-Appropriate Design Code (AADC) — Applies to services "likely to be accessed by children" (broader than COPPA's under-13 threshold) and requires default high-privacy settings and data protection impact assessments
- Texas Children's Privacy Law — Extends COPPA-like protections to teens under 18
- Florida's Digital Bill of Rights — Covers users under 18 and includes parental consent requirements for certain data processing activities
If your site sells products or services to consumers across multiple states, review our e-commerce legal requirements guide to understand how state privacy laws intersect with your online store obligations.
Frequently Asked Questions About COPPA Compliance
Does COPPA apply if I don't intentionally target children?
Yes — if you have "actual knowledge" that you are collecting personal information from a child under 13, COPPA applies regardless of whether your site is designed for children. The FTC considers factors like subject matter, visual content, animated characters, and celebrity appeal when determining whether a site is "directed to children." If a user self-identifies as under 13 during registration, COPPA obligations attach immediately. According to the 2025 Global Privacy Sweep, 45% of children's services used age assurance mechanisms, but the majority could be easily circumvented — meaning many operators had far more child users than their systems acknowledged.
What is the COPPA penalty per violation in 2026?
The FTC can seek civil penalties of up to $53,088 per violation per day. In enforcement, each child whose data is improperly collected may constitute a separate violation. The $20 million HoYoverse settlement and $10 million Disney settlement in 2025 illustrate the potential scale of liability for companies with large underage user bases. Aggravating factors — such as prior violations, large numbers of children affected, or particularly sensitive data types — can push penalties higher.
My app only collects data for "internal operations" — am I exempt from COPPA?
The "support for internal operations" exception permits operators to use persistent identifiers for limited purposes (such as contextual advertising or site analytics) without verifiable parental consent — but only if the data is not used for behavioral advertising or combined with other personal information. Under the 2026 amendments, this exception has narrowed: targeted advertising now requires a separate opt-in regardless of how data is categorized internally. 70% of children's apps globally collected personal identifiers, suggesting most operators cannot rely on this exception for all their data practices.
What documents do I need beyond a COPPA privacy policy?
A COPPA privacy policy is mandatory, but compliance also requires: a parental notice and consent workflow, a written data retention and deletion policy, third-party vendor agreements governing children's data, and internal employee training documentation. Our complete legal pages checklist covers all the documents a compliant website should have — COPPA-specific and otherwise. If you publish sponsored content or affiliate links on a site children might access, review our FTC affiliate disclosure requirements guide as well.
Getting COPPA-Compliant: Where to Start Today
The April 22, 2026 compliance deadline for the COPPA amendments has passed. If your site or app could be accessed by children under 13 and you have not yet updated your privacy policy, consent flows, and data retention practices, you are currently exposed to FTC enforcement.
Here is a practical starting sequence:
- Audit your data collection — identify every touchpoint where your service collects user information and flag those that could involve children under 13
- Assess your legal status — are you a child-directed service, a mixed audience service, or a general-audience site with potential child users?
- Update your privacy policy — ensure it names specific third-party categories, states a retention period, and addresses parental rights and voice data handling
- Upgrade your consent flow — implement a separate opt-in for targeted advertising and verify your consent method qualifies as "verifiable parental consent"
- Implement deletion workflows — give parents a clear, accessible path to review and delete their child's data
- Review third-party integrations — confirm that advertising partners, analytics providers, and other third parties are not using children's data in ways that require consent you have not obtained
- Document everything — retain records of consent, retention policies, and vendor agreements
Our free legal document generator creates a customized COPPA-compliant privacy policy covering all 2026 amendment requirements in under 5 minutes. You can also explore our guide on website disclaimers for additional legal protections to consider alongside your privacy policy.