Charter Data PrivacyJurisdictional Research
Home/Federal Baseline/COPPA

COPPA

Children's Online Privacy Protection Act

Statute
15 U.S.C. §§ 6501-6506
Regulations
16 C.F.R. Part 312
Enacted / Last Major Amendment
1998
Jurisdictional Layer
Federal Baseline (federal)

Summary

FTC-enforced. Operators of websites or online services directed to children under 13 (or with actual knowledge of collecting PII from them) must obtain verifiable parental consent or rely on the 'school consent' exception for educational uses.

Key Terms

School consent doctrine
Schools may provide consent for educational use of a service IF the service is used for the school's educational purpose and the operator collects no more PII than reasonably necessary.
Verifiable parental consent
FTC-specified methods of confirming the consenting adult is actually the parent.

School-side obligations

  • Vet vendors for COPPA compliance before deployment
  • Provide parents with the operator's privacy notice
  • Honor parental opt-out requests
  • Maintain documentation of vendor vetting

Vendor-side obligations

  • Post a privacy policy describing data practices
  • Obtain verifiable parental consent or rely on school consent
  • Allow parents to review their child's PII
  • Allow parents to delete their child's PII
  • Maintain confidentiality, security, and integrity of children's PII

Breach notification

COPPA does not impose its own breach-notification timeline; FTC enforcement focuses on overall security adequacy.

Enforcement

FTC enforces. Penalties up to $51,744 per violation (inflation-adjusted, verify current). Notable: YouTube/Google $170M (2019), Epic Games $275M (2022).

NCSC AI Toolkit — Scanner Fields

These fields in the NCSC AI Toolkit derive from this statute:

requires_dpa_for_under_13_servicesrequires_school_consent_documentationrequires_parental_review_mechanism

Case Law — Verification Queue

Pending vLex verification. Never cite these without verification.

  • FTC v. Epic Games
    Settlement, $275M (2022)
    Expanded scope of COPPA enforcement to in-game default settings
  • FTC v. YouTube/Google
    Settlement, $170M (2019)
    School-directed content also requires COPPA compliance

Open Questions / Unsettled Law

  • AI tutoring and chat apps: where school consent ends and parental consent begins
  • Behavioral advertising vs educational analytics line