What COPPA Is and When It Applies
COPPA (Children's Online Privacy Protection Act) is a federal law that regulates how websites and apps collect information from children under 13. If your website or app knowingly collects data from children under 13, COPPA applies to you, even if most of your users are adults.
Key requirement: You must get verifiable parental consent before collecting personal information from a child under 13. Verifiable means the parent actually agrees, not just a checkbox or an honor system.
What Counts as Personal Information Under COPPA
COPPA defines personal information broadly:
- Name
- Email address
- Physical address
- Phone number
- Social Security number
- Account login credentials
- Payment information
- Persistent identifiers (cookies, device IDs, IP address)
- Geolocation data
- Photos or videos
- Data that could be used to identify the child
Note: IP addresses and cookies count as personal information under COPPA, so if your site has any tracking, you're potentially collecting personal information from children.
Verifiable Parental Consent Methods
COPPA requires "verifiable parental consent." This means the parent must affirmatively agree. Here are FTC-approved methods:
- Email with PIN or access code: Send the parent a verification email with a unique code they must enter on your site to confirm
- Postal mail: Send a written request that the parent signs and mails back
- Credit card or other payment authorization: Process the parent's credit card to confirm they're an adult
- Phone call: Have a trained agent call the parent to verify consent
- Video chat or online authentication: Verify the parent's identity via video or government ID check
- Third-party services: Use a service specializing in parental consent verification (increasingly common)
What does NOT count as verifiable consent:
- A checkbox that says "I am the parent/guardian"
- An honor system
- Email confirmation without verification (parent must actually do something)
- Claiming you'll collect consent later
COPPA Privacy Policy Requirements
Your Privacy Policy must include:
- What information you collect from children: Be specific (names, email addresses, photos, etc.)
- How you collect it: Forms, cookies, analytics, registration
- How you use the information: Marketing? Product improvement? Third-party sharing?
- What third parties have access: List all service providers and partners
- How long you keep it: Retention periods for child data
- How parents can access, modify, or delete child data: Explain the process clearly
- How you notify about privacy policy changes: Do you ask permission again?
The Privacy Policy must be clearly written and easy to understand. The FTC expects plain language: no legal jargon that confuses parents.
What Happens If You Don't Comply?
Fines: The FTC and state attorneys general can fine your business up to $43,792 per violation. If you collected data from 1,000 children without verifiable parental consent, that's potentially $43,792,000 in fines.
Enforcement: The FTC actively investigates COPPA violations. YouTube was fined $170 million. TikTok paid $92.7 million. Amazon paid $25 million. Large or small, violations are prosecuted.
Injunctions: Courts can order you to delete all collected child data and modify your practices.
Do I Need Parental Consent? Checklist
You MUST get parental consent if:
- Your site collects any personal information from children under 13
- Your site knowingly targets children under 13
- You use cookies, analytics, or pixel tracking (these collect IP addresses/identifiers)
You MAY NOT need parental consent if:
- Your site doesn't knowingly collect information from children under 13
- You don't use any tracking (cookies, analytics, pixels)
- Your site is clearly for adults only (age gate at entry)
If you're unsure: Assume children visit your site. Implement parental consent. The downside of failing to get consent when you should have is enormous.
Practical Steps to Implement COPPA Compliance
- Add an age gate: Ask "Are you 13 or older?" If yes, no parental consent needed. If no, request parental consent before proceeding.
- Implement verifiable consent: Use email with PIN, credit card verification, or a third-party service. Don't use checkboxes.
- Update your Privacy Policy: Clearly disclose data collection, use, and parent rights.
- Store consent records: Document that you obtained parental consent for each child. Keep these for FTC audits.
- Disable tracking for children: Turn off Google Analytics, Meta Pixel, and other tracking tools for children under 13. Or exclude child data from tracking.
- Provide parent access/deletion: Create a process for parents to request access to or deletion of their child's data. Respond within a reasonable timeframe.