"Children's Online Privacy and COPPA"
By: Srishti Mulgund
______________
Introduction
Data privacy is “the principle that a person should have control over their personal data,
including the ability to decide how organizations collect, store, and use their data” (Kosinski &
Forrest, 2025). Children and minors are particularly vulnerable to data collection, manipulation,
misuse, and exploitation, making online privacy protections especially critical for this
population. As children are exposed to digital platforms at increasingly younger ages, the
absence of adequate legal safeguards can result in long-term harm, including unauthorized data
profiling, targeted advertising, and exploitation (Livingstone et al., 2024).
To mitigate risk related to minors online, the United States enacted the Children’s Online Privacy
Protection Act (COPPA) in 1998 to protect the online privacy of children under the age of 13 by
requiring websites and online services to obtain parental consent before collecting personal
information from minors (15 U.S.C. § 6502 (2020)). The key requirements of the COPPA Act
are the following: (i) companies publish a clear and comprehensive privacy policy, (2) obtain
verifiable parental consent before collecting personal data of the children, (iii) allow parents to
revoke consent and request the deletion of collected information, and (iv) maintain the
confidentiality, security, and integrity of children’s data (EPIC, n.d., para. 3).
COPPA created a basic framework for children’s online privacy, but fast-changing technology
and new ways kids use the internet make us question if the law is still enough. While the Act
provides important protections, it also has some limits that need to be looked at more closely.
COPPA’s Protective Framework and Core Rights
COPPA contributes to a safer digital environment for children by providing several rights to
parents. One of its most important features is empowering parents by giving them greater control
over how their children’s personal information is collected, used, and shared. By requiring
parental consent, COPPA places adults in a gatekeeping role, enabling them to oversee and limit
their children’s exposure to data-driven risks (Steeves & Mačėnaitė, 2023).
This parental control also helps protect children from manipulative or inappropriate ads and
lowers the risk of exploitation. By limiting data collection, COPPA pushes companies to design
services for kids with privacy as a priority, rather than relying on surveillance-based business
models (Zuboff, 2019).
COPPA helps make sure companies are responsible for how they handle children’s data. When
big platforms break the rules, they can face penalties. For instance, TikTok was fined for failing
to inform parents and not getting their permission before collecting children’s personal
information, which violated COPPA rules (Kern & Farrar, Aug 2, 2024; DOJ Press Release, Feb
06, 2025). These actions encourage companies to handle data responsibly and be transparent,
which builds consumer trust. Overall, COPPA supports a culture of accountability and good data
practices for organizations that work with young users.
Structural Gaps and Emerging Challenges
Despite these benefits, COPPA has some clear limits. One major issue is that it only covers
children under 13, so teens aged 13 to 17 do not have the same federal privacy protections
(Johnson, 2020). As more teenagers use social media, gaming, and AI-driven services, the lack
of clear rules for this age group raises real concerns about data security, surveillance, and
exploitation.
Age verification is another problem. COPPA does not set a standard or reliable way to check a
user’s age, and platforms cannot just trust what users say. This means children might give the
wrong age, either by accident or to get around restrictions, which exposes them to the data
collection COPPA is supposed to stop. Even when parental controls work as intended, they can
seem too strict and limit access to useful educational or social resources online (Erickson et al.,
2016).
Because of these strict controls, many children find ways to get around the system. The Guardian
reports that 32% of children aged eight to seventeen with a social media profile said they
identified themselves as an age of 18 or older (Dan Milmo, 2022). This common workaround
weakens COPPA’s effectiveness and shows a gap between what the law intends and how people
actually behave.
COPPA also causes problems in schools, especially when digital tools are used in the classroom.
It is not always clear if parental consent is needed for data collection with educational
technology, or who is responsible, including schools, parents, or service providers (Walker et al.,
2023).
Compliance Burdens and the Business Perspective
For companies, following COPPA can be costly and complicated. They must set up strong data
security, keep detailed privacy policies, and manage consent systems, all of which add to costs
and legal risks. For small businesses and startups, these rules can make it hard to enter the
market or may even stop them from creating digital services for children. However, it is
important to safeguard the data privacy of children, even though protecting children can incur
some costs. Therefore, there is a need for developing best practices and implementation guides
that help organizations comply cost-effectively. Further, it is equally critical to update the law to
address privacy issues emerging from novel technologies such as Generative Artificial
Intelligence.
Future Directions and Conclusion
Recognizing these challenges, lawmakers have begun to propose legislation to modernize the
Act to reflect contemporary technologies and usage patterns (Price, 2024). These proposed
reforms may expand age protections, clarify consent requirements, and address emerging issues
such as AI-driven data collection and algorithmic profiling.
Updating the COPPA Act offers a unique opportunity not only to improve the digital privacy of
children and minors but also to balance parental control and teen independence in the context of
new technologies. As the online world evolves, the laws that protect its most vulnerable users
must keep pace.
Bibliography
Kosinski, M., & Forrest, A. (2025, November 17). What is data privacy?. IBM. https://www.ibm.com/think/topics/data-privacy
Electronic Privacy Information Center. (n.d.). Children’s privacy. EPIC. Retrieved January 10, 2026, from https://epic.org/issues/data-protection/childrens-privacy/
Price, T. (2024, April 26). Children and teens’ online privacy act pros and cons - the american consumer institute center for citizen research, from https://www.theamericanconsumer.org/2024/04/children-and-teens-online-privacy-act-pros-and-cons/
Milmo, D. (2022, October 10). Adult online age used by third of eight- to 17-year-old social media users. The Guardian. https://www.theguardian.com/media/2022/oct/11/adult-online-age-eight-to-17-year-old-social-media-users
Justice Department sues TikTok and parent company ByteDance for widespread violations of children’s privacy laws. Office of Public Affairs | Justice Department Sues TikTok and
Parent Company ByteDance for Widespread Violations of Children’s Privacy Laws | United States Department of Justice. (2025, February 6). https://www.justice.gov/archives/opa/pr/justice-department-sues-tiktok-and-parent-company-bytedance-widespread-violations-childrens
Kern & Farrar, (August 2, 2024). Press Release, FTC investigation leads to lawsuit against TikTok and ByteDance for flagrantly violating children’s privacy law. Federal Trade Commission. https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy-law
Federal Trade Commission, & Federal Trade Commission. (2002). Protecting children’s privacy under COPPA: A survey on compliance. Retrieved July.
15 USC 6501: Definitions. (n.d.). https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-section6501&edition=prelim