If children under 13 might use your site or app, COPPA applies to you. Even if you didn't plan it that way. Generate a compliant children's privacy policy now. Free.
The FTC has been very clear. The fines have been very large. Here's what you need to know.
The FTC doesn't care if you intended to target children. If they can reasonably use your product, you need COPPA compliance. YouTube paid $170 million for this exact reason. Intention is irrelevant. Actual use is what matters.
COPPA requires verifiable parental consent before collecting any personal data from under-13 users. Your policy explains the mechanism and the rights parents have to review, access, and delete their child's data at any time.
General-audience sites that knowingly collect data from children still need COPPA compliance sections. Your generated policy handles both scenarios: fully child-directed platforms and mixed-audience platforms with age-gating.
The law is broader and stricter than most people realize. Here's the full picture.
COPPA — the Children's Online Privacy Protection Act — passed in 1998 and was updated by the FTC in 2013. It covers websites and online services that are either directed at children under 13 or that have actual knowledge they're collecting personal information from children under 13. That second part is where most enforcement actions start, and it's the part most operators don't think about.
Here's what "directed at children" actually means. The FTC doesn't just look at whether you intended to target kids. They look at the totality of your product. Subject matter — is it about cartoon characters, crafts, or kids' entertainment? Visual content — does the design use bright colors, child-friendly fonts, cartoon imagery? Music — does the soundtrack appeal to children? Child-oriented celebrities or influencers — are you featuring people with primarily young audiences? If your product checks several of these boxes, the FTC may find it directed at children regardless of what your terms of service say about minimum age.
In 2019, Google and YouTube agreed to pay $170 million to the FTC and New York Attorney General for collecting data from viewers of child-directed content without parental consent. The YouTube channels had content clearly aimed at children — toy unboxing videos, cartoons, kids' songs — and YouTube served targeted ads based on watch history. Same year, TikTok (then Musical.ly) paid $5.7 million for knowingly collecting personal information from children under 13 without parental consent. Before the settlement, Musical.ly let children create profiles, post videos, and interact publicly. The FTC also cited Age Gate Theater, a small online game company, in 2022 for a fraction of those amounts. Big or small, the FTC pursues these cases.
So what are the six requirements COPPA operators must meet?

1. Post a clear and comprehensive privacy policy that describes your information practices for children's personal information.
2. Provide direct notice to parents before collecting their child's personal information.
3. Obtain verifiable parental consent before any collection, use, or disclosure.
4. Give parents the option to consent to collection and internal use of their child's information without consenting to disclosure to third parties.
5. Give parents access to their child's information and the ability to review and delete it.
6. Give parents the option to prevent further use or collection of their child's information.
Verifiable parental consent is the requirement most companies struggle with. The FTC has approved several methods:

- A signed consent form sent by the parent via postal mail or fax (yes, still legally valid).
- A credit card transaction with a fee (the fee is only a cent or two, but it verifies a parent).
- A toll-free phone number or video call with trained personnel.
- An email with an additional step — like following up by phone, postal mail, or digital certificate.
- Knowledge-based authentication questions.

The FTC calls these the "sliding scale" methods — the more sensitive the data collection, the stronger the consent mechanism you need. Collecting just a first name requires less than collecting photos, precise location, or conversations.
What data can you collect from children without parental consent? Very little. You can collect a child's name and online contact information to respond to a one-time request for information, as long as you don't retain it or use it for anything else. You can collect information needed to protect the safety of a child on your site, if you notify a parent promptly. You can collect a persistent identifier — like a device ID — as long as you don't tie it to a child's profile or use it to contact the child. That's basically it. Everything else requires verifiable parental consent first.
Third-party advertising is a major compliance issue for child-directed platforms. You cannot use behavioral advertising (interest-based, retargeted ads) on sites directed at children. This is why YouTube changed its entire ad model for child-directed content after the $170 million settlement — no more personalized ads, no more interest-based targeting. If your app uses Google AdMob, you need to configure it for child-directed content to disable behavioral targeting. The same applies to Facebook Audience Network, Unity Ads, and any other ad network. The network's ability to serve targeted ads doesn't change your COPPA obligation.
Analytics tools are another commonly missed issue. Google Analytics, by default, collects persistent identifiers and user behavior data. On a child-directed site, using standard Google Analytics without the child-directed content flag is a COPPA issue. Google's own documentation states that operators of child-directed sites should not use Google Analytics because it collects personal information. Some operators use server-side analytics that aggregate data without personal identifiers as an alternative. Others use privacy-preserving alternatives like Fathom or Plausible that collect no personally identifying information. Your COPPA policy should accurately reflect which analytics tools you use and how they're configured.
Finally, there are COPPA safe harbors. The FTC approves industry self-regulatory programs that provide COPPA compliance guidance and enforcement. If your company is a member of an approved safe harbor program like PRIVO, kidSAFE, or CARU, being a member can help demonstrate good-faith compliance. Our generated policy includes information about safe harbor programs where applicable. But safe harbor membership doesn't replace the actual requirements — it supplements them with additional oversight and accountability.
Every disclosure the FTC requires. All of them. For free.
Clear statement of which users this policy applies to, what age thresholds trigger the special protections, and how the platform determines user age.
Specific disclosure of every category of personal information collected from or about children under 13, including any persistent identifiers, usage data, or device information.
Description of the verifiable parental consent method used, how parents are notified, and what the consent covers. Specific to your platform type and data sensitivity.
Parents' right to review their child's personal information, delete it, refuse further collection or use, and withdraw previously given consent at any time without penalty.
Commitment to collecting only the minimum personal information necessary to provide the service, and not conditioning a child's participation on disclosing more information than necessary.
Children's personal information will not be retained longer than necessary for the purpose it was collected, and will be securely deleted when that purpose is met.
Strict limits on sharing children's data with third parties, including ad networks and analytics providers, and how those restrictions are implemented technically.
Direct contact information for parents to exercise their COPPA rights, submit deletion requests, revoke consent, or ask questions about their child's data.
Information about FTC-approved COPPA safe harbor programs and how membership in such programs provides additional accountability and oversight.
Date the policy was last updated and commitment to notifying parents of material changes to how their child's information is collected or used.
What it costs to get a compliant COPPA policy elsewhere versus here.
| Feature | FreeTOS | Paid Generator | Law Firm |
|---|---|---|---|
| Price | Free | $10/mo+ | $500+ |
| Signup Required | No | Yes | Yes |
| FTC COPPA Coverage | Full | Full | Full |
| Mixed-Audience Handling | Yes | Basic | Yes |
| Parental Rights Section | Yes | Yes | Yes |
| Safe Harbor Info | Yes | Rare | Yes |
| PDF Download | Free | Paid plan | Included |
Where to post it, how to link it, and what else you need to do beyond just having the document.