The Children’s Online Privacy Protection Act (COPPA) has long been a cornerstone of child privacy protection, setting stringent requirements for online services that collect personal information from children under 13. Recently, there have been proposed updates to COPPA and the emergence of state-level regulations like Colorado’s Privacy Protections for Children's Online Data Act and California’s Age-Appropriate Design Code Act. These developments underscore the need for businesses to stay ahead of compliance requirements while balancing innovation and product strategies. Find out how DataProbity can help you navigate the complexities of COPPA.

---

Navigating COPPA Compliance and Proposed Enhancements

The Children’s Online Privacy Protection Act (COPPA), enacted in 1998 and enforced by the FTC, serves as a landmark law aimed at safeguarding the privacy and safety of children under the age of 13 in the digital landscape. Recognizing the unique vulnerabilities of children online, COPPA established comprehensive requirements for operators of commercial websites and online services that are directed at children or that knowingly collect, use, or disclose personal information from children. The law mandates transparency in data practices, parental involvement, and strict limitations on the collection and use of children’s personal data. Recent discussions propose updates to strengthen these protections in light of evolving technological challenges.

Key Requirements Under COPPA

COPPA defines personal information broadly, covering identifiers such as a child’s name, physical address, email address, phone number, social security number, and other unique identifiers as determined by the FTC. Additionally, it regulates the release or public availability of this information in identifiable form through home pages, chat rooms, pen pal services, email services, or message boards. Operators must limit data collection to what is reasonably necessary for the service and cannot condition a child’s participation on the provision of unnecessary personal information.

---

Proposed Updates to Strengthen COPPA

Recent updates to COPPA have been proposed to address the rapid evolution of technology and its impact on children’s privacy. These include expanding the definition of personal information to cover biometric data, geolocation, and algorithmic profiles, aligning COPPA with international standards such as the EU's GDPR. These updates remain in the proposal stage and are not yet enforceable.

Parental consent mechanisms have also been a focus of ongoing discussions, with stricter verification processes suggested to ensure that only legitimate guardians authorize data collection. Similarly, a proposed ban on targeted advertising to children aims to curb exploitative practices. Operators would need to ensure compliance with these potential standards by adopting enhanced transparency and accountability measures.

---

State-Level Regulations and COPPA

State-level regulations aimed at protecting children's online privacy have expanded beyond COPPA, with states like Colorado, Connecticut, and Utah introducing their own measures. Colorado’s Privacy Protections for Children's Online Data Act, which amends the Colorado Privacy Act and takes effect in October 2025, establishes stricter rules for processing minors' personal data when there is a heightened risk of harm. It applies to businesses operating in Colorado or targeting Colorado residents, regardless of revenue. The law prohibits processing a minor’s data for targeted advertising, selling personal data, or profiling without consent and restricts the use of design features that significantly extend engagement or collect precise geolocation data. It also requires companies to conduct data protection assessments for any product or service that could pose risks to minors. However, it does not mandate age verification, though companies that use commercially reasonable age estimation are protected from liability. Enforcement falls under the Colorado attorney general and district attorneys, who may notify companies of violations and allow time for corrective action.

California’s Age-Appropriate Design Code Act (CAADCA) differs by going beyond data protections and regulating how online services are designed for minors. It mandates high default privacy settings, limits profiling, and requires businesses to conduct risk assessments, but it also seeks to mitigate mental health risks, excessive screen time, and algorithmic harm. Unlike Colorado’s law, which focuses on data processing, CAADCA includes design-based safety features to create a safer digital environment for children. However, in August 2024, the Ninth Circuit Court of Appeals blocked certain provisions, ruling that restrictions on content-based harms violated the First Amendment, though it upheld privacy-focused aspects such as data minimization. Critics, including the ACLU, argued that some provisions could unintentionally limit minors' access to mental health resources and news, while tech industry groups challenged the law as vague and overly broad. Despite legal setbacks, states continue to explore new approaches to balancing child privacy, online safety, and free speech.

---

Staying ahead of evolving COPPA requirements demands constant vigilance and adaptation. We specialize in developing future-proof COPPA compliance programs that accommodate proposed enhancements while maintaining operational efficiency. Reach out today to learn how to strengthen your COPPA privacy protections with our specialized guidance.

---