COPPA Privacy Policy for Kids Apps
Apps targeting children under 13 face the strictest privacy requirements of any app category. The FTC can impose civil penalties of up to $50,120 per violation under COPPA, and recent enforcement actions have resulted in fines exceeding $275 million. Generate a COPPA-compliant privacy policy that covers verifiable parental consent, data minimization, app store kids category rules, and GDPR children's provisions.
Why Apps Targeting Children Need COPPA-Compliant Privacy Policies
The Children's Online Privacy Protection Act (COPPA) is a US federal law enacted in 1998 and significantly updated in 2013, enforced by the Federal Trade Commission (FTC). It applies to any app, website, or online service that is either directed at children under 13 or has actual knowledge that it collects personal information from children under 13. COPPA is not optional guidance — it is a legally binding regulation with severe penalties for non-compliance.
FTC Penalties
Up to $50,120 per violation. Each instance of collecting a child's data without consent can be a separate violation. Epic Games paid $275M, Google/YouTube paid $170M, and Microsoft paid $20M in recent enforcement actions.
App Store Removal
Both Apple and Google will remove kids apps that violate their children's content policies. Apple's Kids Category requires strict COPPA compliance. Google's Families Policy mandates compliance for all apps targeting children.
20-Year Oversight
FTC consent orders typically include 20 years of mandatory compliance monitoring. Companies must submit regular compliance reports, maintain privacy programs, and undergo independent assessments for two decades.
COPPA applies regardless of where your company is based. If your app is accessible to children in the United States through the App Store or Google Play, you are subject to COPPA. The FTC determines whether an app is "directed at children" based on factors including: subject matter, visual content, characters, music, language, age of models, advertising placement, and whether the app is listed in a kids category on app stores.
Critical distinction: Even if you do not intend your app for children, COPPA applies if it collects data from users and you have "actual knowledge" that they are under 13 (e.g., they entered an age below 13, or a parent reported their child's account). Many general-audience apps have been fined for failing to implement age gates and treating known child users the same as adults.
What COPPA Requires: The 7 Core Obligations
COPPA imposes specific, non-negotiable requirements on operators of children's apps. Understanding these requirements is essential before designing your app or drafting your privacy policy. Here is what the law demands:
Verifiable Parental Consent (VPC): Critical
Before collecting, using, or disclosing personal information from a child under 13, operators must obtain verifiable parental consent. The FTC recognizes several methods: signed consent forms returned by mail, fax, or email scan; credit card transactions; calls to trained personnel; video conferencing; government-issued ID checked against a database; and knowledge-based challenge questions. The 'email plus' method is allowed for internal use only — not for public disclosure of a child's data.
Data Minimization: Critical
You may only collect personal information that is reasonably necessary for the child to participate in the activity. No profiling, no building behavioral profiles, no collecting data 'just in case.' If a drawing app only needs a username, you cannot also collect location, contacts, or device identifiers beyond what is strictly required for the app to function.
No Behavioral Advertising to Children: Critical
COPPA prohibits serving behaviorally targeted advertisements to children under 13. Only contextual advertising — ads based on the content of the page or app, not the user's behavior — is permitted. This means no AdMob personalized ads, no Facebook Audience Network retargeting, no cross-app tracking for ad purposes. Violating this is one of the most common reasons for FTC enforcement actions.
Clear and Comprehensive Privacy Policy
Your privacy policy must be written in clear, understandable language (not legal jargon). It must describe: all personal information collected from children, how that information is used, disclosure practices, and parental rights. The policy must be prominently linked from every point where data is collected and from your app store listing.
Parental Access and Deletion Rights
Parents have the right to review all personal information collected from their child, request that the information be deleted, and refuse to allow any further collection. You must provide a reasonable mechanism (email, web form, toll-free number) for parents to exercise these rights, and you must respond to requests promptly.
Data Retention Limits
Personal information collected from children must be retained only as long as reasonably necessary to fulfill the purpose for which it was collected. After that purpose is fulfilled, the data must be deleted using reasonable measures to protect against unauthorized access. Indefinite retention for analytics is not permitted.
Confidentiality and Security
Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. This includes both technical safeguards (encryption, access controls) and organizational measures (employee training, vendor agreements).
What Data Kids Apps Commonly Collect
Many developers underestimate how much personal information their kids app collects. Under COPPA, "personal information" includes any persistent identifier that can recognize a user over time — even anonymous device IDs. Here are the data categories you need to address in your privacy policy:
Device Identifiers
- Advertising ID (GAID / IDFA)
- Android ID or IDFV
- Device fingerprint data
- Installation UUID
Location Data
- GPS coordinates
- IP-based geolocation
- Wi-Fi access point data
- Cell tower triangulation
Chat & Communication
- Free-text chat messages
- Voice chat audio
- Emoji reactions and stickers
- Friend requests and social connections
Photos & Media
- Camera access for AR features
- Photo uploads for avatars or profiles
- Drawings and creative content
- Screenshots shared within the app
Usage & Behavioral Data
- Session duration and frequency
- Feature usage patterns
- Content preferences and interactions
- Search queries within the app
Account & Profile Data
- Username or display name
- Age or date of birth
- Email address (child's or parent's)
- Avatar selections and customizations
Apple App Store and Google Play Kids Category Requirements
Both Apple and Google impose their own children's app policies on top of COPPA. These platform-specific rules are often stricter than COPPA itself, and non-compliance results in app rejection or removal. Your privacy policy must address these requirements.
Apple Kids Category
- No third-party analytics SDKs allowed (no Firebase Analytics, no Mixpanel, no Amplitude)
- No third-party advertising SDKs allowed (no AdMob, no Unity Ads, no AppLovin)
- No links that leave the app without a parental gate
- Login must not be required (optional login with parental gate permitted)
- Must select one of three age bands: 5 and Under, 6-8, or 9-11
- Cannot use App Tracking Transparency (ATT) — kids apps must not request IDFA access
- Data collection must comply with Apple's privacy nutrition labels
Google Play Designed for Families
- Only Google-certified ad SDKs can be used (listed in Google's Families Self-Certified Ads SDK program)
- No personalized advertising — contextual ads only
- Must complete the Families Policy target audience questionnaire in Play Console
- APIs and SDKs used must be approved for use in child-directed services
- Ads must be age-appropriate in content
- Must declare Data Safety section accurately for all SDKs
- Teacher Approved badge available for educational apps meeting additional criteria
Mixed-audience apps: If your app targets both children and older users, you must implement an age gate at first launch. Google Play requires you to declare your target audience in Play Console. If you include children under 13 in your target audience, the Families Policy applies. Apple does not allow mixed-audience apps in the Kids Category — you must choose between Kids Category (strict rules) and a general category with an age gate.
Parental Consent Mechanisms: What the FTC Accepts
Obtaining verifiable parental consent (VPC) is the central obligation of COPPA. The FTC has approved several methods, each with different levels of reliability and friction. Your privacy policy must describe which method(s) you use and how parents can provide or withdraw consent.
Email Plus
Reliability: Moderate
Send a consent notice to the parent's email, then use an additional confirmation step (e.g., delayed confirmation email, phone call, or letter). Allowed only for internal use of data — not for disclosing a child's information publicly.
Best for: Internal data use only, lower-friction onboarding
Credit Card / Payment Verification
Reliability: High
Charge a small transaction amount to the parent's credit card as proof of identity. The charge can be nominal ($0.50-$1.00). Provides strong identity verification since only adults typically have credit cards.
Best for: Apps with in-app purchases or paid tiers
Government ID Check
Reliability: Very High
Parent submits a government-issued ID (driver's license, passport) which is checked against a database. The ID must be deleted promptly after verification. Often handled by third-party age verification services.
Best for: High-sensitivity data collection, social features
Knowledge-Based Authentication
Reliability: High
Ask the parent questions that only an adult would be able to answer, drawn from public databases (e.g., financial history questions similar to credit bureau authentication). Must be sufficiently rigorous to prevent child bypass.
Best for: No-cost verification, broad accessibility
Video Conference
Reliability: Very High
Conduct a live video call with the parent to verify identity. Requires trained staff and scheduling infrastructure. Provides very strong verification but has high operational cost.
Best for: Small user base, premium apps, highest-sensitivity data
Signed Consent Form
Reliability: High
Send a consent form to the parent via mail, fax, or email. Parent signs and returns the form. Physical mail is the most traditional method but introduces significant delay in the user experience.
Best for: Educational apps, institutional settings (schools)
FTC tip: The "email plus" method (sending a consent email to the parent, then confirming via a follow-up email after a delay) is the lowest-friction option but is only approved for internal use of data. If your app makes a child's personal information publicly available (e.g., a public username, leaderboard, or social features), you must use a higher-assurance method like credit card verification or government ID check.
How COPPA Interacts with GDPR for International Kids Apps
If your kids app is available in European Union countries (which most App Store and Google Play apps are), you must comply with both COPPA and GDPR simultaneously. While both laws protect children's data, they differ in significant ways:
| Aspect | COPPA (US) | GDPR (EU) |
|---|---|---|
| Age threshold | Under 13 (fixed) | Under 13-16 (varies by EU member state) |
| Parental consent required? | Yes — verifiable parental consent before any data collection | Yes — for children below the age of digital consent in their country |
| What triggers the law? | App directed at children OR actual knowledge of child users | Any processing of personal data of EU residents, including children |
| Penalties | Up to $50,120 per violation (FTC civil penalties) | Up to 4% of annual global revenue or EUR 20M (whichever is higher) |
| Data deletion rights | Parents can request deletion of child's data | Right to erasure (Article 17) — broader scope including automated data |
| Data minimization | Only what is reasonably necessary for the activity | Data must be adequate, relevant, and limited to what is necessary (Article 5) |
| Age of consent by country | 13 (uniform across all US states) | UK: 13, France: 15, Germany: 16, Spain: 13, Italy: 14, Netherlands: 16, Ireland: 16 |
The practical impact is significant: if your kids app is available globally, you need a privacy policy that addresses both COPPA and GDPR requirements. For US children under 13, you need verifiable parental consent under COPPA. For EU children, you need parental consent under GDPR Article 8, with the age threshold varying by country (13 in the UK, 15 in France, 16 in Germany).
PolicyForge Pro generates a single privacy policy that covers both COPPA and GDPR children's provisions, including country-specific age thresholds. See our GDPR Privacy Policy Generator for detailed EU compliance guidance.
Common COPPA Violations and FTC Enforcement Actions
The FTC has dramatically increased COPPA enforcement in recent years, with penalties growing from millions to hundreds of millions of dollars. Understanding past enforcement actions helps you avoid the same mistakes:
Epic Games (Fortnite)
(2022) $275 million
Collected personal information from children under 13 without parental consent. Used dark patterns to trick players into unintended purchases. Default privacy settings exposed children to voice and text chat with strangers.
Microsoft (Xbox)
(2023) $20 million
Collected personal information from children who signed up for Xbox Live accounts without notifying parents or obtaining consent. Retained children's data beyond what was necessary.
Edmodo
(2023) $6 million
Ed-tech platform collected personal data from children and used it for advertising purposes. Failed to obtain parental consent before collecting data from students under 13.
Fortnite (additional)
(2022) $245 million (refunds)
FTC ordered Epic Games to pay $245 million in refunds to consumers over dark pattern charges, in addition to the $275 million COPPA penalty. Combined total: $520 million.
Musical.ly (TikTok)
(2019) $5.7 million
Collected personal information from children under 13 without parental consent. Failed to delete children's data upon parental request. This was the largest COPPA fine at the time.
Google (YouTube)
(2019) $170 million
Collected persistent identifiers from children watching kid-directed content on YouTube channels without parental consent. Used the data to serve targeted advertising to children.
Most Common Violations
COPPA Privacy Policy: PolicyForge vs Generic Templates
Generic privacy policy generators don't address COPPA-specific requirements. They miss critical sections like parental consent mechanisms, children's data handling procedures, and app store kids category compliance. Here is how PolicyForge compares:
| Feature | Generic Templates | PolicyForge |
|---|---|---|
| COPPA-specific parental consent section | ✗ | ✓ |
| Verifiable parental consent method descriptions | ✗ | ✓ |
| Children's data collection disclosures | ✗ | ✓ |
| Parental access and deletion rights section | ✗ | ✓ |
| Apple Kids Category compliance | ✗ | ✓ |
| Google Designed for Families compliance | ✗ | ✓ |
| No behavioral advertising disclosure | ✗ | ✓ |
| GDPR children's provisions (Article 8) | ✗ | ✓ |
| Data minimization for kids section | ✗ | ✓ |
| Basic data collection disclosure | ✓ | ✓ |
| Contact information section | ✓ | ✓ |
| General GDPR/CCPA provisions | ✓ | ✓ |
Cost Comparison
| Provider | Price | Notes |
|---|---|---|
| Termly | $120/year | Annual subscription, generic template — no COPPA-specific sections |
| iubenda | $90/year | Pro plan required for apps, limited COPPA customization |
| TermsFeed | $89+ | One-time, but no kids-app-specific flow or parental consent language |
| A COPPA attorney | $2,000-5,000+ | Per document, specialized but expensive for indie developers |
| PolicyForge (Best Value) | $4.99 | One-time, COPPA-specific sections, parental consent clauses, app store kids category coverage |
Generate Your COPPA-Compliant Privacy Policy Now
PolicyForge generates privacy policies built for kids apps. Select your target age group, data collection practices, and parental consent method — get a policy that covers COPPA, app store kids category rules, GDPR children's provisions, and CCPA in under 2 minutes.
Already Have a Privacy Policy for Your Kids App?
Scan your kids app's privacy policy URL to check COPPA compliance, parental consent disclosures, data minimization, GDPR children's provisions, and app store requirements.
Frequently Asked Questions: COPPA Privacy Policies for Kids Apps
What is COPPA and does it apply to my kids app?
COPPA (Children's Online Privacy Protection Act) is a US federal law enforced by the FTC that applies to operators of websites, apps, and online services directed at children under 13, or that have actual knowledge they are collecting personal information from children under 13. If your app is listed in the Kids category on the App Store or Google Play, targets children in its marketing, features child-oriented content (cartoons, bright colors, simplified interfaces), or is likely to attract a primarily under-13 audience, COPPA almost certainly applies to you. The law applies regardless of where your company is based — if your app is accessible to US children, you must comply. Penalties are severe: the FTC can impose civil penalties of up to $50,120 per violation, and recent enforcement actions have resulted in fines exceeding $275 million (Epic Games, 2022).
What counts as 'personal information' under COPPA?
COPPA defines personal information more broadly than many developers expect. It includes: first and last name; home or physical address; email address; telephone number; Social Security number; any persistent identifier that can be used to recognize a user over time and across websites or apps (including device IDs, cookies, and IP addresses when used for tracking); a photograph, video, or audio file containing a child's image or voice; geolocation data sufficient to identify a street name and city; and any information combined with any of the above. This means that even collecting an advertising ID (GAID/IDFA), an IP address logged server-side, or a photo taken with the device camera constitutes collecting personal information from a child and triggers COPPA obligations.
Can I show ads in a kids app?
Yes, but only contextual ads — never behaviorally targeted ads. Under COPPA, you cannot use personal information (including persistent identifiers) to build profiles of children for advertising purposes. This means no personalized ads from AdMob, no Facebook Audience Network, no retargeting, and no interest-based ad targeting. You can show ads based on the content of the app itself (e.g., a math game showing ads for educational products) but not based on the child's browsing or usage behavior. On Apple's App Store, Kids Category apps face even stricter rules: no third-party advertising SDKs are allowed at all. Google Play's Families Policy restricts ads to Google-certified ad SDKs only and prohibits personalized advertising. Many developers choose to monetize kids apps through one-time purchases or parent-gated subscriptions rather than advertising.
How does COPPA interact with GDPR for kids apps available in Europe?
If your kids app is available in EU countries, you must comply with both COPPA (for US children) and GDPR (for EU children). GDPR's Article 8 sets the default age of consent for data processing at 16, though individual EU member states can lower it to as young as 13. The actual age varies: the UK, France, and others use 13; Germany and the Netherlands use 16; Italy uses 14; Spain uses 13. Under GDPR, you need parental consent for children below the applicable age of digital consent in their country. GDPR also requires a lawful basis for processing, data minimization, and grants children (through their parents) the right to access, rectify, and delete data. The key practical impact is that you may need separate consent flows for US users (under 13 per COPPA) and EU users (under 13-16 depending on country per GDPR). Your privacy policy must address both frameworks. PolicyForge Pro generates policies covering both COPPA and GDPR children's provisions in a single document.
What happens if my kids app violates COPPA?
COPPA violations carry serious consequences. The FTC can impose civil penalties of up to $50,120 per violation — and each instance of collecting a child's data without consent can be counted as a separate violation, meaning fines can accumulate to millions of dollars quickly. Recent enforcement shows the FTC is actively pursuing cases: Epic Games paid $275 million (2022), Google/YouTube paid $170 million (2019), Microsoft paid $20 million (2023), and Musical.ly/TikTok paid $5.7 million (2019). Beyond FTC fines, consequences include: mandatory deletion of all children's data collected without consent, required implementation of comprehensive privacy programs under FTC oversight for 20 years, removal from app stores (both Apple and Google will pull non-compliant kids apps), reputational damage and negative press coverage, and potential class-action lawsuits from parents. State attorneys general can also enforce COPPA, creating additional enforcement risk. The cost of compliance is trivial compared to the cost of non-compliance.