Children's Online Privacy Protection in the Home
Children's online privacy in the home sits at the intersection of federal law, parental responsibility, and the technical architecture of connected devices. The Children's Online Privacy Protection Act (COPPA) establishes enforceable obligations on commercial operators, but the practical burden of compliance and protection falls heavily on household environments where children access the internet daily. This page describes the regulatory framework, how protections operate in practice, the scenarios where coverage applies or lapses, and the boundaries that determine when federal law governs versus when household-level controls are the primary line of defense.
Definition and scope
COPPA, codified at 15 U.S.C. §§ 6501–6506 and administered by the Federal Trade Commission (FTC), applies to operators of commercial websites and online services directed to children under 13, or any general-audience operator with actual knowledge it is collecting personal information from a child under 13. The Rule requires verifiable parental consent before collecting, using, or disclosing a child's personal information.
Personal information under COPPA includes full name, home address, email address, phone number, Social Security number, persistent identifiers (such as cookies or device identifiers used to track children across sites), photographs, geolocation data, and audio files. The FTC updated the COPPA Rule in 2013 to explicitly add these data categories, reflecting the expansion of mobile and connected-device ecosystems.
The home environment is the dominant context in which children encounter COPPA-covered services. Smart televisions, tablets, gaming consoles, voice assistants, and smart home devices all represent potential data-collection surfaces. COPPA's jurisdiction extends to the operator, not the household — meaning the law regulates what a service provider must do, not what a parent must configure. Household protections are a separate operational layer.
How it works
COPPA compliance follows a structured sequence of obligations placed on operators, which in turn defines what households can expect from compliant services:
- Notice: Operators must post a clear and comprehensive privacy policy describing data practices directed at children, including the types of information collected and the purposes for which it is used.
- Verifiable parental consent: Before collecting personal data from a child under 13, operators must obtain consent through a mechanism that reasonably ensures the person providing consent is the parent. Accepted methods include signed forms, credit card verification, toll-free phone calls, and video conferencing.
- Data minimization and retention limits: Operators may collect only as much information as is reasonably necessary for the activity, and must retain data only as long as necessary to fulfill that purpose.
- Parental access and deletion rights: Parents retain the right to review their child's personal information, request deletion, and refuse further collection — rights that operators must honor upon verified request.
- Prohibition on conditioning participation: Operators cannot require a child to disclose more personal information than is necessary to participate in an activity as a condition of use.
The FTC enforces COPPA through civil penalties. Violations can reach up to $51,744 per violation as of the 2023 adjusted penalty schedule (FTC Civil Penalty Adjustments). High-profile enforcement actions, including a 2019 settlement with Google and YouTube totaling $170 million (FTC Press Release, September 2019), demonstrate active regulatory posture.
At the household level, parental controls and cybersecurity tools operate as a complementary layer. Router-level filtering, device-level restrictions, and account supervision extend coverage to situations COPPA does not address — such as peer-to-peer communications, household-shared accounts, or services based outside U.S. jurisdiction.
Common scenarios
Child-directed apps and gaming platforms: Applications explicitly targeting children under 13 — such as educational games, animated content services, and children's social platforms — fall squarely under COPPA. Operators must obtain parental consent before account creation. Parents interacting with these services should expect a consent mechanism before any data collection begins.
General-audience platforms with age gates: Large platforms like social networks typically use self-reported age gates to filter out users under 13. These systems are not technically robust; a child entering a false birth year bypasses the gate. COPPA holds the operator liable only when it has "actual knowledge" of a child user. This gap represents the most common privacy exposure in residential environments and is addressed through family online safety practices rather than federal law alone.
Voice assistants and smart speakers: Devices such as Amazon Echo or Google Home, when used by children, may collect voice recordings. The FTC and the Consumer Financial Protection Bureau have examined data practices for these devices. Voice assistant privacy risks in the home extend beyond COPPA to include continuous ambient recording, third-party skill operators, and data retention by cloud providers.
School-issued devices used at home: Devices provided by schools for remote learning carry separate obligations under the Family Educational Rights and Privacy Act (FERPA), administered by the U.S. Department of Education (FERPA). FERPA governs educational records; COPPA governs commercial data collection. These frameworks overlap when ed-tech vendors collect personal information from students.
Decision boundaries
The key distinctions that determine which framework governs — and which protections apply — are structured around operator type, age, and context:
| Condition | Governing Framework | Household Action Required |
|---|---|---|
| Commercial service directed at children under 13 | COPPA (FTC enforcement) | Verify parental consent mechanism exists |
| General-audience service, child uses false age | COPPA does not apply (no actual knowledge) | Household controls and supervision |
| School-issued device, educational data | FERPA (Dept. of Education) | Review school's data sharing agreements |
| Non-U.S.-based service operator | COPPA jurisdiction unclear; limited enforcement | Home network security basics and DNS filtering |
| Child over 13 using adult-oriented services | COPPA does not apply | Two-factor authentication and account monitoring |
Distinguishing between COPPA-covered operators and unregulated services is the central challenge. COPPA does not govern peer communications, content shared between private users, or services operated outside commercial contexts. For exposures outside COPPA's scope, protections depend on securing home WiFi, device-level access controls, and proactive account management.
The FTC's COPPA guidance for parents is published at ftc.gov/coppa, and the full Rule text appears at 16 C.F.R. Part 312.
References
- Federal Trade Commission — COPPA Rule (16 C.F.R. Part 312)
- FTC COPPA Guidance and Enforcement
- 15 U.S.C. §§ 6501–6506 — Children's Online Privacy Protection Act (GovInfo)
- FTC Civil Penalty Adjustments
- FTC Press Release — Google/YouTube $170M Settlement, September 2019
- U.S. Department of Education — FERPA
- FTC COPPA Parent and Consumer Information