Privacy laws regulating the collection and other processing of children’s personal information are an increasingly compliance-heavy area in what is an already incredibly dynamic and complex privacy law landscape. There are many laws, ranging from the Children’s Online Privacy Protection Act (COPPA) on the federal level in the United States, state-specific laws with components that regulate children’s data, or international frameworks that have compliance applications for children’s personal information; the considerations are varied. Much of the analysis when it comes to which privacy laws must accounted for will involve identifying the processing types as well as jurisdictional applications based on the residency of the children in question. Where the processing is in the educational context, such as with education technology (EdTech), targeted advertising, or online games and apps, there is a broad application of children’s compliance obligations when children’s data is at play.
Several Key Children’s Privacy Laws
While there is an ever-expanding number of privacy laws regulating children’s personal information, there are several key laws that often come into play in many scenarios, which we overview below:
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in 1998 to protect the privacy of children under 13 years old. The Federal Trade Commission (FTC) enforces COPPA, which requires websites and online services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, among other compliance obligations. The FTC is currently in the process of proposing amendments to COPPA, which aim to expand the scope of COPPA to require separate opt-in consent for targeted advertising, prohibit conditioning a child’s participation in the collection of personal information, limit data retention, and strengthen data security requirements.
New York Child Data Protection Act
The New York Child Data Protection Act mandates that operators of online services collecting personal data from minors delete such data within 30 days unless they comply with COPPA or obtain informed consent. The act also restricts the provision of addictive feeds to minors and enforces overnight notification bans without parental consent.
California’s Consumer Privacy Act (CCPA)
California, a first-mover on the state level when it comes to comprehensive privacy laws, has one of the most mature and robust privacy laws, including compliance obligations when processing children’s data. For example, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), states that for certain processing, such as in the context of selling or for targeted advertising, if a business knows that the individual is under the age of 16, they must get “affirmative authorization” (“opt-in”) for the sale or “sharing” for targeted advertising of the child’s personal information. Further, for children under the age of 13, “opt-in” consent to such sale or “sharing” must be had from the child’s parent or guardian.
Colorado Privacy Act Amendments
Effective October 1, 2025, the Colorado Privacy Act includes enhanced protections for minors’ data, prohibiting its use for targeted advertising, selling, or profiling without consent. It also mandates data protection assessments for services posing heightened risks to minors.
General Data Protection Regulation (GDPR)
The GDPR, enforced in the European Union (with a similar law in the United Kingdom post-Brexit), includes specific provisions for the protection of children’s data. A significant portion of GDPR fines involve violations related to children’s privacy, highlighting the importance of robust compliance measures for businesses operating in the EU.
California Age-Appropriate Design Code Act (CAADCA)
The CAADCA, effective July 1, 2024, imposes strict obligations on businesses providing online services likely to be accessed by children under 18. It requires companies to implement privacy by design principles and imposes severe penalties for non-compliance.
Sectors of Particular Risk
While any processing of children’s data requires additional compliance considerations, there are several sectors that are increasingly in the crosshairs of regulators and, therefore, need even more stringency, including the following:
Education Technology (EdTech)
The FTC has increased its enforcement of COPPA against EdTech providers. Companies must ensure that they do not collect more personal data than necessary and must obtain verifiable parental consent. Recent actions against Edmodo highlight the importance of compliance in this sector.
Targeted Advertising
Businesses involved in targeted advertising must navigate stringent consent requirements and prohibitions on using children’s data for advertising purposes. The FTC’s settlement with OpenX and proposed COPPA amendments and state laws, like California’s CCPA and Colorado’s Privacy Act, emphasize the need for separate opt-in consent for targeted advertising to children.
Online Games and Apps
Online games and apps frequently attract young users, making compliance with children’s privacy laws critical. Recent enforcement actions against companies, like the FTC’s record-breaking half-a-billion dollar settlement with Fortnite, underscore the severe consequences of non-compliance, including substantial fines and operational bans.
Children’s Privacy Regulatory Enforcement and Private Actions
With the increasingly ubiquitous data processing of children, regulators ranging from the federal government to state enforcement, as well as international regulators, are ramping up enforcement for non-compliance with children’s privacy laws, including some of the most notable enforcement actions we overview below:
FTC Enforcement
The FTC has been active in enforcing children’s privacy laws, as seen in cases against Edmodo and NGL Labs. These actions often result in significant settlements and operational restrictions, emphasizing the importance of compliance.
GDPR Fines
GDPR enforcement has led to substantial fines for social media platforms, such as the large fine levied against Instagram and the Irish data protection regulator’s case against TikTok for allegedly mishandling children’s data. These fines highlight the rigorous standards and severe penalties associated with GDPR compliance.
Depart of Justice and State Actions
The FTC, via a referral to the U.S. Department of Justice, has sued TikTok for illegally collecting children’s data and failing to comply with COPPA. This lawsuit exemplifies the potential legal ramifications for companies that violate children’s privacy laws. State attorneys general are also active in enforcing non-compliance with how companies use children’s data, as was illustrated in the case brought by Arkansas against Meta and TikTok.
Helping Clients Navigate COPPA and Other Children’s Privacy Compliance
At RICHT, we are privacy-focused technology lawyers helping clients stay ahead of the ever-changing compliance curve, including when it comes to data processing involving the personal information of children. Whether it is COPPA, GDPR, or state laws such as the CCPA, we help guide clients to success while accounting for and mitigating risk.
Learn How We Can Help You Comply With Children’s Privacy Laws
Children’s Privacy Law Resources
- Children’s State Privacy Law Update and Tracker
- Guide to Navigating COPPA
- Complying with COPPA: Frequently Asked Questions
- How Will Contextual Advertising Fare When The FTC Revises Its COPPA Rule?
- Implementing Kids’ Privacy Protections Around The World: The PerfectPetPal Case Study
- Was Tilting Point Media’s Children’s Privacy “Nautical Nonsense”?
- Instagram Rolls Out Teen Accounts With Privacy, Parental Controls As Scrutiny Mounts
- Texas Attorney General Sues TikTok Over Alleged Sale of Minors’ PII