KidProof · Compliance guide
If your service targets children under 13 — or you know you collect their data — COPPA requires verifiable parental consent, data minimization, and parental review/delete rights. The FTC's 2025 amendments add separate opt-in for third-party sharing and a written retention limit. Penalties run to tens of thousands per violation.
This rule applies if you run an online service directed to children under 13, or knowingly collect their data. Collect data from anyone under 13? COPPA wants verifiable parental consent — and the FTC's 2025 rules just got stricter. Not sure? The free checker tells you in about a minute — no signup.
In practice, KidProof's checker looks at whether you can answer "yes" to each of these. Each one is a place sellers commonly get caught:
⚠️ Exposure: up to $51,744 per violation (FTC). Status: In force.
Statutory maximums are worst-case ceilings, not a prediction — but they're why this is worth ten minutes now.
It applies if your online service is directed to children under 13, or if you have actual knowledge you collect personal information from under-13s — including via plugins/SDKs you embed.
A method reasonably designed to confirm the consenting person is the parent — e.g. a signed consent form, a small card transaction, a government-ID check, or a video call. Keep a record of it.
Among other things: a separate opt-in before disclosing a child's data to third parties or using it for targeted advertising, and a written data-retention policy — you can no longer keep children's data indefinitely.
RuleGoose checks this against the COPPA Rule (16 CFR Part 312), as amended by the FTC in 2025. Read it yourself: eCFR — 16 CFR Part 312 (COPPA Rule) →
or get one RuleGoose Score across every rule that applies to you.
Informational only, not legal advice, and not affiliated with the FTC. Last reviewed 2026-06-28.