COPPA regulations affecting businesses and age verification

The internet age has brought numerous benefits and opportunities, but it also introduced  new challenges and risks, especially regarding data privacy and protection for minors. Various approaches to the policing of data privacy have been introduced over the previous two decades, and The Children's Online Privacy Protection Rule (COPPA) is one of the longest standing, signed into US law by President Bill Clinton in October, 1998. Understanding COPPA is vital for any business operating online in the US. Read on to learn about what COPPA is and how it affects businesses.

What is the Children's Online Privacy Protection Rule (COPPA)?

The Children's Online Privacy Protection Rule, commonly known as COPPA, is a federal law in the United States aimed at protecting children's online privacy. Specifically, it regulates how websites and online services can collect and handle personal information from children under 13 years of age, emphasizing the need for parental consent and stringent privacy practices. According to the Federal Trade Commission (FTC), who enforce COPPA: “The primary goal of COPPA is to place parents in control over what information is collected from their young children online.”

What do COPPA regulations mean for businesses?

COPPA regulation applies to a wide range of businesses, including all those who collect data from children under the age of 13. As described specifically by the FTC, COPPA regulation applies to:

  1. Operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that “collect, use, or disclose personal information from children.”
  2. Operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
  3. Websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

COPPA outlines specific requirements that those applicable must meet, including:

  • Providing clear and comprehensive privacy notices
  • Obtaining verifiable parental consent before collecting information
  • Offering parents the ability to review or delete their children's information
  • Implementing robust security measures to protect the information collected

Examples of COPPA fines

The Children's Online Privacy Protection Rule is enforced by the Federal Trade Commission (FTC), and failure to comply can result in significant penalties — up to $50,120 for each violation.


Microsoft’s Xbox division was proposed to pay a $20m fine in June 2023 for not obtaining parental consent for Xbox account data collection for users under the age of 13.


The Google company was fined $170m in 2019 for collecting personal information from viewers of child-directed channels, without first acquiring parental consent. 

Epic Games 

The creator of Fortnite was fined $275m in 2022 for collecting personal information from all players without verifying age. 

The importance of age verification

Privacy laws are becoming more complex – for example, state by state privacy laws, changes to COPPA and public opinion are all changing.  Age verification is a means of future-proofing your site, helping maintain compliance with laws that protect children.

According to identity industry analysts Liminal: “Suppose a website does want to market to children under the age of 13. Its operator would need to verify when a user is under that age. And if it wanted to store or use any data for such a user, the operator would also need to notify the user’s parent or legal guardian, and then verify their age.”

Implementing robust age verification processes aligns with both legal requirements and ethical business practices.

Why choose Onfido for age verification?

Identity verification and COPPA compliance

By confirming the identity of parents or guardians, businesses can responsibly obtain the required consent for interacting with children online. Identity verification safeguards the integrity of the process and helps businesses adhere to COPPA rules.

The FTC’s own guidance on COPPA suggests a number of acceptable verification methods:

  1. Use of a credit, debit card, or other payment instrument for a small transaction (it’s only sufficient that the credit card is used and that prior consent is given, as a credit card for example requires that users are at least 18 years of age).
  2. Verifying a government-issued photo ID such as a driver's license submitted by the parent, and comparing that photo to a Selfie or Video for biometric analysis.
  3. Verifying a parent’s identity by checking a form of government-issued identification against databases of such information (there are strict limits on data retention here).
  4. Knowledge-based verification through a series of challenge questions.
  5. Having the parent verify and provide consent through a telephone or video call.
  6. Email consent with additional verification steps (referred to as “email plus”).
  7. Mailing or faxing a printed consent form (the “print-and-send” method).

How can Onfido help meet COPPA requirements?

Navigating COPPA regulations may seem daunting, but Onfido is here to help. Our identity verification solutions enable businesses to verify the identities and ages of their end users through AI-powered document and biometric analysis. We simplify the process of verifying individuals on your platform so that you can address regulation with confidence.

COPPA regulations serve a vital role in safeguarding children's online privacy. Compliance with these rules is not merely a legal obligation but a sign of commitment to ethical and responsible business practices.

Onfido provides the tools and expertise to help businesses navigate the complex landscape of age verification regulation. Our tailored solutions ensure that you can focus on growing your business while adhering to the highest standards of privacy and security.