What is COPPA? What every founder needs to know before a product launch

You just built the perfect product, an educational tool for kids. You shared it on Product Hunt, Reddit, and social media. Launch day was a win. Signups came fast. People paid. Momentum was real.

Then, a few days later, the FTC showed up in your inbox.

You’re under investigation for marketing to children under 13 without parental consent. And now you’re staring down the barrel of fines that could bury your startup. All because of a law you probably didn’t know existed: COPPA.

The Children’s Online Privacy Protection Act might sound like a niche rule, but it applies far more broadly than you’d think. If your app collects data, runs ads, or even looks like it might attract young users, you’re already in risky territory.

Here’s what every founder should know before hitting publish.

What Is COPPA?

The Children’s Online Privacy Protection Act (COPPA) is a U.S. law passed in 1998 and enforced by the Federal Trade Commission (FTC). It sets rules for how websites and online services are allowed to collect personal information from kids under 13.

It’s not just about games or apps for toddlers. COPPA covers any digital product that targets children or knowingly collects data from them. That includes analytics, ad platforms, and any tool that involves tracking.

Ignore it, and you could face fines of up to $43,280 per child, per violation.

What Counts as “Personal Information” Under COPPA?

Founders often assume they’re in the clear if they’re not asking for names or emails. That’s a risky assumption.

COPPA casts a wide net. It considers the following as personal information:

• Full name
• Home address
• Email address
• Phone number
• IP address
• Location data
• Usernames
• Persistent identifiers (cookies, device IDs, tracking pixels)
• Photos, audio, or video content

If your product uses ad tracking, analytics, or anything that builds a user profile, you’re likely collecting data covered by COPPA.

What Triggers COPPA Compliance?

You’re subject to COPPA if:

1. Your product is built for kids under 13
2. You know that users under 13 are using your product

The FTC doesn’t just look at your site’s age fields—they assess how your product looks, reads, and markets itself. This includes visuals, wording, subject matter, and even the channels you use to promote it. If your site features bright colors, cartoon characters, fun voices, school-related themes, or anything that resembles a Saturday morning cartoon, it could be seen as targeting children, even if that wasn’t your intention.

Even if you’re not actively collecting data, third-party scripts or tools embedded on your site might be doing it for you. That’s why it’s critical to audit not just your content, but the technologies running behind the scenes. What seems harmless could raise a red flag with regulators.

Real-world implication: If your product has cartoonish design, fun characters, or content that appeals to kids, the FTC might interpret it as “directed at children.”

Even if you don’t mean to, you could trigger COPPA and be banned from:

• Running ads
• Using Google Analytics
• Retargeting users

Even worse: if you’re using third-party tools like tracking pixels or behavioral analytics, those might be collecting data without your knowledge, and you’ll still be held responsible.

What You Can’t Do Without Parental Consent

If your app or site falls under COPPA, and you haven’t gotten verified parental consent, you’re not allowed to:

• Collect personal data from kids under 13
• Run interest-based ads
• Use tracking tools like pixels or cookies
• Ask for names, emails, or phone numbers
• Let kids submit content like photos or audio

Real-World Examples

In 2019, YouTube was hit with a $170 million fine for tracking the viewing habits of children without parental consent. The platform had knowingly served behavioral ads to users under 13—something that COPPA explicitly forbids. TikTok followed shortly after with a $5.7 million settlement for collecting personal data from children without proper notice or consent.

But these headlines aren’t limited to household names. Several smaller edtech startups and gaming platforms have been caught in similar violations. Some were fined. Others were forced to pivot or shut down entirely.

This isn’t just about punishing bad actors at the top. It’s a warning to every founder: COPPA applies to you, too.

How Founders Can Protect Themselves

If your product might appeal to kids:

• Add an age gate when users sign up
• Post a clear disclaimer saying it’s not for children under 13
• Avoid kid-friendly design unless you’re fully compliant
• Don’t collect user data or run ads unless you have verified parental consent
• Review your third-party tools and scripts carefully

How to Be COPPA-Compliant

Here’s a practical checklist to stay on the right side of COPPA:

• Know your audience — if there’s any chance kids under 13 will use your product, proceed with caution
• Add an age gate to prevent underage users from accessing features that collect personal info
• Don’t run behavioral ads without verified parental consent
• Avoid using tracking tools like Google Analytics, Meta Pixel, or ad SDKs unless you’re confident they’re COPPA-safe
• Display a clear disclaimer that your product is not intended for children under 13
• Make your privacy policy easy to find and written in plain language
• Avoid cartoonish branding or messaging that might appeal directly to kids
• Keep detailed records of consent if you’re building for kids and using data

Following these steps won’t make you invincible, but it’ll keep you way ahead of most founders who aren’t paying attention.

Bottom Line

COPPA is easy to overlook and expensive to ignore. If you’re building anything online that collects user data or could attract kids, it’s on you to make sure you’re in the clear.

Know the rules. Watch your design. And launch with eyes open.