Children's privacy and COPPA
The Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule regulate the online collection of personal information from children under 13 in the US. They require verifiable parental consent and restrict tracking on child-directed services. This page explains how COPPA shapes analytics choices for sites and apps aimed at children.
What COPPA covers
COPPA applies to operators of websites and online services directed to children under 13, and to operators with actual knowledge they are collecting personal information from such children. The FTC's COPPA Rule treats persistent identifiers used to recognise a user over time and across services — including cookies and device IDs used for tracking — as personal information.
Covered operators generally must provide notice, obtain verifiable parental consent before collection, and honour data-minimisation and deletion duties.
Effect on analytics
On a child-directed service, deploying tracking analytics that sets persistent identifiers can require verifiable parental consent, which is impractical for general measurement. A narrow exception exists for the operator's internal operations — support for the service itself — but it does not extend to behavioural advertising or cross-service tracking. The safe path is minimal, aggregate, non-tracking measurement.
- Persistent identifiers can be 'personal information'
- Verifiable parental consent generally required before collection
- Internal-operations support is narrow; ad tracking is not covered
How it appears in analytics and logs
Persistent identifiers placed on a child-directed service can be 'personal information' under COPPA, so unconsented analytics tracking there is a compliance risk.
Diagnostic use case
Determine whether a service is child-directed and, if so, restrict analytics and tracking identifiers to what COPPA permits with verifiable parental consent.
What WebmasterID can help detect
WebmasterID's aggregate, identifier-light model is the kind of low-data measurement that fits constraints on tracking children's personal information.
Common mistakes
- Assuming analytics cookies are exempt on child-directed sites.
- Relying on a self-declared age gate without real diligence.
- Stretching the internal-operations exception to ad tracking.
Privacy and accuracy notes
This page is educational and not legal advice. COPPA applies to operators of child-directed services and those with actual knowledge of child users; assess applicability carefully.
Related pages
- User-ID tracking and its privacy cost
User-ID analytics assigns a persistent identifier — often a logged-in account ID — so sessions across devices and over time can be joined into one profile. It answers cross-device questions that cookieless measurement cannot, but the cost is real: it creates durable, identifiable personal data with full data-protection obligations. Whether the insight justifies the surface is the trade-off. This is educational, not legal advice.
- Data minimisation in analytics
Data minimisation is the principle that personal data should be adequate, relevant, and limited to what is necessary for the purpose. In analytics it translates to: do not collect identifiers you will not use, prefer aggregates over per-person rows, and avoid storing precise values like full IPs. Minimising at collection beats trying to protect data you never needed. This is educational, not legal advice.
- Cookieless analytics: how it works and its limits
Cookieless analytics records visits and events without setting cookies or persistent cross-site identifiers. It relies on first-party, server-side signals and aggregate counting. The trade-off is honest: it cannot follow an individual across sessions the way cookie-based tracking can — which is exactly the point for privacy-first measurement.
- Privacy-first analytics
Identifier-light measurement for sensitive audiences.
Sources and verification notes
- FTC — Children's Online Privacy Protection Rule (COPPA)Official COPPA Rule text and guidance.
- FTC — Complying with COPPA: Frequently Asked QuestionsPersistent identifiers and internal-operations exception.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.