Analysis · 7 min read · April 5, 2026

Children's Privacy and E-Commerce: COPPA and State Laws

Why Children's Privacy Matters for E-Commerce

If your online store could attract visitors under 13 — or under 16 or 18 in some states — you have heightened privacy obligations. Children's data receives special protection under both federal and state law, and the penalties for violations are among the steepest in privacy enforcement.

Even if your products are not marketed to children, if a child could reasonably visit your site and provide personal information, you need to understand your obligations.

Federal Law: COPPA

The Children's Online Privacy Protection Act (COPPA) is the foundational federal law governing children's privacy online. Enforced by the FTC, COPPA applies to:

  • Websites and online services directed to children under 13
  • General audience websites and services that have actual knowledge that they are collecting personal information from children under 13

What COPPA Requires

If COPPA applies to you, the requirements are strict:

  • Verifiable parental consent — You must obtain verifiable consent from a parent or guardian before collecting, using, or disclosing a child's personal information
  • Privacy policy — You must post a clear, comprehensive privacy policy describing your data practices for children's information
  • Parental rights — Parents must be able to review their child's data, request deletion, and revoke consent
  • Data minimization — You may not collect more information than is reasonably necessary for the child's participation in an activity
  • Security — You must maintain reasonable security procedures for children's data
  • No behavioral advertising — You cannot use children's personal information for targeted advertising without verifiable parental consent

What Counts as "Personal Information" Under COPPA?

COPPA's definition is broad:

  • Full name, home address, email address, phone number
  • Screen name or username (if it functions as online contact information)
  • Social Security number
  • Persistent identifiers that can recognize a user over time (cookies, device IDs, IP addresses) — when used for purposes other than internal operations
  • Photos, videos, or audio files containing a child's image or voice
  • Geolocation data sufficient to identify a street or city
  • Any information combined with any of the above

This is critical for e-commerce: If your site uses cookies, analytics, or ad tracking that assigns persistent identifiers to visitors, and a child visits your site, those identifiers may constitute "personal information" under COPPA.

COPPA Penalties

The FTC takes COPPA enforcement seriously. Recent penalties include:

  • Epic Games (Fortnite) — $275 million in 2022 for COPPA violations
  • Google/YouTube — $170 million in 2019
  • TikTok (Musical.ly) — $5.7 million in 2019

Penalties can reach $50,120 per violation as of 2023, and each affected child can constitute a separate violation.

State Laws Extending Protections Beyond COPPA

Several states have enacted laws that go beyond COPPA's protections, either by raising the age threshold or adding new requirements.

California Age-Appropriate Design Code Act (CAADCA)

California's CAADCA is a landmark law that applies to online services "likely to be accessed by children" — defined as anyone under 18. Key requirements:

  • Data Protection Impact Assessments (DPIAs) required before offering new products or features likely to be accessed by children
  • High privacy settings by default — Privacy settings must default to the most protective option for child users
  • No dark patterns — You cannot use design features that encourage children to provide more data or lower their privacy settings
  • Profiling restrictions — Profiling children is restricted unless you can demonstrate it is in the child's best interest
  • Age estimation — You must estimate the age of users with a "reasonable level of certainty" to determine which protections to apply

Connecticut

Connecticut's privacy law includes specific provisions for children's data, requiring opt-in consent for processing the personal data of consumers the business knows are between 13 and 16 years old.

Other States

Several other states (including Texas, Oregon, and Maryland) include provisions requiring opt-in consent for selling or processing data of consumers known to be under 16 or 18, depending on the state.

Practical Implications for E-Commerce

Do You Sell Products for Children?

If your store sells children's clothing, toys, school supplies, or other products clearly intended for children, your site is likely "directed to children" under COPPA. You must either:

  1. Implement full COPPA compliance — Verifiable parental consent, children's privacy policy, parental access rights, etc.
  2. Age-gate your site — Prevent children from creating accounts or providing personal information without parental involvement

General Audience Stores

If your store sells general audience products, you are not automatically subject to COPPA unless you have actual knowledge of child users. However:

  • Do not ignore obvious signals — If a customer's age or birthdate indicates they are under 13, you have actual knowledge
  • Account creation — If you collect birthdates during registration, implement age checks and block data collection for children
  • Marketing lists — If you purchase or rent marketing lists, ensure they do not include children's data

Age Verification Approaches

Depending on your risk profile, consider these approaches:

  • Age gate at registration — Ask for birthdate and block accounts for users under 13 (or under 16/18 for applicable state laws)
  • Neutral age screening — Present age questions in a way that does not encourage children to lie about their age (do not say "you must be 13 to use this site" before asking)
  • Age estimation technology — For higher-risk applications, consider age estimation tools that use AI to estimate whether a user is a child

Steps to Take Now

  1. Assess your risk — Determine whether your products, content, or marketing could attract child visitors
  2. Review your data collection — Understand what personal information you collect from all visitors, including persistent identifiers
  3. Implement age checks — If you allow account creation, include an age verification step
  4. Update your privacy policy — Include a section on children's privacy, explaining your practices and COPPA compliance
  5. Train your team — Ensure customer service and marketing staff understand the heightened rules for children's data
  6. Audit third-party tools — Verify that analytics, ad tech, and other third-party services on your site are not collecting children's data in violation of COPPA
  7. Monitor state laws — Age-appropriate design codes and expanded children's privacy laws are spreading to more states
