What Is COPPA? And Why It Should Change How We Build Everything.

COPPA ensures our children don't grow up with the same unawareness we did. But most apps don't meet even its basic requirements. Here's the truth - and why the standard we hold for our kids should be the standard we hold for everyone.

coppaprivacychild-safetyethicsconsulting

Let me be real with you.

COPPA, the Children’s Online Privacy Protection Act, has been federal law since 1998. And most of the apps your kids are using right now don’t meet it.

That’s not a scare tactic. That’s the data. But before we get into the numbers, let’s talk about why this matters.

Children really are our future. I know that sounds like a greeting card - but stay with me. In a world where technology moves lightyears faster than our ability to adapt, COPPA is one of the few moments where we as a society said: slow down. These are kids. Think about what you’re doing.

COPPA ensures we put our money where our mouth is. It forces us to look at what really matters. And the honest truth? It is not held to the importance it should be in the apps of the app store today.

So What Is COPPA?

The premise is simple, and it’s profound: children under 13 deserve protection online.

Before you collect their name, their location, their voice, their face, their habits - you need their parents’ informed, verifiable consent. You need to tell parents exactly what you’re collecting and why. You need to let them say no. You need to let them delete it. And you need to actually secure it.

That’s the bare minimum.

The Gap Between the Law and the App Store

Here’s what actually happens:

45% of children’s apps on Google Play have COPPA violations. 26% on Apple’s App Store. 81% of apps in Google’s own “Family” category use trackers - trackers that, by Google’s own policies, aren’t supposed to be there.

How? Because the system runs on self-certification. There is no government agency reviewing your app before it goes live. Both Apple and Google rely on developers to honestly declare who their app is for. A developer can build something that looks, feels, and markets itself to seven-year-olds and classify it as “general audience” to avoid COPPA entirely.

This is not a loophole. It is the front door.

How It’s Supposed to Work

There are two paths to COPPA compliance. The first is self-compliance: you implement every requirement yourself, and if the FTC investigates, you’d better have done it right. The second is certification through one of six FTC-approved Safe Harbor programs. Organizations like kidSAFE, PRIVO, or CARU that audit your app, review your data practices, and certify that you’re meeting the standard.

That certification is real. Comprehensive audits. Every SDK, every analytics tool, every ad network. Remediation. Ongoing monitoring. Public accountability.

But here’s the truth. Most apps never go through it. They self-declare. They check a box. They ship.

How They Get Around It

The methods are not sophisticated. They’re just unchallenged.

The “General Audience” Shield. COPPA applies to services “directed to children” or where the operator has “actual knowledge” of child users. So companies simply… claim they don’t know. They set a minimum age of 13 in their terms of service and declare the problem solved. Never mind that their entire design - the characters, the colors, the marketing - screams children. On paper? No child users here.

Age Gates That Gate Nothing. A date-of-birth field that a six-year-old can lie on is not parental consent. It’s a legal fig leaf. Research shows parents themselves often help their children bypass these gates - because the gates are designed to be bypassed. They exist to create plausible deniability, not protection.

The SDK Blind Spot. This is the big one - and it’s the one that keeps me up at night. A developer might genuinely try to build a safe app - and then embed a third-party advertising SDK that silently collects device IDs, geolocation, and behavioral data on every child who opens it. 19% of children’s apps use SDKs whose own terms of service prohibit use in child-directed apps. The SDK knows it shouldn’t be there. The developer either doesn’t know or doesn’t check.

The FTC said it plainly in September 2025: “Using a third party’s software in your app? Make sure you’re all complying with COPPA.” The developer is legally responsible for what their third-party code does. Most developers have never audited what their third-party code does.

Are People Really Upholding These Laws?

Let the enforcement record speak.

Epic Games (Fortnite) - $520 million. Collected children’s data without consent for two years. Employees raised concerns as early as 2017. The company refused to act. Voice and text chat were enabled by default - exposing children to harassment, bullying, and worse.

Google/YouTube - $170 million. Tracked children across child-directed channels to serve targeted behavioral ads. Earned an estimated $50 million from the practice.

TikTok - $5.7 million in 2019 - and a pending DOJ lawsuit alleging “unlawful, massive-scale invasions of children’s privacy” affecting millions.

Amazon (Alexa) - $25 million. Kept children’s voice recordings for years. Ignored deletion requests from parents.

HoYoverse (Genshin Impact) - $20 million. Collected children’s data without consent. Sold loot boxes to minors - an FTC Commissioner likened the practice to “virtual slot machines.”

These are the cases that made it to enforcement. The FTC brings a handful per year. There are hundreds of thousands of apps. The probability of any individual violator facing consequences is vanishingly small. And the fines - even the record-breaking ones - are often a fraction of what the violations earned.

What COPPA Doesn’t Cover - and Should

COPPA is a data collection law. It was written in 1998. It does not address:

  • Algorithmic manipulation: Recommendation engines that amplify harmful content to children. Eating disorders. Self-harm. Rage. The data feeds the algorithms, but the algorithms themselves? Unregulated.
  • Attention harvesting: Infinite scroll, autoplay, notification bombardment, streaks. Design patterns engineered to maximize screen time - built on decades of behavioral psychology research - deployed on developing minds.
  • Teens: COPPA protects children under 13. Thirteen-year-olds - arguably the most psychologically vulnerable digital users on the planet - have zero federal privacy protection. COPPA 2.0 would extend protection through age 16. It has not yet become law.
  • Mental health: There is a documented, direct line between platform data practices and the adolescent mental health crisis. COPPA does not address downstream harms. What companies do with what they collect - that’s a different fight entirely.

Our Part in This

We build apps. That means every line of code is a decision about what we value.

Every SDK we include or exclude. Every data point we collect or don’t. Every consent flow we design. Every age gate we build.

At Evoke, COPPA compliance is not a checkbox. It’s a design philosophy. We don’t collect what we don’t need. We don’t embed SDKs we haven’t audited. We don’t classify apps as “general audience” when we know children will use them. We don’t treat parental consent as a speed bump on the way to user acquisition.

We chose to pursue Safe Harbor certification. Not because the law required it for every product we build, but because the standard represents what the law intended. Real audits. Real accountability. Real protection.

And we did it because we believe the question isn’t “What can we get away with?”

The question is “What would we want if these were our kids?”

The Bigger Truth

Everything COPPA protects children from - unconsented data collection, opaque tracking, manipulative design, algorithmic exploitation - happens to adults every single day. We’ve just… stopped noticing. We click “I agree” without reading. We let apps track our location, our habits, our conversations, our faces. We feed the same algorithms. We scroll the same infinite feeds.

COPPA says: children deserve informed consent, data minimization, the right to deletion, and protection from exploitation.

I believe every human deserves that.

Not because it’s the law. Because it’s right.

The standard we hold for our children should be the standard we hold for ourselves. The floor should be higher for everyone. And until the law catches up, the builders have to lead.

That’s our part. That’s what we build toward. Let’s get there - together.

COPPA compliance deadline for the 2025 FTC Rule amendments: April 22, 2026. If you’re building an app that children may use, the time to act is now.

If you want to build something that respects the people who use it - all of them - let’s talk.

Sources

Statistics:

Enforcement Actions:

Regulation:

Chat with Echo

Hi, I'm Echo — an AI assistant for evoked.dev. I can answer questions about Erin's work, services, and projects. What would you like to know?