Think and Save the World

COPPA, GDPR-K, and what comes next


The 1998 negotiation that set the under-13 line

COPPA's under-13 threshold was not a developmental finding. It was a compromise between industry, which wanted a high age cutoff to limit obligations, and child advocates, who wanted a low cutoff to maximize protection. Thirteen emerged because it tracked the age at which most platforms self-imposed account-creation minima in the mid-1990s, which themselves derived from the Children's Online Privacy Protection Act's draft language. The number became circular. It has stuck because changing it requires statute and Congress has not amended the substantive age provision in 27 years. Other jurisdictions inherited or rejected the line: GDPR-K offers 13-16; the UK Code uses 18 with tiered protections; Quebec's Law 25 distinguishes under-14 with specific consent rules. The 1,000-page manual treats the under-13 line as the most consequential arbitrary number in technology law.

Actual knowledge versus constructive knowledge

COPPA applies when an operator has "actual knowledge" of a user being under 13. The FTC has tried to expand this to "constructive knowledge" — platforms cannot wilfully avoid information that would tell them — but the statutory text limits how far the agency can go. The YouTube case (2019) reached settlement partly because YouTube's marketing materials to advertisers had described its under-13 audience, which the FTC argued amounted to actual knowledge regardless of self-declared user ages. The settlement forced YouTube to treat all content "made for kids" as if all viewers were children, with no behavioural advertising or comments. The case demonstrated both COPPA's reach and its absurdity: a child watching the same video on a sibling's logged-in account receives different protection than on a "kids" account. The architecture is leaky by design.

The verifiable parental consent menu

The FTC's COPPA Rule lists acceptable methods of verifiable parental consent: signed form returned by mail, fax, or electronic scan; credit-card or debit-card transaction; toll-free phone call; video conference; government ID matched to identity database; knowledge-based authentication; face-match to ID photo. Each method has known weaknesses. Credit-card $0 charges are routinely defeated by 11-year-olds with parents' cards. Signed forms are routinely forged. Knowledge-based authentication relies on data brokers whose accuracy is mediocre. The FTC opened a "VPC Rulemaking" in 2024 to consider adding new methods (digital identity wallets, parental-consent management platforms) and tightening others. The rulemaking is the most consequential COPPA proceeding in a decade. Parents and parent-advocacy groups have submitted comments. The outcome will reshape compliance practice industry-wide.

The Irish DPC bottleneck

The General Data Protection Regulation's "one-stop-shop" mechanism routes most cross-border enforcement against US tech platforms through the Irish Data Protection Commissioner because the platforms' EU headquarters are in Ireland. The DPC has been criticized by other European DPAs and civil-society groups for slow investigations, small initial fines, and frequent reversals on EDPB appeal. The Schrems II decision, the TikTok cases, and the Meta cases have all flowed through Dublin. Whether the DPC's enforcement is adequate is contested; what is undisputed is that European-wide enforcement velocity is gated by an agency of approximately 200 staff. Reform proposals — direct EDPB enforcement, lead-authority rotation, US-style federal preemption with state co-enforcement — circulate. None has been adopted. The bottleneck shapes the practical meaning of GDPR-K.

Behavioural advertising and the Norwegian Consumer Council

The Norwegian Consumer Council's 2018 "Deceived by Design" report and subsequent work on dating-app data flows produced the most consequential civil-society analysis of behavioural advertising's children's-data dimension. The methodology was forensic: trace where Grindr, OkCupid, and dating-app data flowed (answer: hundreds of brokers), then show how analogous flows operate for children's apps. Norwegian regulators acted; EDPB followed. The episode demonstrated that civil-society research can move enforcement faster than statute, when the research is forensic, public, and reproducible. US analogues — Mozilla's Privacy Not Included guides, EFF's Privacy Badger telemetry, Consumer Reports' digital lab — exist but are smaller. Parents who fund or support these labs are funding the most direct mechanism of children's-privacy enforcement available outside government.

The Age-Appropriate Design Code template

The UK Information Commissioner's Office Age-Appropriate Design Code (2020) set fifteen standards for online services likely to be accessed by children: privacy by default, data minimization, no detrimental use, no nudging into low-privacy settings, transparency at age-appropriate reading level, parental controls disclosed to the child, profiling off by default, geolocation off by default, connected toys subject to the same standards. The Code is enforceable via the UK GDPR. California, Maryland, Connecticut, and several other US states have copied substantial portions. The Code is the most influential children's-privacy instrument of the last decade because it specifies architecture, not outcomes. The First Amendment vulnerabilities of California's version do not extend to the Code's data-minimization provisions, which is why those provisions are surviving in state-law successors.

School-issued device complications

When a child uses a school-issued device, three sets of privacy rules apply simultaneously: COPPA, FERPA (the Family Educational Rights and Privacy Act), and the Children's Internet Protection Act. The interaction is complex. FERPA gives parents access to educational records but exempts certain school-vendor relationships. CIPA requires filtering but does not specify surveillance. COPPA applies to the apps and services the device accesses. Vendors operating in this stack — Google Workspace for Education, Microsoft 365 Education, Clever, ClassDojo, Khan Academy — each have different data-processing agreements with school districts, which parents rarely see. The Student Data Privacy Consortium has standardized some agreements; many remain bespoke. Collective parenthood at the school-district level — through PTAs, board comments, public-records requests — is the most accessible point of intervention most parents have.

IoT toys and the under-discussed front

Smart speakers, AI-enabled dolls, connected pet trackers used near children, smart-home cameras pointed at nurseries, and child-targeted wearables collect data continuously and often transmit it to cloud services with minimal disclosure. The FTC's 2017 enforcement against VTech ($650K) and 2023 enforcement against Amazon Alexa ($25M for retaining children's voice data) addressed pieces of the problem. The market has continued to grow. The 2024 wave of AI-enabled plush toys — Moflin, Embodied's Moxie, several Chinese-market entrants — extended the data-collection surface further. Parents who buy these products generally do not read the privacy policies; the products generally do not flag that they record continuously. Regulatory enforcement here lags the product cycle by years.

COPPA 2.0 and the federal-bill paralysis

COPPA 2.0 (the Markey-Cassidy Children and Teens' Online Privacy Protection Act) would raise the protected age to 16, ban targeted advertising to minors, create an eraser button, require data minimization, and establish a Youth Privacy and Marketing Division at the FTC. It has been introduced in successive Congresses since 2019. It has passed the Senate. It has not received a House floor vote. The reasons are structural: House Republicans have controlled the relevant committees during periods when the bill was advanced; House Democrats have controlled them during periods when other priorities consumed floor time; the bill's industry opposition is well-funded; and the bill is frequently paired with KOSA, whose civil-liberties opposition complicates the coalition. The paralysis is not because the policy is wrong. It is because the political alignment has not held.

State preemption fights

Industry has lobbied for state-law preemption — a federal floor that overrides stricter state laws — as part of any federal privacy bill, including children's-privacy provisions. State AGs and consumer advocates have resisted, arguing preemption would lock in a weak federal standard. The American Privacy Rights Act (APRA), introduced in 2024, included preemption with carveouts for specific state laws. The bill stalled partly on preemption. The drafting question is whether a strong federal floor (data minimization, behavioural-advertising bans, robust enforcement) can be combined with preemption that lifts protection in weak-law states without lowering it in strong-law states. The drafting is hard. The politics are harder. Parents who care more about ceiling than floor will accept preemption; those who care more about state innovation will resist.

AI-specific successors

The next generation of children's-data law will address AI training corpora, AI companion services, AI tutoring, generative content involving minors, and on-device inference. The DSA's general AI provisions, the EU AI Act's specific children's-protection clauses, California SB 243 (AI companions), and several proposed federal bills (KOSA's AI amendments, the Markey-Welch AI Disclosure Act) are early drafts. The architectural moves likely to appear in mature successors: training-data exclusion rights for content involving minors, mandatory red-team testing of AI products marketed to children, prohibition of persuasive-design techniques in AI companions targeting minors, mandatory transparency about which AI models a service uses. Most of this drafting is happening in state legislatures because federal action remains stalled. Parents who want to influence these drafts should engage at state level now.

What the next ten years will demand of collective parenthood

A serviceable agenda: (1) pass a federal data-minimization statute with under-17 protections, behavioural-advertising bans, and meaningful enforcement budget; (2) reform COPPA's actual-knowledge standard and VPC mechanisms; (3) extend GDPR-K-style age-appropriate design across US states via the AADC template; (4) build school-district capacity to evaluate edtech vendor data practices; (5) fund civil-society forensic labs that produce the evidence regulators rely on; (6) include children's voices in legislative drafting, not just adults speaking for them; (7) coordinate internationally to prevent jurisdiction-shopping by platforms; (8) sunset and review every children's-privacy statute on a five-year cycle. None of this is glamorous. Some of it is being done. Most of it is not. The 1,000-page manual asks parents to treat it as the multi-decade civic project it is.
