Children’s Online Privacy (COPPA) Compliance for Online Courses

Running an online course? If kids under 13 are signing up-even if it’s just one-you’re legally required to follow COPPA. It’s not optional. It’s not a suggestion. It’s federal law in the U.S., and the Federal Trade Commission (FTC) enforces it strictly. Ignore it, and you could face fines of up to $50,120 per violation. That’s not a typo. One accidental data collection from a 10-year-old could cost you more than a month’s revenue.

What COPPA Actually Requires

COPPA, the Children’s Online Privacy Protection Act, was passed in 1998 and updated in 2013. It doesn’t just apply to games or social media. It covers any website, app, or online service-including online courses-that collects personal information from children under 13. That includes names, email addresses, geolocation data, cookies, IP addresses, and even persistent identifiers like device IDs used to track behavior across sites.

Most course creators think: "I don’t collect any data." But if your course uses a login system, a quiz that saves progress, a comment section, or even a third-party analytics tool like Google Analytics, you’re collecting data. And if a child under 13 uses it, COPPA kicks in.

How to Know If Your Course Is Covered

Ask yourself these three questions:

1. Is your course aimed at children under 13? (Think cartoons, educational games, kids’ science experiments, or content with child-friendly characters.)
2. Do you have actual knowledge that a child under 13 is using your course? (For example, a parent signs up their 9-year-old, or a user enters "I’m 11" in a form.)
3. Is your platform generally recognized as directed to children? (Even if you don’t market to kids, if your content, colors, or language are clearly child-focused, the FTC considers it directed.)

If you answered yes to any of these, you’re subject to COPPA. There’s no gray area. You can’t say "I didn’t know"-the law holds you responsible if you should have known.

Step-by-Step Compliance Checklist

Here’s what you must do right now if you’re collecting data from kids under 13:

• Post a clear privacy policy on your course site. It must explain exactly what data you collect, why, and how it’s used. No legalese. Use plain language a parent can understand.
• Get verifiable parental consent before collecting any personal information. This isn’t just a checkbox. You need a method that proves the person giving consent is actually the parent. Options include: signed consent forms sent by mail or fax, video calls with a trained operator, government-issued ID verification, or credit card verification (where the parent is billed a nominal amount).
• Give parents control. They must be able to review their child’s data, delete it, and stop further collection. Your system must include a simple way for parents to do this-like a "Manage Child’s Account" button.
• Don’t collect more than you need. If your course doesn’t need an email to function, don’t ask for one. If you don’t need location data, turn off geolocation tracking. Less data = less risk.
• Use age gates carefully. A simple "Are you 13 or older?" checkbox is not enough. The FTC has ruled that these are easily bypassed. If you’re serious about compliance, you need a real verification system.

What Happens If You Don’t Comply?

The FTC doesn’t just send warning letters. In 2024, they fined a popular educational platform $3.5 million for collecting data from over 100,000 children without parental consent. The platform claimed they "didn’t realize" kids were using it. The FTC didn’t buy it. They pointed out the site had animated characters, colorful graphics, and child-friendly language-all clear signals that the service was designed for kids.

And it’s not just fines. If your course is hosted on a platform like Teachable, Thinkific, or Kajabi, they may suspend your account if they find COPPA violations. Your payment processor could freeze funds. Your reputation could tank.

How to Handle Mixed-Audience Courses

Many courses serve both adults and children. You can’t just block kids-you might be losing customers. But you also can’t ignore COPPA.

The cleanest solution? Build two separate access paths:

• One for adults (no data collection beyond what’s needed for billing or support)
• One for children under 13 (with full COPPA compliance: parental consent, limited data, clear policy)

Use a simple age verification screen at login: "Are you over 13?" If yes, proceed. If no, show a message: "This course requires parental consent. Contact [email] to set up a child account." Then route them to a separate, compliant portal.

Third-Party Tools You Can’t Ignore

You might think: "I don’t collect data-I use Teachable." But Teachable doesn’t handle COPPA for you. If you embed YouTube videos, use Google Analytics, or integrate a chatbot, those tools are collecting data too. And under COPPA, you’re responsible for everything on your platform-even if you didn’t build it.

Here’s what to audit:

• Analytics: Google Analytics, Hotjar, Mixpanel-turn off IP collection and anonymize data if kids are involved.
• Video platforms: YouTube’s child-directed mode must be enabled if you’re embedding videos for kids.
• Payment processors: Stripe, PayPal, and others may require separate agreements if you’re processing payments for minors.
• Chatbots and AI tutors: If they store messages or track usage patterns, they’re collecting personal information.

Every third-party tool needs its own COPPA review. Don’t assume they’re compliant. Ask them. Get it in writing.

Real Example: A Math Course That Got It Right

A small business called MathMates runs a popular online math course for grades 3-6. They didn’t want to lose their young students, but they also didn’t want to get sued.

Here’s what they did:

• Created a separate login portal for kids under 13
• Required parents to upload a signed consent form (PDF upload) or verify via video call with a staff member
• Only collected name, email, and progress data-nothing else
• Deleted all data after 30 days of inactivity
• Added a "Parent Dashboard" where moms and dads could see what data was stored and delete it with one click

They now have 12,000 active child users-and zero legal issues.

What About Outside the U.S.?

COPPA only applies if you’re collecting data from children in the United States. But if you have international students, you’re not off the hook. The EU’s GDPR for children (under 16) is even stricter. Canada’s PIPEDA, Australia’s Privacy Act, and others also have child-specific rules.

Best practice? Treat every child as if they’re under 13 and in the U.S. That way, you’re compliant everywhere.

Final Warning: Don’t Wait for a Lawsuit

The FTC doesn’t need a complaint to investigate. They scan the web. They monitor forums. They check course platforms. If your site has child-friendly design and collects any data, you’re on their radar.

Compliance isn’t about being perfect. It’s about being intentional. If you’ve built a course for kids, you owe it to their parents-and to your business-to do it right.