    COPPA and children's privacy for mobile apps

    Apps aimed at, or used by, children carry an extra layer of obligation that catches many developers off guard, and it is not optional. In the US, COPPA governs collecting data from children under 13, the app stores add their own children's-privacy rules on top, and getting it wrong risks both regulatory action and removal from the store. The core ideas are simple: get parental consent, minimize data, and do not target kids with behavioral ads. The details, however, matter. This is a high-level overview to orient you, not legal advice; confirm the specifics for your app with a professional.

    Short answer

    COPPA, the US Children's Online Privacy Protection Act, requires apps directed at children under 13, or that knowingly collect personal information from them, to obtain verifiable parental consent before collecting that data, provide a clear privacy notice, minimize what they collect, and let parents review and delete their child's data. Per the FTC's COPPA guidance, the app stores add their own rules: Apple's Kids Category and Google Play's Families policy restrict data collection, advertising, and SDKs in children's apps. If your app targets or attracts children, comply with COPPA and the platform policies, get parental consent, minimize data, and avoid behavioral ads to kids. This is general information, not legal advice.

    What you should know

    • COPPA covers under-13 data: consent is required before collecting it.
    • Verifiable parental consent: needed before collecting a child's personal info.
    • The stores add rules: Apple Kids Category and Google Play Families policy.
    • Minimize data and ads: limited collection, no behavioral ads to children.
    • It is enforced: by regulators and by the app stores, with removal possible.

    What is COPPA, and who does it apply to?

    It is a US law protecting the personal information of children under 13. COPPA applies to apps and online services that are directed at children under 13, and to general-audience apps that knowingly collect personal information from children under 13, so it can apply based on your audience even if children are not your primary target. Where it applies, you generally must give clear notice of what you collect and how, obtain verifiable parental consent before collecting personal information from a child, collect only what is reasonably necessary, give parents the ability to review and delete their child's information and to refuse further collection, and keep the data secure. Other regions have their own children's rules, such as the GDPR's protections for minors in the EU, which can set the threshold higher. The throughline is that children's data gets heightened protection and a consent requirement that general-audience data does not.

    What do the platform children's policies require?

    Stricter rules layered on top of the law. The table summarizes them.

    Platform program | What it requires
    Apple Kids Category | Strict limits on data collection, third-party analytics and ads, and external links; a parental gate
    Google Play Families policy | Compliance for child-directed apps, certified ad SDKs, and limits on collecting persistent identifiers from children
    Both | Age-appropriate content and handling, and accurate audience targeting

    Apple's Kids Category imposes tight constraints, including restrictions on third-party advertising and analytics that handle personal data and on links out of the app, with a parental gate for sensitive actions. Google Play's Families policy applies to apps that target children and requires using certified ad SDKs and limiting the collection of persistent identifiers and other data from children. So even beyond the law, distributing a children's app means meeting the store's specific children's-privacy requirements, and misrepresenting your audience to avoid them is itself a violation.

    How do you comply?

    Determine your audience, then apply the protections. First, assess honestly whether your app is directed at or likely to attract children under 13, since that determines whether these rules apply; do not mislabel a kid-attracting app to avoid them. If they apply, give a clear privacy notice, obtain verifiable parental consent before collecting a child's personal information, and minimize what you collect to what the app genuinely needs. Avoid behavioral or personalized advertising to children, use only certified or compliant ad and analytics SDKs, and disable data collection that is not permitted, since a third-party SDK can collect data that breaks compliance. Provide parents a way to review and delete their child's data, and meet the specific requirements of the Apple Kids Category or Google Play Families policy if you distribute there. Because this is a legal area, confirm your approach with a qualified professional, as this is not legal advice.

    What to watch out for

    The first trap is assuming the rules do not apply because children are not your target, when knowingly collecting data from under-13s, or being directed at them, triggers COPPA regardless. The second is a third-party SDK collecting data or serving behavioral ads to children, which is your responsibility and a common compliance break. The third is misrepresenting your audience to dodge the platform children's policies, which is itself a violation. Compliance is a legal and product matter. A pre-submission scan such as PTKD.com (https://ptkd.com), which reads your app against OWASP MASVS, supports the data-minimization side by surfacing what your app and SDKs collect, but the legal sufficiency needs a professional, since this is not legal advice.

    What to take away

    • COPPA requires verifiable parental consent, notice, data minimization, and parental review and deletion for apps directed at or knowingly collecting data from children under 13.
    • The app stores add stricter rules, Apple's Kids Category and Google Play's Families policy, on data collection, advertising, and SDKs in children's apps.
    • Assess your audience honestly, get parental consent, minimize data, avoid behavioral ads to kids, use compliant SDKs, and meet the platform policies.
    • A pre-submission scan such as PTKD.com supports data minimization by showing what your app and SDKs collect; consult a professional for legal sufficiency, since this is not legal advice.

    Frequently asked questions

    What is COPPA and when does it apply?
    COPPA is the US Children's Online Privacy Protection Act, protecting the personal information of children under 13. It applies to apps directed at children under 13 and to general-audience apps that knowingly collect personal information from under-13s, so it can apply based on your audience even if children are not your main target. Where it applies, you generally need notice, verifiable parental consent before collecting a child's data, data minimization, and a way for parents to review and delete the data. This is not legal advice.
    What do the app stores require for children's apps?
    Stricter rules on top of the law. Apple's Kids Category imposes tight limits on data collection, third-party analytics and advertising that handle personal data, and links out of the app, with a parental gate. Google Play's Families policy applies to child-directed apps and requires certified ad SDKs and limits on collecting persistent identifiers and other data from children. Distributing a children's app means meeting these store requirements, and misrepresenting your audience to avoid them is itself a violation.
    Can a third-party SDK break my children's-app compliance?
    Yes, and it is a common cause. An ad or analytics SDK that collects data or serves behavioral ads to children can break COPPA and the platform children's policies, and because you ship and are responsible for the SDK, that becomes your violation. So for a children's app, use only certified or compliant SDKs, disable data collection that is not permitted, and avoid behavioral advertising to kids. Audit what your SDKs collect, since a dependency can undermine an otherwise compliant app.
    How do I comply with children's privacy rules?
    Assess honestly whether your app is directed at or likely to attract under-13s, since that determines whether the rules apply, and do not mislabel a kid-attracting app to avoid them. If they apply, give clear notice, obtain verifiable parental consent before collecting a child's personal information, minimize data, avoid behavioral ads to children, use compliant SDKs, provide parents review and deletion, and meet the Kids Category or Families policy. Confirm the specifics with a qualified professional, since this is not legal advice.
    How does a security scan relate to children's privacy?
    Compliance is largely legal and product, so it is not something a binary scan determines, but the data-minimization side is supported by one. A pre-submission scan such as PTKD.com reads your app against OWASP MASVS and surfaces what your app and its SDKs collect and send, which helps you minimize data and spot an SDK collecting more than a children's app should. The legal sufficiency of your COPPA and platform compliance still needs a qualified professional, since this is not legal advice.
