What Is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a US federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC). COPPA regulates the online collection of personal information from children under 13 years of age. It applies to operators of websites, online services, and apps, including survey platforms, that are directed at children or that knowingly collect information from children under 13. For research teams conducting surveys with minors, COPPA establishes strict requirements for parental consent, data minimization, and data security.
Who Needs to Comply?
- Survey platforms and online services directed at children under 13 or that knowingly collect data from children under 13, regardless of where the operator is based
- Research teams conducting studies that include child participants under 13 in the United States
- Canadian research teams surveying children in the US through online platforms, as COPPA applies based on the child's location
- Market research agencies conducting youth research, family research, or education research involving children
- Organizations subject to Canadian privacy law: while Canada does not have a direct COPPA equivalent, PIPEDA and provincial laws require additional protections for minors, and the OPC has issued guidance emphasizing children's privacy as a priority
Gray areas: COPPA's age threshold is under 13, but many research contexts involve participants aged 13-17 who are minors under other laws. GDPR sets the age for consent at 16 (with member states able to lower it to 13). Canadian law does not specify a fixed age for privacy consent, the OPC applies a "meaningful consent" standard that requires age-appropriate communication. Research ethics boards typically require parental consent for participants under 18, regardless of what privacy laws mandate. The safest approach is to obtain parental consent for all participants under 18 and to design age-appropriate processes for all minors.
Key Requirements for Research Teams
Verifiable Parental Consent
COPPA requires verifiable parental consent before collecting personal information from children under 13. "Verifiable" means the method must be reasonably calculated to ensure that the person providing consent is actually the child's parent or guardian. Acceptable methods include: a signed consent form (physical or electronic), credit card verification, a video call, government ID verification, or knowledge-based authentication. Simply asking a child to have a parent click "I agree" is not sufficient, the FTC requires mechanisms that create a meaningful barrier to children providing consent themselves.
Notice Requirements
Before collecting information from children, you must provide parents with direct notice of: what information will be collected, how it will be used, whether it will be disclosed to third parties, and the parent's right to refuse consent and have any collected data deleted. For survey research, this means sending a detailed notice to parents before the child accesses the survey, not simply including an information page within the survey itself. The notice must be clear, complete, and prominently placed.
Data Minimization
COPPA prohibits collecting more personal information from children than is reasonably necessary for the activity. For survey research, this means evaluating every question: is the data point genuinely required for the research objectives, or is it being collected out of convenience? Do not collect names, addresses, school names, or other identifiers from child participants unless the research design specifically requires them and the parental consent covers their collection.
Data Retention and Deletion
Personal information collected from children must be retained only as long as necessary to fulfill the purpose for which it was collected. Parents have the right to request deletion of their child's data at any time, and you must comply. Implement project-level retention schedules for child data and automate deletion where possible. The FTC expects organizations to demonstrate that child data is not retained indefinitely.
Canadian Requirements for Research with Minors
Canada does not have a direct COPPA equivalent, but PIPEDA and provincial laws require meaningful consent for data collection from minors. The OPC has stated that children may not have the capacity to provide meaningful consent and that parental consent should be obtained for younger children. The TCPS 2 (Tri-Council Policy Statement) requires specific protections for research with children, including age-appropriate assent processes (where the child agrees to participate in addition to parental consent), additional REB scrutiny, and enhanced confidentiality protections.
Compliance Checklist
- Determined the ages of participants and identified which jurisdiction's child privacy laws apply
- Verifiable parental consent is obtained before any data collection from children under 13 (COPPA) or under 18 (ethics board requirement)
- A direct notice has been provided to parents detailing data collection, use, disclosure, and deletion rights
- The parental consent mechanism is reasonably calculated to verify that the consenting person is the parent or guardian
- An age-appropriate assent process is provided for child participants (in addition to parental consent)
- Data collection is limited to what is reasonably necessary for the research purpose
- No more personal information is collected from children than from adult participants in a comparable study
- Data retention schedules are specified for child participant data, with automated deletion or review dates
- A process exists for parents to request access to, correction of, or deletion of their child's data
- Survey language and design are appropriate for the age group (reading level, question complexity, visual design)
- Research Ethics Board approval has been obtained with specific attention to child participant protections
- All team members with access to child participant data have received training on child privacy requirements
How This Compares to Other Frameworks
| Requirement | COPPA (US, under 13) | GDPR (EU, under 16/13) | PIPEDA + OPC Guidance (Canada) | TCPS 2 (Canadian Ethics) |
|---|---|---|---|---|
| Age threshold | Under 13 | Under 16 (or 13 per member state) | No fixed age, capacity-based | Under 18 (varies by REB) |
| Parental consent | Verifiable parental consent required | Parental consent/authorization required | Required when child cannot provide meaningful consent | Required for most research with minors |
| Consent method | Must be verifiable (defined methods) | Not specified beyond "reasonable efforts" | Meaningful consent standard | Documented process approved by REB |
| Child assent | Not required by law | Not specified | Not specified | Required when appropriate |
| Data minimization | Explicit, no more than necessary | General principle applies | General principle applies | Proportionality principle |
| Deletion rights | Parent can request deletion | Parent/child can request erasure | Access and correction rights | Defined in research protocol |
| Penalties | Up to $50,120 per violation (FTC) | Up to EUR 20M / 4% turnover | OPC investigation + Federal Court | REB can halt research |
How Quali-Fi Helps You Comply
Quali-Fi supports research with minors through configurable consent workflows that handle the multi-party consent process COPPA and ethics boards require. You can build two-stage consent flows where parents receive a detailed notice and provide verifiable consent before their child receives a separate, age-appropriate assent screen. The platform logs both consent events with timestamps and version tracking, creating the documentation needed for FTC compliance and ethics board reporting.
Data minimization is supported through survey design tools that make it easy to limit collection to essential data points, and through export configurations that can automatically exclude identifier fields from child participant datasets. Role-based access controls restrict who can view child participant data, and anonymization tools let you strip identifiers from datasets after data collection is complete. Retention management features support project-level deletion schedules, ensuring that child data is not retained beyond the approved period.
Quali-Fi's WCAG 2.2 AA accessibility compliance also supports age-appropriate survey design, clear layouts, readable text, keyboard navigation, and mobile-responsive design all contribute to surveys that younger participants can navigate independently. Combined with encryption, audit logging, Canadian data residency, and SOC 2 Type II certification, the platform provides the security infrastructure that both COPPA and Canadian privacy law require for the heightened protection of children's data.
FAQs
Does COPPA apply to Canadian research firms?
If your survey collects personal information from children under 13 who are located in the United States, regardless of where your firm is based. COPPA applies. A Canadian research agency conducting an online survey that includes US children under 13 must comply with COPPA's parental consent, notice, and data minimization requirements. For studies involving only Canadian children, PIPEDA and provincial laws apply, supplemented by TCPS 2 for ethics-reviewed research.
What about teenagers (13-17)?
COPPA does not cover teenagers 13 and older. However, GDPR's consent threshold is 16 (or as low as 13 per member state), and most research ethics boards require parental consent for participants under 18. From a practical standpoint, parental consent for all minors (under 18) provides the broadest compliance coverage and is consistent with ethics board expectations. Some market research codes (ESOMAR) also recommend parental consent for participants under 16.
Can I use an "I am over 13" age gate?
An age gate alone does not satisfy COPPA if you have reason to know that children under 13 are participating. If your survey targets youth, families, or education audiences, an age gate is insufficient, you need actual age verification and parental consent for under-13 participants. The FTC has taken enforcement action against organizations that relied on easily bypassed age gates while knowingly collecting children's data.
Related Compliance Topics
- Consent Management in Surveys. Multi-party consent flow design
- Research Ethics Compliance, Ethics board requirements for vulnerable populations
- PIPEDA Compliance for Research. Canadian privacy baseline for child data
- GDPR for Researchers. EU child privacy provisions
- WCAG Accessible Surveys. Age-appropriate accessible design
- Indigenous Data Sovereignty. Community consent frameworks