Do I need COPPA compliance for my kids app?
Building a free AI tutor for kids looks friendly and low-risk, and the thing most builders miss is that the moment children under 13 use it and you collect their data, COPPA requires verifiable parental consent before you collect anything. The wall here is not the tutoring. It is the personal information you take from children, and the specific consent you have to get first. A free price tag does not lower the bar, and emailing parents later is not the same as getting their consent up front.
The card above is a real result from a compliance check. The idea tested was a synthetic example: a free AI tutor app for kids that helps with homework, creates a profile for each child, tracks progress, and emails parents weekly summaries, aimed at students aged 8 to 14. The profile was a solo founder based in the US. The result was a needs review signal, not a blocked one, because a kids app is a compliance regime rather than a banned activity. The condition is the set of duties below.
What COPPA actually requires
COPPA applies to an online service directed to children under 13, or one whose operator has actual knowledge it collects personal information from under-13 children. When it applies, you must give parents a clear notice and obtain verifiable parental consent before you collect, use, or disclose a child's personal information.
This is the assumption that trips up most kids products. "It is just a tutor" feels harmless. But a profile for each child, progress tracking, and anything tied to an individual kid is personal information under COPPA. Collecting it from an under-13 child without verifiable parental consent first is the violation, regardless of how useful the feature is.
Sources: FTC, Children's Online Privacy Protection Rule (COPPA) and FTC, Complying with COPPA: Frequently Asked Questions.
"Ages 8 to 14" is the trap
COPPA covers children under 13, and an app aimed at "students aged 8 to 14" squarely includes them. Serving 13 and 14 year-olds as well does not exempt the under-13 users. A mixed-age range does not buy you a pass.
You have two honest paths. Screen ages with a neutral age gate, one that does not nudge kids to lie about their age, and apply COPPA to everyone who comes through as under 13. Or treat all of your users as under 13 and build to COPPA across the board. What you cannot do is point at the teenagers in your range to wave away the children in it.
Why a parent's email is not consent
The single most common mistake is treating "we email the parents" as consent. It is not. Sending parents a weekly summary keeps them informed after the fact. COPPA requires verifiable parental consent before you collect the child's data, using a method the FTC accepts as reliable proof that the person consenting is actually the parent.
Approved methods include a signed consent form returned to you, a credit or debit card transaction, a check of a government-issued ID, a video call, or a knowledge-based challenge. Having a parent's email address is none of these. The consent has to come first, and it has to be verifiable.
What changed in 2025
The FTC finalized amendments to the COPPA Rule in January 2025, and they tighten what a kids app has to do. Three changes matter most for a builder:
- A separate opt-in is required to disclose a child's data to third parties or to use it for targeted advertising. Behavioral ads to children are off by default, and you cannot cut off access if a parent declines that separate consent.
- The definition of personal information expanded to include biometric identifiers and government-issued identifiers.
- You must limit how long you keep a child's data to what the stated purpose needs, and maintain a written data retention policy.
If your plan involves any third-party analytics or ad pipeline touching kids' data, that is exactly what the 2025 changes put a separate consent in front of.
Source: FTC, Final Rule changes to the Children's Privacy Rule (January 2025).
The myth versus what the law does
| The common assumption | What COPPA actually does | |
|---|---|---|
| "It is free, so it is low-risk" | A free app has less exposure | COPPA turns on collecting children's data, not on price |
| "We email the parents" | Parents are in the loop, so we are fine | A parent's email is not verifiable parental consent |
| "We serve ages 8 to 14" | A teen range avoids the kid rules | Under-13 users are squarely COPPA; a mixed range does not exempt you |
| "A privacy policy covers it" | One privacy policy is enough | COPPA needs verifiable consent, a specific notice, retention limits, and the 2025 opt-ins |
The line the engine draws
The engine flagged this as needs review, not blocked, because a kids app is a compliance regime, not a forbidden one. The line is who uses the product and whose data you hold.
A tool children use directly, or that tracks a child's grades or personal data, is in COPPA scope. A homeschool planner built for parents, or a tool for teachers, that does not collect children's personal information is not, even though the topic is education and children. Designing so that you either do not collect children's personal data, or collect it only after verifiable parental consent, is what moves you off the gated activity.
If you are a solo founder on a small budget
The cost here is not the AI tutor. It is the consent flow, the parent-facing notice, the retention controls, and the 2025 opt-ins, plus keeping kids' data out of any third-party pipeline that is not covered. That is why a compliance check returns this kind of idea as needs review rather than a clean pass.
If that is heavy for your stage, these are not workarounds. They are different products that change the duty:
- If you target under-13 children, build verifiable parental consent in from day one and treat it as a launch requirement, not a later add-on.
- Or aim the product at parents or teachers as the users, and avoid collecting children's personal data directly.
- Or restrict to users 13 and over with a real age gate, which moves you out of COPPA, though some state minor-privacy laws can still apply.
Each of these changes whose data you hold and how you obtained consent, which is what changes the duty.
How to validate before you build
The result shown above came from Tovrio, a compliance check that runs an idea against country specific rules before you write code. The idea tested was a synthetic case, not a real user. The result was a needs review signal with the reasons named here.
This is a validate before you build signal, not legal advice. A flag means "go confirm this with a privacy professional before you commit," not "your specific plan is definitely unlawful." You can run your own idea through it.
Frequently asked questions
Do I need COPPA compliance for my kids app?
If children under 13 use your app and you collect personal information from them, yes. COPPA requires verifiable parental consent before you collect, use, or disclose a child's personal information. A per-child profile and progress tracking are personal information, so a kids tutoring app that under-13s use directly is squarely in scope.
What is verifiable parental consent under COPPA?
It is consent the FTC considers reliable to confirm that the person consenting is the child's parent, obtained before you collect the child's data. Approved methods include a signed consent form, a credit or debit card transaction, a government ID check, a video call, or a knowledge-based challenge. Simply having a parent's email address does not meet the standard.
Does COPPA apply if my app is for ages 8 to 14, not just under 13?
Yes, for the under-13 users. COPPA covers children under 13, and a range of 8 to 14 includes them. Serving older teens as well does not exempt you. You either screen ages with a neutral age gate and apply COPPA to the under-13 users, or you treat all users as under-13.
Is emailing parents the same as getting COPPA consent?
No. Emailing parents weekly summaries keeps them informed but is not verifiable parental consent. COPPA requires an approved consent method, completed before you collect the child's data, not a notification sent after collection has already happened.
What changed in the COPPA Rule in 2025?
In January 2025 the FTC finalized changes. A separate opt-in is now required to disclose a child's data to third parties or to use it for targeted advertising, with behavioral ads off by default and access not conditioned on that consent. Biometric and government-issued identifiers are now treated as personal information. Operators must also limit how long they keep children's data and maintain a written retention policy.
Does COPPA apply if I am a solo founder or based outside the US?
It can. COPPA turns on whether you collect personal information from children under 13 in the US, not on where you are located or your company size. A solo founder anywhere who runs a service that US under-13 children use, and that collects their data, is subject to COPPA.
Run your own idea through Tovrio before you build. See how it works.