Online Safety Laws for Children and Teens: Part 1

About this series: 

This series offers a practical overview of the key U.S. laws that govern online privacy and safety for children and teenagers. It begins with the Children’s Online Privacy Protection Act (COPPA), passed by Congress in 1998 and first implemented by the Federal Trade Commission (FTC) in 2000, with major rule updates in 2013 and 2025. Together, these regulations form the foundation for how companies collect, use, and share data from children under the age of 13. The series also examines related federal laws, including the Children’s Internet Protection Act (CIPA, 2000), which governs schools and libraries; the REPORT Act (2024), which expands online exploitation reporting requirements; and current proposals such as the Kids Online Safety Act (KOSA) and the EARN IT Act, which aim to address risks facing teens. Each installment breaks down what these laws actually say, how they are enforced, and what they mean for families, educators, and young people navigating digital spaces today.

Thanks for reading this article from "Do as I say, not as I do!" Subscribe for free to receive new posts and support my work.

The Internet Goes Mainstream

By the late 1990s, the internet had transformed from a research network into a mainstream commercial space. Following Tim Berners-Lee’s release of World Wide Web software in 1991 and the arrival of user-friendly browsers like Mosaic in 1993, internet use expanded rapidly. By 1995, the U.S. lifted restrictions on commercial traffic, and millions of users, including children, were online. Companies like AOL and early kid-focused websites began collecting personal information, often without parental knowledge or consent. This rapid, unregulated shift from research tool to commercial platform prompted Congress and the FTC to take action, leading to the passage of the Children’s Online Privacy Protection Act (COPPA) in 1998.

Who Would Oppose Protecting Children Online?

In the late 1990s, the Federal Trade Commission conducted a series of studies to assess how children’s information was being handled online. In a testimony before Congress on September 23, 1998, the FTC reported that 

despite the growing use of the internet by children under 13. The agency acknowledged that some industry groups had attempted self-regulation, but concluded that

This finding was hardly surprising. Early internet companies operated under a “collect now, ask later” mindset, and without enforceable standards, commercial pressures almost always outweighed voluntary safeguards. The FTC’s testimony, based on empirical surveys and real examples, became a turning point. It reframed children’s online privacy not only as a consumer protection issue but also as a public responsibility that required federal intervention. (Source).

Industry Response: The Pushback Begins

Not everyone welcomed COPPA. While lawmakers framed children’s privacy as a public duty, early internet companies saw regulation as a threat to innovation and profitability. Some argued that compliance costs would disproportionately harm small businesses trying to build educational or entertainment platforms for kids. In a 1999 article, Wired reported that “start-up Web sites devoted to children [feared COPPA would force them] to charge for access or go out of business” because they could not afford formal mechanisms to verify parental consent. Larger companies worried, too. At a children’s digital media conference in 2000, several businesses said they were removing interactive features like chat rooms and instant messaging “to avoid the costs of complying” with COPPA. For some, it was easier to disable services than to protect kids’ data responsibly (source, source, source).

At the same time, some legislators questioned whether the FTC had assessed the law’s impact on smaller operators. In June 1999, representatives James Talent and George Gekas urged the FTC to slow down, arguing it had not sufficiently “studied the nature and significance of the small entities that will use the Internet for this purpose.” Despite these warnings, the Commission moved forward, concluding that without enforceable federal standards, the commercial web would continue to treat children’s personal data as a business asset rather than something to be protected.

The Doom That Never Came

Despite warnings from industry groups that COPPA would “crush innovation” or put child-focused websites out of business, the opposite happened. The decade following the 2000 implementation of COPPA produced some of the most successful and profitable children’s platforms (not to mention general technological and digital platform innovation) in history. YouTube launched in 2005 and quickly became the dominant home for children’s video content; by 2019, YouTube Kids reached more than 35 million weekly active users worldwide. Club Penguin, created in 2005, was acquired by Disney in 2007 for $350 million—an early signal that children’s online environments were more lucrative than ever (source). Roblox, launched in 2006 with a core user base of children under 13, grew into a multibillion-dollar ecosystem and went public in 2021 (source) with an initial valuation of roughly $45 billion. Even smaller platforms like Webkinz and Neopets flourished throughout the 2000s. Far from being “killed” by regulation, the children’s digital market grew rapidly, along with platforms that attracted children even though they weren’t designed for them (source)—underscoring that COPPA was never an existential threat, only a modest guardrail in a booming commercial landscape.

So…What is COPPA?

COPPA is a U.S. federal law (15 U.S.C. § 6501 et seq.) passed in 1998 that regulates how websites and online services collect personal information from children under age 13. (Source) It took effect in April of 2000.

Who does it apply to?

COPPA applies to “operators” of websites, apps, or online services that are:

• directed to children under 13, or

• have actual knowledge that they are collecting personal information from children under 13. (Source)

• 
  

What do operators have to do?

In essence, the rule (implemented by the Federal Trade Commission (FTC) under 16 CFR Part 312) requires four major practices:

1. Notice to parents and/or children. Operators must provide a clear and comprehensive online privacy notice that describes what information is collected, how it is used, and to whom it is disclosed. (Source)

2. Verifiable parental consent. Before collecting, using, or disclosing personal information from a child under 13, the operator generally must obtain verifiable parental consent. (Source)

3. Parental access and control. Parents must be able to review the personal information collected from their child, and refuse further collection or use of that information. (Source)

4. Data security and minimal collection. Operators must maintain the confidentiality, security, and integrity of personal information collected from children. They cannot require more personal information than reasonably necessary for a child to participate in an activity. (Source)

   
   

Why was COPPA created?

COPPA was designed in response to concerns that children under 13 were having their personal information collected online without their parents’ knowledge or consent. The law gives parents control over what data children can share online. (Source)

A few additional key points

• “Personal information” is broadly defined to include identifiers, geolocation, photos, videos, and, under the updated Rule, persistent identifiers and biometric data, as we will discuss in detail in a later post. (Source)

• The Rule covers not just child-directed sites but also general-audience sites that knowingly collect data from children under 13. (Source)

• Non-compliance can result in significant enforcement by the FTC. (Source)

Where COPPA Falls Short

Looking back, it’s clear that COPPA, though still considered landmark legislation, was never built for the world that arrived only a few years later. The law was passed before the introduction of the iPhone (2007), before Facebook opened to the public (2006), before YouTube launched (2005), and long before algorithmic recommendation systems, biometric tracking, behavioral advertising, or AI-driven platforms became central features of children’s online lives. COPPA drew a bright line at age 13, an arbitrary age chosen more for administrative simplicity than for developmental research, leaving teenagers without clear federal privacy protections even as they became the primary users of emerging social platforms. 

The resistance to COPPA’s passage was not an isolated moment; it was the beginning of a pattern that continues across the tech sector today. The same arguments once used by children’s content sites in 1998 (“regulation will kill innovation,” “we can self-police,” “kids will lose their favorite features”) reappear whenever new protections are proposed. Yet history shows these claims are unfounded: innovation has repeatedly flourished under modest guardrails, while children continue to face significant, well-documented risks online. Internal research from Facebook revealed active strategies to target teens, including those in emotional distress, with product features known to amplify vulnerability, and repeatedly violated COPPA laws (source). Recent reports have also documented children using AI chatbots for emotional validation, including in moments of crisis (source), with no required safeguards, oversight, or age-appropriate design standards (source). The “build fast and break things” culture that shaped the early web has not disappeared; it has simply scaled. Tech companies have shown, again and again, that they will not meaningfully regulate themselves. And as long as profit is tied to children’s data, attention, and emotional states, any effective system of protection will need to come from outside the industry, not from within it.

Enforcement has also been uneven: while the FTC has brought notable actions against major companies (source, source, source), most violations go undetected, and civil penalties often arrive years after the harm occurs. COPPA’s creation was an important first step. Still, the law’s narrow scope, reliance on parental consent, and limited enforcement mechanisms left fundamental questions unanswered, most importantly, whether the design of digital environments prioritizes children’s rights and wellbeing, or the commercial interests of companies that profit from their data.

(c) Soni Albright, 2025 — Do as I Say, Not as I Do

In the next part of this series, we’ll look at how COPPA has been updated over time and how the FTC has attempted to keep pace with the technologies shaping children’s online lives.

Soni Albright is a teacher, parent educator, curriculum specialist, researcher, and writer for Cyber Civics with nearly 24 years of experience in education. She has taught the Cyber Civics curriculum for 14 years and currently works directly with students while also supporting families and educators. Her experience spans a wide range of school settings—including Waldorf, Montessori, public, charter, and homeschool co-ops. Soni regularly leads professional development workshops and is passionate about helping schools build thoughtful, age-appropriate digital literacy programs. Please visit: 

https://www.cybercivics.com/parent-presentations