Guide to Navigating COPPA


Recommendations for compliance in an increasingly regulated children’s media environment



Children are now one of the fastest growing online audiences and UNICEF reports more than 175,000 kids globally go online for the first time every day. As a result, lawmakers across the U.S. and around the world have been monitoring young people’s online well-being and are increasingly focused on doing more to protect children and teens from potential online abuse and privacy violations.

As lawmakers look to strengthen the laws that protect children’s data and consider creating additional rules that extend protections to minors 13 years old and above, companies should reevaluate their approach to children’s data.

The Children’s Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission (FTC), is the global gold standard in data privacy rules for children. Though the law is 20 years old, the momentum for COPPA enforcement has only increased due to heightened consumer awareness of privacy breaches and precedents set in litigation against ad buyers and sellers. In September 2019, for example, YouTube received a $170 million fine for COPPA violations.

As the pace of COPPA enforcement actions has significantly increased in recent years, IAB is taking a fresh look at the practicalities of compliance in the advertising industry. This IAB COPPA Guide is created to provide guidance and recommendations to the media and marketing community for compliance with COPPA in a continually evolving interactive advertising ecosystem.

This guide is the output of the IAB Data Benchmarks & Activation Committee specifically prepared by the COPPA Working Group to bring much-needed education about these regulations and how to navigate the current media environment. This document explains COPPA, provides recommendations to brands, advertising technology providers, and publishers, and acts as a resource for the media industry.

Although we have made efforts to ensure the accuracy of the material in this guide, it should not be treated as (and does not constitute) legal advice, nor should it be used as the basis for formulating legal or business decisions without individualized professional advice. We make no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this guide and IAB assumes no liability of any kind resulting from the use or reliance upon its contents.

For detailed information on COPPA visit www.ftc.gov.

Understanding Existing Children’s Data Privacy Laws



  • COPPA is a U.S. federal law passed in 1998 that’s been in effect since April 2000. The rules implementing COPPA were then amended substantially in 2013. The law regulates the collection of personal information from children under 13 by online services including websites, advertising, and mobile apps. It spells out what data may not be collected from children without parental consent, how to seek verifiable consent from a parent before collecting any personal information, and what responsibilities businesses have to protect children’s privacy and safety online.
  • COPPA is enforced by the Federal Trade Commission (FTC) and by state Attorneys General, who have the power to fine companies (domestic and foreign) that are in breach.
  • The definition of personal information under COPPA is different than the definition of personal information under other privacy statutes.
    • Under COPPA, personal information includes anything that can be used to track a child across sites, apps, or devices. Persistent identifiers (e.g., cookies, IDFAs, Google ad IDs, fingerprints), precise geolocation, full IP addresses, full referrer URLs, full user agents, photos, videos, and voice recordings of children are all considered personal information.
  • Under COPPA, if you need or seek personal information from a child (other than in limited circumstances), you must obtain verified parental consent (VPC) before collection. Information on how to obtain consent is included in this document. For most advertising use cases, consent is difficult to obtain at scale, so the best practice is to apply zero-data strategies.
  • In practice, COPPA prohibits behavioral advertising, retargeting, or user profiling on most websites and apps that are directed to children.

Safe Harbors

  • COPPA includes a provision which enables industry groups, commercial ventures, or others to develop their own COPPA oversight programs, known as Safe Harbor programs. Examples are the Children’s Advertising Review Unit (CARU), the Entertainment Software Rating Board (ESRB), Privo, and the kidSAFE Seal Program. The FTC maintains a current list of approved Safe Harbor organizations on its COPPA website.
  • A Safe Harbor organization may audit, monitor, or otherwise provide compliance guidance to its participating companies. For example, a company may seek Safe Harbor certification to have a product or process audited or to certify that its website or app meets the COPPA standards.
  • One benefit of certifying with a Safe Harbor program is that, in most circumstances, a disciplinary review for a COPPA violation will allow for a cure period instead of a formal FTC investigation.

CCPA, GDPR-K, and Global Children’s Data Privacy Laws


  • Passed in June 2018, the California Consumer Privacy Act (CCPA) is the most comprehensive privacy law in the U.S. The law applies to any company that does business in California and meets certain minimum thresholds. CCPA goes into effect on January 1, 2020.
  • In addition to a broad set of rights (e.g., access, deletion, and opt out of sale) that apply broadly to the personal data of all consumers, the law prohibits selling personal information of a consumer under 16 without opt-in consent.
  • Under the CCPA, consent can be obtained in one of two ways, depending on the age of the child:
    • Children between the ages of 13 and 16 can directly provide opt-in consent themselves. For kids over 16, it is an opt-out model.
    • Children under 13 require parental consent, like COPPA.
  • Companies that fall within the jurisdiction of the CCPA still must comply with COPPA.


  • The General Data Protection Regulation (GDPR) applies to companies that process EU data subjects’ personal data, regardless of whether they are established in the EU or not, and regardless of where the data processing takes place. GDPR recognizes that children’s personal data should be afforded special protection because kids may be less aware of the risks and consequences of data sharing. The sections of the GDPR that relate to kids’ data are often shortened to the acronym GDPR-K.
  • By default, GDPR requires parental consent to process the personal data of children in situations where consent is relied upon as the legal basis for the processing of personal data.
  • Under GDPR-K, a user under 16 is considered a child, although this can be lowered by individual member states:
    • Germany, Italy, and Ireland use the age of 16
    • Norway, Spain, Sweden, and the United Kingdom have lowered this to 13
  • In practice, GDPR-K prohibits behavioral advertising, retargeting, or user profiling on most websites and apps that are offered to children (i.e., any service that does not actively dissuade or prevent children from using it).

Because COPPA is the gold standard for global data privacy laws for children, our Working Group has decided to focus on COPPA.

The Advertising Industry Is Obligated to Comply with COPPA

Regardless of the role your company plays in advertising transactions or content creation and distribution, you are obligated to adhere to kids’ data privacy laws if:

  • You are an operator and your online service is child-directed.
    If your website, app, microsite, section of your site, or any kind of online service is targeted to appeal to children, then it is considered child-directed, and you are obligated to treat every visitor to this service as if they are a child and comply with COPPA. This is true even if they are accessing the service from a shared device or a device that is predominantly used by an adult. Classifying a service as child-directed is subjective, but requires consideration of factors such as whether it features characters popular with kids, vocabulary intended for kids, products that are appealing to kids, etc. Note that regulators are increasingly challenging digital services that classify themselves as general audience services and are expected to put more onus on service providers to prove that they do not have large audiences of children.
  • You are an operator of an online service and you have actual knowledge.
    If you obtain knowledge that your user (e.g., a visitor to your website or user of your app) is under 13, then you are obligated to abide by COPPA for this user. This is called actual knowledge, which can be gained by a user attempting to pass through an age gate, a user telling your customer service team his or her age, or by users under 13 being visible on the platform (e.g., in user-generated content).
  • You are a third party and you have actual knowledge.
    Third parties in the digital ad ecosystem (i.e., not the actual operators of the online service) will be subject to COPPA only if they have actual knowledge that they are collecting personal information directly from users of another website or online service that is directed to children. Although urged to do so from many industry commenters, the FTC provided little guidance as to when a plug-in or advertising network would be deemed to have actual knowledge that it is collecting information through a child-directed site or service, stating instead in commentary to the rules that:

COPPA applies to any covered online service, regardless of the device on which it is accessed.

  • Covered services accessed on computers, phones, tablets, gaming consoles, OTT devices, smart TVs, virtual assistants (e.g., Alexa), and IoT devices (e.g., talking toys) are all subject to COPPA. Regardless of whether the device is considered a shared device — a smart TV, a tablet, or a streaming service — it is the online service being accessed and the in-moment user that dictate whether COPPA must be followed. For example, if a child user goes to www.nickjr.com using a laptop predominantly used by a mom for work, the site and its ads must adhere to COPPA because the user is under 13 and the site is child-directed.


COPPA: Frequently Asked Questions

Can I advertise to children? And can I include ad-supported content for kids?

Yes. You may recall TV commercials from your childhood with memorable lines like “Mikey likes it,” “Silly rabbit,” and “Taste the rainbow.” These ads were appealing, they were powerful, and they were an integral part of Saturday morning cartoons. So it shouldn’t surprise us that kids of all ages today are also interested in new movies, snacks, toys, clothes, shoes, trips, electronics, and other products they like to use. And when they see something they like advertised, they ask their parents to buy it.

From 2011 to 2017, the time kids spent on digital devices grew tenfold, according to Common Sense Media. That means when we advertise to children today, digital is a critical component of their media diet. Generation Alpha, the name given to children of Millennials born between 2010 and 2025, will have a vastly different digital experience in their childhood than preceding generations. According to Forbes, Generation Alpha will soon be more than 2 billion individuals strong and will influence between $130 and $670 billion a year in household purchases. Meanwhile, Pew Research Center reports that teens who are 15-17 years old today spend 56% of their leisure time in front of a screen.

Regardless of the age of the children you are advertising to, context matters. While COPPA does not prohibit advertising to children, it states that you may not collect any personal information (which includes cookies and other persistent identifiers) from children under 13 years of age without verifiable parental consent. This is intended to stop, among other things, the behavioral advertising, retargeting, and profiling of children under 13.

  • As an advertiser, COPPA prohibits you from using any personal information collected from children without parental consent — which essentially requires you to use strictly zero-data advertising technology or certified ‘kidtech’ to deliver your advertising on a contextual basis only.
  • As a content owner, COPPA restricts you to contextual advertising with partners that do not collect any personal information from children.

What should I know about the market for advertising to kids online?

There are three macro trends when it comes to advertising to children in digital media:

  • It’s big — and getting bigger. PriceWaterhouseCoopers estimates the digital media market for children will grow to $1.7 billion by 2021. Kids were also 40% of new internet users in 2018, making them one of the fastest-growing audiences online.
  • It’s regulated. Around the world, governments have legislated data privacy and safety protections for kids’ digital experiences.
  • It’s changing. The momentum for governments and commercial platforms to protect kids is only increasing. Between 2016 and 2019 alone, new data protection laws or bills have been proposed in China, India, and Australia and enforcement has begun of GDPR-K in Europe. In the U.S., amendments to COPPA are being discussed in Congress, and the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. In 2019, Google, Apple, and Facebook announced changes to their policies and platforms that recognize kids as an audience that requires special treatment.

What are the demographics of children online and what devices do they use?

Access to electronic devices, and therefore advertising, begins very early in a child’s life. eMarketer reports over 36% of children under the age of two have access to tablets and smartphones.


What is the role of the COPPA flag in programmatic advertising?

Part of IAB’s OpenRTB specification, the COPPA flag is an attribute of a bid request that signals whether that request is for the opportunity to serve an ad to a child protected by COPPA. (It is the publisher issuing the bid request who has determined whether the user is a child.) The flag will have a value of 1 if the user is a child subject to COPPA, and a value of 0 otherwise. This flag allows media buyers to programmatically decide whether to make a bid and whether they can use tracking and targeting technologies with that impression.

What is kidtech?

In general, kidtech describes the infrastructure, products, and services used to power children’s digital experiences including advertising. Increasingly advertisers, agencies, content creators, and monetization platforms on both the buy-side and the sell-side have employed kidtech to manage and ensure compliance with COPPA.

What KPIs are used in marketing to kids and what does this mean for the ad creative?

Engagement is typically the core key performance indicator for children’s marketing, as a responsible and effective message to kids should encourage interest and excitement for products. This means the language for reaching children and adults should be different. For example, while adults might be encouraged to buy or shop, children should be encouraged to learn, play, or explore.


By embedding privacy and responsibility into every facet of the business, organizations will be better prepared to adapt to the evolving landscape of children’s data laws and establish trusting relationships with their customers by demonstrating a commitment to digital safety.

Recommendations for COPPA Compliance and Best Practices

Content creators (publishers or brands with kid-friendly content), brands, agencies, and every company involved in the buying and selling of ads have an obligation under COPPA to avoid collecting and processing data of children under the age of 13 without explicit consent from parents. In this section, we provide some practical guidance and best practices on how each member of the advertising ecosystem can comply.


Publishers and Brands

Publishers have an important role in ensuring that their online service is not collecting personal information from children under 13. Many of the COPPA enforcement cases have been made against publishers or brands’ services. If your online service is subject to COPPA, follow these best practices for compliance and kids’ online safety:

  • Start with a zero-data approach. Under COPPA, except in certain limited cases, kids’ personal information may not be collected or used without explicit, opt-in, and verifiable consent from a parent. This is hard to obtain unless you have a clear value exchange with the user and parent. Therefore, you should start with a zero-data approach to your experience.
    • Insist on zero-data settings where possible for third-party tools on your sites, apps, and other online services, including those tools used to serve, traffic, and optimize advertising. Avoid social media embedded widgets or data-enabled video players on your online services. Turn off data collection and configure privacy settings to their maximum levels on these platforms to maintain compliance.
    • Rather than use social-embedded features or data-enabled video players on your online services, research solutions that allow you to control all data collection such as Ooyala, JW Player, and PopJam Platform which are safer alternatives.
    • Aggregated, anonymous metrics like impressions, clicks, engagements, video completes, and time are allowed and do not require consent.
    • Allow only contextual advertising and only from partners you have audited for compliance with COPPA that have contractually committed to such compliance.
  • Obtain Verifiable Parental Consent (VPC) to collect or use kids’ personal information. If your service relies on personal data to function (such as collecting an email address, tracking location to power a game, or using persistent identifiers to target advertising using behavioral data), then you must obtain verifiable consent before you collect such information from children. The process requires you to contact a parent, to verify his or her identity, and then to obtain his or her consent.
    • VPC requirements include:
      • A clear mechanism for parents to provide opt-in consent for their kids before data collection
      • The ability for parents to review the personal information collected from their child and let them delete it
      • For sensitive data, the FTC requires that parents verify they are adults through a limited set of mechanisms, like a credit card micropayment, before they are allowed to give consent
    • Kidtech companies such as SuperAwesome, AgeCheq, and Privo provide VPC solutions
  • Post a clear and comprehensive online privacy policy. Your site or app must have a privacy policy that simply explains your data collection practices for users under 13. Use your privacy policy as an opportunity to build a transparent and trustworthy relationship with parents and to encourage kids to have a healthy online presence.
  • Apply a church-and-state principle by separating your adult and child audiences. On your sites, apps, and microsites segregate content meant for kids from content intended for shoppers, parents, and adults. Focus your child-oriented content on videos, games, and character-based activities, with all non-consented tracking removed. Include only safe social interactions and moderate any user-generated content to ensure appropriateness and also prevent children from sharing personal information. Your adult content can have social widgets and feeds from adult platforms (e.g., social media) including shopping and typical tracking via pixels and cookies.
    • Age gates can be used to identify user buckets in general audience or mixed audience experiences. COPPA requires your age-screening mechanism to be neutral. This means that your age gate may not encourage kids to lie about their age or lead them to a particular answer.
    • For respondents under 13, you can direct them to the portion(s) of your services that are safe for kids, turn off data collection for that user across the site, and/or begin the process to obtain parental consent for data collection.
    • Stay current with best available practices for determining a user’s age. Pressure from regulators and politicians is driving the kidtech industry to innovate on age detection technologies instead of using age gates.
    • Do not make a child’s participation in an online activity contingent on the child’s providing more information than is reasonably necessary.
  • Regularly purge data you do not need. Protect the confidentiality, security, and integrity of personal information. Retain personal information for only as long as is necessary to fulfill the purpose for which it was collected.
  • Apply zero-data principles to monetization.
    • Remove kids’ personal information before transmitting the ad opportunity (i.e., bid request) to buyers. For example, use your own or licensed filter solutions to truncate IP addresses. In programmatic, set the OpenRTB COPPA flag to 1 (for more on this see page 18).
    • When accepting ads (i.e., bid responses) ensure that the impression and click trackers are not trying to collect personal data. Approve creative audio and visual for appropriateness and safety for kids’ audiences per FTC and CARU guidance.
    • Do not monetize bid-stream data or audience data originating from your child-directed or child-user traffic.
    • Refer to new app store requirements on monetizing and measuring kids’ content. Google’s Designed for Families program and Apple’s policy updates are recent and ongoing attempts to update and clarify requirements for safety and compliance. For example, Google now maintains a list of approved networks for monetizing ad-supported, kid-friendly Android apps.
  • Adopt a narrow interpretation of COPPA’s internal operations exception. In COPPA, parental consent is not required if personal information is used to support internal operations. However, companies should interpret this exception narrowly, as companies have been sued and fined for COPPA violations stemming, in part, from misuse of the exception.
    • The following fall within the definition of supporting internal operations:
      • Maintaining or analyzing the functioning of the website or online service
      • Performing network communications
      • Authenticating users
      • Personalizing content
      • Serving contextual advertising or capping the frequency of advertising
      • Protecting the security or integrity of the user, website, or online service
      • Ensuring legal or regulatory compliance
      • Responding to a child’s specific request


Advertisers have clear obligations for safety and compliance when intending to connect with kids through ads, influencer marketing, social engagement, or branded experiences across any online services using any connected device. It is not enough for you to assume that the destination for your promotion is compliant. An advertiser, its agencies, and its buy-side vendors must proactively ensure that:

  • There is not any collection of personal information from kids under 13 from your ads
  • Your ad purchase is not the result of non-compliant targeting
  • Your measurement is not relying on personal information in violation of COPPA

Here are some best practices to consider when engaging with kids:

  • Apply a church-and-state principle by separating your adult and child audiences. Your kids’ marketing strategy and execution should be separated from your adult marketing and content.
    • Ensure that you have appropriate and compliant messages for kids and data collection is turned off from the ad.
    • Use best-available technology to strip trackers from your purchased media.
  • Use contextual targeting. Do not use behavioral, interest-based audience selection, or retargeting strategies to market to kids. Instead, use contextually-based advertising that is limited to the content currently in-view and on the domain of the site visited.
    • For example, if a user is currently playing a racing game with animated content and requires an early education reading level, then you can contextually target an ad intended for a boy between the ages of 6 to 8.
    • In reaching children, recognize that the differences in interests and development maturity vary greatly across ages. Ads that are captivating for a 12-year-old are vastly different from those that interest a 5-year-old. Suggested micro audiences are:
      • Preschool – 3 to 5
      • Kids – 6 to 8
      • Tweens – 9 to 12
      • Teens – 13 to 18
  • Socially-enabled video yields meaningful reach for kids’ audiences, but buying requires additional safety measures. Given the enormous popularity of social media and video sharing sites, most brands advertise on these platforms. However, these platforms were not built for audiences under the age of 13. So when you use their buying tools to target select audiences with your ads, you are using audience profiling and interest-based targeting techniques based on personal data, which COPPA prohibits for kids under 13 years old.
    • Responsible brands seek to respect the principles of COPPA when making these media buys. That means using only contextual targeting methods such as choosing the destination of the ad based on the surrounding content and not on profiled audiences.
    • Avoid using the platform’s keyword targeting tools, as these rely on behavioral data to select audiences.
    • Start with a curated, hand-picked set of channels or pages that have been moderated by humans and are certain to be kid-safe.
    • Your real or perceived intent for buying media for kids’ audiences on these platforms means you cannot transfer safety obligations to the platform.
  • Family time is a viable strategy for advertising but should be considered a way to target adults. Family strategies for advertising, also known as householding strategies, are where both targeting and attribution occur for an entire household, not an individual. Family-targeting strategies can be a warning that you are accidentally enabling data collection on children. For example, if you want to target households with parents to sell diapers, you can use data from an adult-directed, parenting website to segment the household and its associated devices. To develop this diaper-buyer audience, you should not collect behavioral signals (including device identifiers) from a “Toddler ABCs” game, which is child-directed, to segment this device or its related household devices. Collecting data from child-directed online services without verifiable parental consent is a COPPA violation.


Here’s a TV example: Depending on the service provider, TV companies have access to data on the account holder or whoever registered the device. That data is then matched to a device graph to determine who is eligible for advertising in a household. Companies can then choose to target a specific device/household. This targeting data should be used for adult targeting and measurement, not for child-directed advertising. To reach the children in the home, you should target based on the context of the content, not device identifiers that are tied directly or indirectly to a device graph.

  • Marketer’s perspective: I am a toy manufacturer and I want everyone in the house to learn about our new doll series, as I know there is a child in the household from parenting and other purchase signals. I target parents of girls (ages 5-12) as a demographic audience with a “buy now” message. The click for the adult media is to our online shop. Using a separate contextually-driven strategy, I reach girls ages 5-12 in games and sites relevant to their age using a “check it out” call to action. The click from the kids’ media is to the Kids Club section of our website.
  • Know the details of your media buys and measurement. It is important to understand what methodology is used for identifying the appropriate targeting and attribution strategy to ensure proper precautions and processes are in place.
  • Control your supply chain. Control your delivery through contracts, audits, and careful partner selection.
    • Establish rules. For programmatic buying, establish rules to ensure your buying partners adhere to the COPPA flag in the OpenRTB protocol (for more on this see page 18).
    • Filter data for clarity and compliance. When you have a complex ad transaction system, use filtering technologies that actively strip trackers from ad tags and/or remove personal information from ad requests.
    • Limit hops. Minimize the number of hops in your advertising delivery chain, the number of tag wrappers used for a single ad, and the number of third parties involved in delivery, targeting, and measurement.
    • Tag management matters. If accepting ad tags or trackers or any other code from partners, audit these to ensure they do not include piggyback or zombie trackers.
    • Police your third-party partners. Require that every third-party supplier involved in delivering your campaign (DSP, exchanges, SSP, verification vendor) confirms in writing their actual knowledge that this is a campaign aimed at children, that they understand their obligations under relevant data privacy laws, and that they will not profile users or share data related to any views of the campaign.
  • If you see something, discard it. If any personal information of a child under 13 is passed back to your systems, discard it or ensure it is treated properly.
    • Do not use it for profiling/targeting
    • Do not share it and ensure that no other party can access or use it
    • Have documented, clear processes in place to prove you are treating it compliantly
    • Keep your privacy notice up-to-date to explain those processes
  • Send kids into safe spaces. Use dedicated kid-safe campaign landing pages that feature age-appropriate content, no third-party trackers, and only internal performance analytics.

COPPA Compliance Includes the Entire Advertising Supply Chain

Any company that touches data, content, or advertising to children must uphold its obligations for COPPA compliance, including demand-side platforms (DSPs), supply-side platforms (SSPs), data management platforms (DMPs), customer data platforms (CDPs), automated content recognition (ACR) technology, fraud detection, measurement providers, creative ad servers, and the litany of other advertising technologies involved in media. Here are some frequently asked questions regarding compliance in typical advertising services:

  • Can I perform attribution from child-directed media?
    Lift-based attribution or attribution that does not rely on non-consented children’s personal information (e.g., cookies, in-app IDs, full IP addresses) is permitted. Traditional one-to-one attribution, even across screens, is not permitted.
  • How can location be used in kids’ media and measurement?
    Designated market area (DMA) and zip code location data are permitted for targeting and measurement. Without consent, precise geolocation (e.g., latitude/longitude, zip+4, IP address, and beacon data) is not permitted. Example: A new movie wants to advertise to kids who are frequent movie-goers and near theaters premiering the title.

Not permitted

  • Geotargeting bid requests within a mile of the theaters’ latitude and longitude
  • Using audience-segment targeting seeded from mobile app IDs that previously visited movie theaters
  • Attributing an exposure for the movie to an in-theater visit for the same device

Permitted

  • Targeting impressions where the truncated user IP matches theaters’ DMA
  • Measuring the lift in movie ticket sales for DMAs with media turned on


  • Can identity management be used in kids’ content and media?
    Identity management alone or in combination with data management platforms (DMPs) and customer data platforms (CDPs) is typically not permitted with non-consented kids’ data because these platforms rely on collection and storage of data that is considered personally identifiable for kids. Things to watch out for:

    • If you are sourcing data stream data to build your identity solution (e.g., a device graph), be sure to expunge any signals originating from kids’ content or users known to be under 13
    • Do not add ID sync pixels in purchased impressions as they are typically trying to drop a cookie or collect uniquely identifying data from kids
    • Fingerprints, even those that rely on the full user agents, are likely to be perceived as personally identifiable for kids


Technical Recommendations for COPPA in Programmatic

Considering the importance of compliance within the programmatic buying processes, here are several ways to modify your buying process to ensure COPPA compliance and safety.

Technical considerations in buying and selling kids’ media, each followed by its recommendation:

  • Ad sellers using OpenRTB programmatic
    When selling ad inventory, take two steps:
    1. Set the COPPA flag (also known as a TFCD or TFUA parameter) when either case is valid:
      • Direct knowledge of user’s year of birth or age to be under 13 in the U.S.
      • Originating site, app, content is child-directed, per CARU and FTC guidelines.
    2. Remove kids’ personal information from the bid request. This will better prevent non-compliant data from entering the ad ecosystem. For example, truncate the last octet of the IP in direct or programmatic ad transactions, as a full IP address is considered personal information under COPPA.
  • Ad buyers using OpenRTB programmatic
    When you receive a bid request with the COPPA flag, do not attempt to apply behavioral buying (e.g., retargeting, DMP-based audience buys, or message sequencing).
    On bid response, ensure that no trackers are added to the impression or click, including ID sync pixels, measurement requiring personal data, or any other third-party tracker.
  • Creative tag types
    For video buying, use VAST tags only. Do not use VPAID as it allows unknown, untrusted JavaScript execution on client devices.
    For display and mobile buying, use XHTML and HTML5. Do not use MRAID as it allows unknown, untrusted JavaScript execution on client devices.
  • Click through (link, URL and fallback URL) on any ad object
    For ads intended for a youth audience, the click-through destination URL must be to content appropriate for children and free from non-consented data collection.
    If you must send a child to a site that is for a general audience, then apply a bumper between the ad and the destination, reminding the child that he or she is leaving the site and to be safe on the internet.
  • Bid stream ingestion
    Drop all bid requests with COPPA = 1 if bid stream ingestion is for identity mapping (probabilistic or deterministic), audience segmentation, or user-specific profiling.
  • UTM trackers
    When using UTM trackers, ensure that they only signify general campaign data, such as campaign ID or placement ID. Do not use any unique qualities of the user or the actual site from where the user originated.
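The seller-side and bid stream ingestion recommendations above can be expressed as two small filters. This is an added example, not code from the IAB guide; it uses OpenRTB 2.x field names, and the list of identifier fields to strip, dropping IPv6 outright, and cutting zip+4 to five digits are assumptions made for the example.

```python
import copy
import ipaddress

# OpenRTB 2.x identifier fields stripped here (which fields to strip is an assumption).
DEVICE_ID_FIELDS = ("ifa", "didsha1", "didmd5", "dpidsha1", "dpidmd5",
                    "macsha1", "macmd5", "ipv6")  # IPv6 is dropped, not truncated
USER_ID_FIELDS = ("id", "buyeruid")
# Constructed sample bid request (documentation-range IP, made-up identifiers).
SAMPLE = {
    "device": {"ip": "203.0.113.57", "ifa": "constructed-ifa",
               "geo": {"lat": 40.75, "lon": -73.99, "zip": "10001-1234"}},
    "user": {"id": "constructed-user", "buyeruid": "constructed-buyer"},
}

def truncate_ipv4(ip):
    """Zero the last octet of an IPv4 address; return None if it is not valid IPv4."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except (ipaddress.AddressValueError, TypeError):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))

def sanitize_for_coppa(bid_request, child_directed, known_under_13):
    """Seller side: set regs.coppa and strip personal data when either trigger holds."""
    req = copy.deepcopy(bid_request)
    if not (child_directed or known_under_13):
        return req
    req.setdefault("regs", {})["coppa"] = 1
    device, user = req.get("device", {}), req.get("user", {})
    for field in DEVICE_ID_FIELDS:
        device.pop(field, None)
    for field in USER_ID_FIELDS:
        user.pop(field, None)
    ip = truncate_ipv4(device.pop("ip", None))
    if ip is not None:  # unparseable addresses stay removed
        device["ip"] = ip
    for geo in (device.get("geo"), user.get("geo")):
        if geo:
            geo.pop("lat", None)
            geo.pop("lon", None)
            if "zip" in geo:
                geo["zip"] = str(geo["zip"])[:5]  # zip code allowed, zip+4 not
    return req

def ingestible_for_identity(bid_requests):
    """Buyer side: drop COPPA = 1 requests before identity or profiling ingestion."""
    return [r for r in bid_requests if r.get("regs", {}).get("coppa") != 1]
```
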


Conclusion: 5 Recommendations to Comply with COPPA

In a media environment where regulatory decisions are underway, it is necessary to explore how children’s contemporary online behaviors can have a profound effect on your business processes. This document outlines a series of steps marketers can consider to help ensure compliance and also avoid costly fines should something go wrong along the many steps of delivering advertising messages.

  • Implement a children’s data privacy compliance strategy.
    Because the digital media industry for children is growing, regulated and changing, your organization should define and implement a compliance strategy. Whether you are upstream or downstream or in the middle of content and advertising, you are most likely obligated to be COPPA compliant, whether by regulation, contract, or both.
  • Shorten and control your delivery chain.
    Whether you are upstream or downstream or in the middle of an ad transaction, you are obligated to proactively enforce COPPA compliance. Use the COPPA flag in programmatic and filters to remove trackers.
  • Use a zero-data strategy for personal information.
    For measurement, ad serving, monetization, targeting or tech that touches your content or ads, turn off data collection. Employ trusted partners to implement your compliance strategy.
  • Appropriateness and safety are your company’s responsibility.
    Precedent shows that our businesses are obligated to help kids — it is not just parents’ responsibility to protect children.
  • Apply the consumer test.
    If you find your business in a grey area, consider if a parent would perceive that your company is violating safety or data privacy rules. Perception matters when avoiding bad headlines and lawsuits.



  1. Federal Trade Commission (FTC)
  2. Children’s Advertising Review Unit (CARU)
  3. Training Resources



This report would not have been possible without the guidance and direction of the IAB COPPA (Children’s Online Privacy Protection Act) Working Group led by Joe Pilla, IAB Data Center of Excellence. We extend our thanks and deepest appreciation.

IAB would like to acknowledge the contributions of the following individuals and organizations:

Kate O’Loughlin, SuperAwesome (Co-chair)
Aundra Thompson, Conversant Media (Co-chair)
Brad Timmers, Innovid (Co-chair)
Jennifer Derke, IAB Tech Lab
Andy Fargnoli, Pandora
Alex Propes, IAB
Veronica Torres, ComScore
Affinity Express
Ahava Digital Group
Dun & Bradstreet
Garden Lites
Havas Media
Index Exchange
The Media Trust Company
Unity Technologies

IAB Contact
Joe Pilla
Director, Data and Automation
IAB Data Center of Excellence

About Us

The Interactive Advertising Bureau (IAB) empowers the media and marketing industries to thrive in the digital economy. Its membership is comprised of more than 650 leading media companies, brands, and the technology firms responsible for selling, delivering, and optimizing digital ad marketing campaigns. The trade group fields critical research on interactive advertising, while also educating brands, agencies, and the wider business community on the importance of digital marketing. In affiliation with the IAB Tech Lab, IAB develops technical standards and solutions. IAB is committed to professional development and elevating the knowledge, skills, expertise, and diversity of the workforce across the industry. Through the work of its public policy office in Washington, D.C., the trade association advocates for its members and promotes the value of the interactive advertising industry to legislators and policymakers. Founded in 1996, IAB is headquartered in New York City.

For more information, please visit iab.com

IAB Data Center of Excellence is an independently funded and staffed unit within IAB, founded to enhance existing IAB resources and to drive the ‘data agenda’ for the digital media, marketing, and advertising industry. The Data Center of Excellence’s mission is to define boundaries, reduce friction, and increase value along the data chain, for consumers, marketers, and the ecosystem that supports them.

