1998: COPPA and Email Marketing to Children
In October 1998, President Bill Clinton signed the Children’s Online Privacy Protection Act (COPPA) into law, establishing rules that would fundamentally change how online businesses interacted with children — and, in particular, how they used email to market to minors.
The law was straightforward in its core requirement: websites and online services must obtain verifiable parental consent before collecting personal information from children under 13 years old. Personal information included names, addresses, phone numbers, and — critically for the email marketing industry — email addresses. For marketers who had been happily building email lists without asking anyone’s age, COPPA was a wake-up call.
The World Before COPPA
In the mid-1990s, the internet’s rapid commercialization created a situation that lawmakers increasingly found alarming. Children were going online in growing numbers, drawn by games, chat rooms, and interactive websites designed specifically for young audiences. These sites routinely collected personal information from child visitors — including email addresses — through registration forms, contests, surveys, and interactive features.
Few of these sites disclosed what they did with the information. Fewer still sought parental permission. Email addresses collected from children were added to mailing lists, used for targeted marketing, and sometimes shared with third parties. The idea that a 9-year-old signing up for a game website might start receiving commercial email from unknown companies was troubling to parents, advocates, and regulators alike.
The Federal Trade Commission had been studying children’s privacy online since 1996, conducting surveys of children’s websites and finding widespread collection of personal information with minimal disclosure or parental involvement. A 1998 FTC survey found that 89% of children’s websites collected personal information, but only 24% posted any privacy policy, and only 1% required parental consent.
The Law
COPPA, effective April 21, 2000, established several requirements that directly impacted email marketing to children.
Verifiable parental consent. Before collecting an email address from a child under 13, a website or online service must obtain verifiable consent from a parent or guardian. This isn’t a simple checkbox — the FTC requires methods that provide reasonable assurance that the person giving consent is actually the child’s parent. Acceptable methods include signed consent forms, credit card verification, or government ID verification.
Privacy policy requirements. Any website or service directed at children (or that has actual knowledge of collecting information from children) must post a clear, comprehensive privacy policy describing its data collection practices.
Parental access and deletion rights. Parents have the right to review the information collected from their children and to request its deletion.
Data minimization. Operators cannot condition a child’s participation in an activity on the collection of more personal information than is reasonably necessary.
The Effect on Email Marketing
For the email marketing industry, COPPA’s practical effect was simple: marketing to children under 13 via email became extremely difficult and, for most companies, not worth the effort.
The parental consent requirement was the key barrier. Obtaining verifiable parental consent for each email address was cumbersome, expensive, and created friction that killed conversion rates. A typical email signup flow — enter address, click subscribe — couldn’t be used for children’s addresses without adding a multi-step parental verification process.
Most marketers made a practical decision: simply avoid collecting email addresses from children under 13. Websites aimed at children either didn’t include email marketing features or implemented age gates that screened out users under 13 from email collection. The path of least resistance was exclusion rather than compliance, and most companies chose that path.
This created an interesting market dynamic. The under-13 demographic, which represented a massive and growing population of internet users, was largely unreachable via email marketing. Brands targeting children shifted their marketing budgets to channels where COPPA’s consent requirements didn’t apply — television, in-app advertising, and later social media (though COPPA applies there too, compliance has been inconsistent).
Enforcement
The FTC took COPPA enforcement seriously, bringing actions against companies large and small that violated the law’s requirements.
Toysmart.com (2000): One of the first COPPA enforcement actions, filed against a dot-com era toy retailer that collected children’s information and attempted to sell its customer database during bankruptcy.
UMG Recordings (2004): Universal Music’s fan websites collected email addresses from children without parental consent. The company paid $400,000 to settle.
Xanga (2006): The blogging platform paid $1 million for creating 1.7 million accounts for children under 13 without parental consent.
TikTok / Musical.ly (2019): The largest COPPA settlement at the time — $5.7 million — for collecting personal information from children without parental consent.
Google / YouTube (2019): Google paid $170 million to settle allegations that YouTube collected personal information from children to target advertising. The case reshaped how YouTube handled children’s content.
Epic Games / Fortnite (2022): Epic paid $275 million for COPPA violations related to collecting children’s personal information and enabling direct communications between children and adults.
These enforcement actions established that COPPA was not a toothless statute. Companies that collected email addresses or other personal information from children without parental consent faced real financial consequences.
The Broader Impact
COPPA’s influence extended beyond its literal requirements. The law established the principle that children’s data deserved special protection — an idea that influenced subsequent privacy legislation worldwide. The EU’s GDPR includes specific provisions for children’s data, with member states setting consent ages between 13 and 16. Many national privacy laws now include child-specific protections modeled, in part, on COPPA’s framework.
For email marketing specifically, COPPA created a permanent carve-out. The under-13 market is effectively off-limits for email-based marketing, which means the entire email marketing industry is built around adult and teen audiences. This constraint has shaped everything from list-building strategies to content design to the platforms that email marketers use.
Twenty-five years after COPPA’s passage, the law remains the cornerstone of children’s online privacy protection in the United States. Its email-specific provisions rarely make headlines because compliance has become second nature — age gates, parental consent flows, and under-13 exclusions are standard practice. But the law fundamentally shaped the boundaries of email marketing, establishing that some audiences are simply off-limits without jumping through very specific hoops. For most marketers, those hoops aren’t worth jumping through — which is exactly what COPPA’s authors intended.
Infographic
Share this visual summary. Right-click to save.
Related Events
Frequently Asked Questions
What is COPPA?
COPPA is the Children's Online Privacy Protection Act, signed into law in October 1998 and effective April 21, 2000. It requires websites and online services to obtain verifiable parental consent before collecting personal information, including email addresses, from children under 13 years old.
How does COPPA affect email marketing?
COPPA effectively prohibits email marketing to children under 13 without verified parental consent. Marketers cannot collect email addresses from children under 13, add them to mailing lists, or send them commercial messages without going through a parental consent process that most companies find impractical for marketing purposes.
What are the penalties for violating COPPA?
COPPA violations carry civil penalties of up to $50,349 per violation as of 2023, with each improperly collected piece of information potentially constituting a separate violation. The FTC has levied multimillion-dollar fines against companies including Google (YouTube), TikTok, and Epic Games for COPPA violations.