While US lawmakers consider legislation that’s been nicknamed COPPA 2.0, the Federal Trade Commission has been busy targeting companies it says have violated the original law, which first went into effect more than 25 years ago. Stacey Brandenburg and Yiannis Vandris of ZwillGen offer compliance lessons corporate leaders can take from recent FTC actions involving companies like Disney and social networking app maker Iconic Hearts.
Children’s privacy, a consistent priority for state and federal regulators, remained a focus for the Federal Trade Commission (FTC) in 2025 and promises to be a sustained area for regulatory attention in 2026. While many states have been navigating passage and subsequent legal challenges to age-appropriate design code legislation and app store accountability acts, the FTC targeted compliance with the Children’s Online Privacy Protection Act and corresponding rule (COPPA), which requires online services and website operators to, among other things, obtain verifiable parental consent before collecting personal information from children (under 13).
The FTC’s three most recent child-related cases (two settlements and one lawsuit) involve Disney, Apitor and Iconic Hearts, respectively, and offer insight into potential areas of exposure under COPPA and risk mitigation strategies.
Disney settlement: Child-directed content should be properly labeled and accompanied by COPPA-compliant settings
The FTC’s $10 million settlement with Disney in 2025 contained allegations that the company failed to correctly label its child-directed videos on YouTube, resulting in violations of COPPA because it collected children’s personal information without the requisite protections.
For context, in 2019 YouTube settled with the FTC over alleged COPPA violations of its own and implemented safeguards requiring content creators to designate their videos as either made for kids (MFK) or not made for kids (NMFK). When a video is designated as MFK, certain features — such as comments, the ability to save a video to a playlist and targeted advertising using persistent identifiers — are disabled to prevent the collection of children’s personal information that would require notice and verifiable parental consent under COPPA.
Channel owners can designate MFK or NMFK at the channel level such that all videos uploaded to the channel receive the selected designation by default or on the individual video level. According to the FTC, YouTube advised Disney that it may face compliance issues if it failed to accurately designate its content.
Disney’s policy, which governed over 1,250 YouTube channels through numerous subsidiaries, mandated that audience designations be made on the channel level. As a result, the FTC alleged certain child-directed videos uploaded to Disney’s NMFK channels beginning in 2020 retained their default NMFK designation. YouTube’s feature-disabling COPPA compliance mechanisms were not activated, and YouTube, relying on Disney’s designations, allegedly collected personal information and placed targeted advertisements on child-directed videos on Disney’s behalf.
These alleged misclassifications also meant that alongside YouTube, Disney itself ran targeted advertising campaigns on child-directed videos incorrectly marked NMFK. Conducting targeted advertising on child-directed content without verifiable parental consent violates COPPA because it relies on collecting persistent identifiers that can be used to recognize a user over time and across different websites or online services. Such persistent identifiers qualify as personal information that is protected under COPPA.
In addition to paying $10 million, Disney agreed to implement comprehensive internal controls to ensure future COPPA compliance when uploading to third-party platforms. The proposed settlement requires Disney to establish and implement a mandatory audience designation program “to review whether [individual] videos posted to YouTube should be designated as MFK—unless YouTube implements age assurance technologies that can determine the age, age range, or age category of all YouTube users or no longer allows content creators to label videos as MFK.” The order, the FTC explained in a news release, “would transform how the entertainment behemoth designates videos on YouTube … while encouraging adoption of age assurance technologies on YouTube.”
Iconic Hearts lawsuit: More holistic view for assessing COPPA applicability
The FTC, through the DOJ, filed a 2025 lawsuit against Iconic Hearts Holdings — the operator of the anonymous messaging app Sendit — and its CEO (individually and as an officer of the company), alleging that Iconic Hearts unlawfully collected personal data from children in violation of COPPA and also misled users, including in an effort to secure paid subscriptions, in violation of the Restore Online Shoppers’ Confidence Act (ROSCA) and Section 5 of the FTC Act.
The FTC’s complaint alleges that Iconic Hearts is a child-directed service. The FTC points to Iconic Hearts’ own statements about its services, responses to inquiries from parents indicating that Sendit is for users 12 and up and marketing materials characterizing the app as “the primary destination where every social interaction for gen alpha can happen” and as a “Gen Alpha social networking app.” The complaint contended that Iconic Hearts’ use of the term Gen Alpha, commonly understood to refer to those born after 2010, further demonstrated that Iconic Hearts intended for the service to be used by those under 13. Moreover, the FTC identified several ways through which it said Iconic Hearts had actual knowledge of children using its services. For example, it collected users’ birthdates in some instances (apparently over 116,000 users reported their age as under 13) and repeatedly received complaints from parents and children that explicitly referenced the child as under 13. Given these factors and allegations, the FTC contends that Iconic Hearts should have complied with COPPA, including obtaining verifiable parental consent before collecting children’s information.
This case is a good reminder about how the FTC may evaluate whether a site or service is child-directed, as well as what the FTC may look to in determining actual knowledge under COPPA. In this case, Iconic Hearts received birthdate information from some users, which could be used to calculate its users’ ages and establish actual knowledge in connection with those users. However, the commission also considered public statements, app store designations, presence of user complaints and marketing taglines as described above in evaluating whether the services more broadly were child-directed.
To mitigate potential exposure under COPPA, take stock of what age-related data you collect or receive through complaints, which might be found to give you actual knowledge, and consider whether your marketing and other public messaging could create the impression that you are child-directed. Then, consider if there are product changes to implement, statements to clarify or compliance processes to adopt to reduce the potential for COPPA violations.
Apitor settlement: COPPA liability based on third-party collection
In 2025, the FTC also reached a settlement with Apitor Technology over allegations that Apitor violated COPPA by allowing a Chinese third party to collect sensitive geolocation data from children using its products.
The complaint alleges that the mobile app, which accompanies Apitor’s robotic toys, required Android users to enable location-sharing to connect their toy. This app leveraged a third-party software development kit (SDK) called JPush that allowed JPush’s developer to collect location data and use it for any purpose, including advertising and sharing with additional third parties. According to the complaint, Apitor’s failure to notify parents that a third party was collecting geolocation information and to obtain verifiable parental consent before collection from children under the age of 13 constituted a violation of COPPA.
In settling the allegations, Apitor will be required to delete any wrongfully collected information and ensure that use of future third-party software complies with COPPA. Despite Apitor’s stated commitment to COPPA compliance in its own privacy policy, the complaint notes that the SDK provider’s publicly available privacy policy stated that “its SDKs collect and use location information if app users enable location permissions.”
The Apitor case is a good reminder for compliance professionals to diligently vet vendors and third-party partners. Reasonable compliance where data collection is involved may include reviewing the third party’s public-facing privacy documents. Additionally, companies should seek contractual representations about privacy compliance and incorporate technical guardrails, where relevant, to ensure COPPA compliance by all parties involved in data collection and use.
Takeaways for compliance professionals
If your business is subject to COPPA, either based on the services you provide or actual knowledge of your users’ ages, consider the following steps to mitigate potential risk:
- Audit your content labeling practices, ensuring that each piece of content receives the appropriate audience designation and that technical compliance mechanisms are properly in place on child-directed content.
- Invest in internal review programs of uploaded content, such as randomized audits and flagging systems for potentially problematic designations.
- Document policies and processes to demonstrate good-faith compliance efforts with COPPA requirements.
- If you do not currently have a COPPA compliance program, conduct an in-depth review of your websites or services (including marketing and other public messaging) to determine whether they are directed at children or whether your business has actual knowledge of users younger than 13.
- Diligently review your third-party partners’ privacy practices and ensure their services are also COPPA-compliant.


Stacey Brandenburg
Yiannis Vandris







