Direct Notice Drafting Under COPPA: What the FTC Actually Requires
A COPPA direct notice isn't your privacy policy. It's a separate, standalone document sent directly to parents before you collect a single piece of data from their child. Most EdTech operators get this wrong. Here's what the FTC actually requires.
What Is a COPPA Direct Notice and When Is It Required
A COPPA direct notice is not your privacy policy. It is a legally separate document — delivered directly to a parent — that must arrive before the operator collects, uses, or discloses a single piece of personal information from a child under 13. The timing rule is absolute: the notice obligation is triggered prior to collection, not simultaneously with it, and not after data has already been gathered.
Under 16 CFR § 312.4, operators must make reasonable efforts, taking into account available technology, to ensure that a parent actually receives direct notice of the operator's data practices. The regulation requires the notice to be "clearly and understandably written, complete, and contain no unrelated, confusing, or contradictory materials." That standard applies to the direct notice itself — not to a webpage somewhere on your domain where a link might eventually lead a determined parent to the relevant disclosures.
This distinction matters in practice. COPPA creates two independent notice obligations:
- Website privacy notice: Posted prominently on the site's homepage and at each data collection point — the public-facing policy most operators already maintain.
- Direct notice: Sent directly to the parent before collection begins — a distinct document that cannot be satisfied by pointing to the website privacy notice or including a link to it.
Operators routinely collapse these two requirements into one, treating a posted privacy policy as sufficient. The FTC has rejected that approach in enforcement action after enforcement action.
The stakes are concrete. As of January 2025, the FTC's inflation-adjusted civil penalty cap sits at $53,088 per violation per day. Musical.ly — the precursor to TikTok — paid $5.7 million specifically because it failed to provide direct notice to parents and failed to obtain verifiable parental consent. The FTC's complaint named each failure as a distinct violation. That penalty stood as the largest in a children's privacy case at the time it was imposed.
For EdTech operators, the threshold question is not whether you have a privacy policy. It is whether parents received a compliant direct notice before your app touched their child's data.
Required Elements — What COPPA Mandates in Every Direct Notice
The 2025 amended COPPA Rule significantly expanded what must appear inside a direct notice. Most existing EdTech notices were drafted against the pre-2025 standard and are missing several newly required disclosures. Here is what every compliant direct notice must now contain.
Elements required under the amended rule (16 CFR § 312.4(b)):
- Operator identity and contact information — Full legal name, mailing address, telephone number, and email address. Generic "contact us" links do not satisfy this requirement.
- Categories of personal information to be collected from the child — Specific categories, not a generic catch-all. The 2025 amendments expanded the definition of "personal information" to include biometric identifiers (fingerprints, voiceprints, facial templates, faceprints, retina and iris patterns, gait patterns, DNA sequences) and government-issued identifiers. If your app collects any of these, they must be named.
- How the operator intends to use each category — The 2025 amendments added this as a standalone requirement. Prior notices that only listed data categories without explaining intended use are now deficient.
- Identities or specific categories of third-party recipients, and the purpose for each disclosure — The 2025 amendments moved from general disclosure language to a requirement that operators name specific third parties or clearly defined categories and articulate why each disclosure is made.
- That parent consent is required and how to provide it — The notice must explain the consent mechanism the operator uses.
- That parents may consent to collection without consenting to third-party disclosure — Unless the disclosure is "integral" to the service. This unbundling right must be explicitly stated.
- That the operator will delete contact information if consent is not received within a reasonable time
- Parents' rights to review, correct, and delete their child's information
- A link to the full online privacy policy
The AI vendor disclosure requirement. The 2025 amendments explicitly provide that disclosing children's personal information to third parties for AI training or development is never "integral" to a website or online service. Any EdTech operator sharing student data with an external AI analytics vendor must therefore: (1) name that vendor or describe its category in the direct notice; (2) state that data will be used for AI training or development; and (3) obtain separate verifiable parental consent for that sharing. This disclosure must appear in every notice sent to parents — and almost no existing EdTech notice currently includes it.
All of these elements must appear within the four corners of the notice itself. You cannot satisfy the requirement by pointing to your online privacy policy; the notice must stand alone as a complete, self-sufficient document.
The "Just-in-Time" Notice Approach — Practical Implementation
Under the 2025 amendments, the FTC described the direct notice as functioning as an effective "just-in-time" message to parents — a contextual notice delivered at the precise moment a specific data collection event is about to occur, rather than a single omnibus document buried in an onboarding flow. The just-in-time framework is the practical delivery mechanism for the rule's four-corners requirement.
The concept works like this: instead of (or in addition to) a general notice sent when a parent creates an account, you send a targeted notice each time your app requests a new type of data — at the exact moment your UI prompts for it. The notice appears in context, explains what is about to be collected and why, and invites consent before any data is gathered. If that notice contains all of the required elements for that specific collection activity, it satisfies 16 CFR § 312.4.
The FTC has specifically endorsed this approach for three categories of high-sensitivity data that EdTech apps routinely request:
- Geolocation data — COPPA covers location information sufficient to identify a street and city. A just-in-time notice displayed when the app requests location permissions — separate from the OS-level permission prompt — is the appropriate delivery point.
- Voice recordings — The FTC confirmed in 2017 that operators may collect audio files as a replacement for written words (such as voice search) without advance consent if the file is deleted immediately after use, but the operator must still clearly disclose the collection and deletion policy. A just-in-time notice at the point of voice feature activation is the appropriate mechanism.
- Photos and video — Any image or recording containing a child's likeness is personal information under COPPA. A notice triggered at the moment a camera permission is requested covers this category.
Two practical limitations apply. First, just-in-time does not replace your full online privacy policy or your initial account-creation notice — it supplements those disclosures with context-specific notices at each new collection point. Second, the support-for-internal-operations exception does not cover engagement-driven data uses such as push notifications or behavioral tracking. If the collection your just-in-time notice describes serves one of these use cases, the exception does not provide cover and you need a compliant consent flow.
One unresolved implementation question: the FTC has not addressed whether a just-in-time notice displayed simultaneously with an OS permission dialog satisfies the rule, or whether a separate screen is required. Until the FTC addresses this, the safer implementation is a dedicated screen that precedes the OS prompt.
Verifiable Parental Consent Methods — What "Verification" Actually Requires
Sending a compliant direct notice is only the first step. After the notice, the operator must obtain verifiable parental consent (VPC) before collecting, using, or disclosing personal information from children. The 2025 amendments added three new approved methods, bringing the total to eight — but not all methods are available to every operator.
Tier 1: Available to all operators regardless of third-party data sharing
- Signed consent form returned by postal mail, fax, or electronic scan.
- Credit or debit card transaction in connection with a purchase, which provides notification to the primary account holder.
- Toll-free telephone number staffed by trained personnel.
- Video conference with trained personnel.
- Government-issued photo ID verified against a reliable database, with prompt deletion of the ID after verification.
- Knowledge-based authentication (KBA) — New in 2025. Requires dynamic, multiple-choice questions where the answer options and difficulty level are specifically designed so that a child age 12 or younger in the parent's household could not reasonably determine the answers. Standard trivia or simple household questions do not satisfy this threshold.
- Facial recognition with human review — New in 2025. An image of the parent's face is matched against a verified government-issued photo ID, confirmed by trained personnel.
Tier 2: Available only to operators who do not share child data with third parties
- Email-plus — Consent by email followed by a confirmatory follow-up email, or followed by obtaining a postal address or phone number and confirming by letter or call. Available only to operators who do not disclose children's personal information to any third party. Covered in full in the email-plus section below.
- Text-plus — New in 2025. Mirrors email-plus using SMS. The same no-third-party-disclosure limitation applies.
What is not yet approved. Facial age estimation technology — which analyzes facial geometry to estimate whether a user is an adult without requiring a government-issued ID — was not approved as a VPC method in the 2025 amendments. In early 2026 the FTC issued a policy statement permitting operators to collect biometric data for age-verification purposes under specific conditions, but facial age estimation as a standalone VPC mechanism remains pending formal approval. Do not build a compliance program around it.
The EdTech school-authorization exception. Schools may consent on behalf of parents for educational technology services, but only where the operator: (1) provides the school the same COPPA-required notice it would otherwise provide to a parent; (2) uses child data solely for the benefit of the school with no commercial purpose; and (3) makes no disclosures for advertising, marketing, or AI training. The FTC did not codify this exception in the 2025 amendments — it remains guidance-level, not regulatory text — and it does not cover commercial data uses under any interpretation.
What Operators Get Wrong — Common Direct Notice Failures
The FTC's COPPA enforcement record traces a consistent set of failures. These are not edge cases — they are patterns that appear across companies ranging from gaming startups to enterprise platforms. Each one has produced a civil penalty.
1. No notice at all. The most common violation is the most straightforward. WW International and its Kurbo app made no attempt to provide direct notice to parents through the app until November 2019 — despite operating a children-directed service for years. The FTC found the violation independently actionable. Settlement: $1.5 million, plus deletion of all illegally collected data and any algorithms derived from it.
2. Burying the notice behind a link chain. Kurbo's eventual attempt at compliance failed on its own terms: parents who signed children up on the website were shown information about data collection only if they clicked a hyperlink buried in a string of other links. The FTC found the notice was not "clear" and "complete" and was not directly provided to parents. "Clear and prominent" means the link must stand out through visual differentiation — larger font, different color, contrasting background. A fine-print link at the bottom of a page, or a link indistinguishable from adjacent links, does not satisfy the standard.
3. Relying on a privacy policy instead of a direct notice. Google and YouTube paid a record $170 million penalty specifically for failing to notify parents before collecting persistent identifiers from viewers of child-directed channels — even though both companies maintained detailed privacy policies. The FTC treats each failure as an independent violation. Having a privacy policy does not substitute for a direct notice sent to parents.
4. Failing to disclose third-party SDK collection. Apitor Technology collected geolocation data through its app with no parental consent prompt during download or registration, and did not notify parents that a third party was collecting location information from children. The FTC specifically cited the absence of notice about third-party collection as a distinct violation. If your app includes any third-party analytics, advertising, or AI SDK, that collection must be disclosed in your direct notice — not just in your privacy policy.
5. Treating non-compliance as low-priority risk. Epic Games paid $275 million — the largest penalty ever obtained for violating an FTC rule — in part because for more than two years it took no steps to comply with COPPA's notice, consent, or parental rights requirements. At $53,088 per violation per day, prolonged non-compliance on a large-scale platform produces a penalty calculation that no operator can afford. HoYoverse paid $20 million in 2025 for the same pattern: collecting personal data from children under 13 without adequate notice and verifiable parental consent.
6. Failing to update notice when practices change. The 2025 amendments require operators to name specific third-party recipients. Any operator whose data practices have evolved — new analytics provider, new AI integration, new advertising partner — must update its direct notice before that new sharing begins. Stale notice language is non-compliant notice language.
The Email-Plus Consent Method — When It Works and When It Doesn't
Email-plus is COPPA's lowest-friction verifiable parental consent method. Before deciding whether to build your consent flow around it, there is one threshold question that eliminates most EdTech apps from eligibility: Does your operator share children's personal information with any third party? If yes, email-plus is not available to you.
The email-plus method is available only to operators that do not disclose children's personal information to third parties. The rationale, stated explicitly in the rule, is that email carries a higher risk that a child will impersonate their parent compared to stronger verification methods — and that risk is acceptable only when the harm from fraudulent consent is limited because no third party receives the data. If your app shares any child data with any external service — analytics provider, advertising SDK, AI vendor, or any other service that receives information originating from children — you cannot use email-plus.
Most EdTech applications that use any third-party SDK are disqualified by default. The 2025 amendments made this worse for operators relying on AI analytics: disclosures of children's personal information for AI training or development are explicitly not "integral" to any website or online service, meaning an operator sharing student data with a third-party AI vendor cannot use email-plus for that consent. It must use one of the Tier 1 methods — signed form, credit card transaction, toll-free number, video conference, government ID verification, or knowledge-based authentication.
For the operators who do qualify, email-plus requires two components:
- The initial consent email — Sent to the parent with the full direct notice disclosures and a consent mechanism.
- A "plus" confirmation step — Either: (a) a confirmatory follow-up email sent to the parent after receipt of consent; or (b) obtaining the parent's postal address or telephone number and confirming consent by letter or phone call.
One obligation that operators implementing email-plus routinely miss: the method requires that you notify the parent they can revoke any consent given in response to the initial email. That revocation notice is a separate content requirement — not implied, not covered by a general cancellation policy, and not satisfied by including a generic unsubscribe link. It must be explicit.
The 2025 amendments added a text-plus method that mirrors email-plus using SMS, with the same no-third-party-disclosure limitation. If you are disqualified from email-plus, you are equally disqualified from text-plus. The email-plus method itself was not changed by the 2025 amendments — the core two-step structure and the no-third-party rule remain exactly as they were.
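As an added, constructed example (not code from the page, the firm, or any regulator), the following Python module models the gate an EdTech app would place in front of each just-in-time collection event described above: it refuses to proceed unless a complete direct notice preceded consent, the VPC method is one this operator may use (email-plus and text-plus only without third-party disclosure), the plus step and revocation notice were completed, and any AI-training disclosure has its own separate consent. The element tags, method names, dataclass shapes and integer event clock are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    SIGNED_FORM = "signed_form"
    CARD_TRANSACTION = "card_transaction"
    TOLL_FREE_CALL = "toll_free_call"
    VIDEO_CONFERENCE = "video_conference"
    GOVERNMENT_ID = "government_id"
    KBA = "kba"
    FACIAL_MATCH_HUMAN_REVIEW = "facial_match_human_review"
    EMAIL_PLUS = "email_plus"
    TEXT_PLUS = "text_plus"
    FACIAL_AGE_ESTIMATION = "facial_age_estimation"  # not an approved VPC method


# Tier 1: every operator. Tier 2: only operators with no third-party disclosure.
TIER1 = {Method.SIGNED_FORM, Method.CARD_TRANSACTION, Method.TOLL_FREE_CALL,
         Method.VIDEO_CONFERENCE, Method.GOVERNMENT_ID, Method.KBA,
         Method.FACIAL_MATCH_HUMAN_REVIEW}
TIER2 = {Method.EMAIL_PLUS, Method.TEXT_PLUS}
# Element tags are constructed for this example; they follow the 312.4(b) list above.
REQUIRED_ELEMENTS = frozenset({"operator_identity", "categories_collected", "use_per_category",
    "third_party_recipients", "consent_required_and_how", "unbundling_statement",
    "deletion_commitment", "parental_rights", "privacy_policy_link"})


@dataclass
class Operator:
    shares_with_third_parties: bool  # any external SDK or vendor receives child data
    shares_for_ai_training: bool     # subset: disclosure for AI training/development


@dataclass
class DirectNotice:
    elements: frozenset              # element tags actually present in the notice
    delivered_at: int                # constructed event clock (monotonic integer)
    discloses_ai_sharing: bool = False


@dataclass
class Consent:
    method: Method
    given_at: int
    covers_ai_sharing: bool = False  # separate consent for the AI-training disclosure
    plus_step_done: bool = True      # email-plus / text-plus confirmation step
    revocation_notice_sent: bool = True


def method_allowed(op: Operator, method: Method) -> bool:
    """Tier 1 is always available; Tier 2 only if no third party receives child data."""
    return method in TIER1 or (method in TIER2 and not op.shares_with_third_parties)


def collection_blockers(op: Operator, notice, consent, collect_at: int) -> list:
    """Reasons a collection event must not proceed (empty = allowed); notice/consent may be None."""
    if notice is None:
        return ["no direct notice delivered before collection"]
    problems = []
    missing = sorted(REQUIRED_ELEMENTS - notice.elements)
    if missing:
        problems.append("notice missing elements: " + ", ".join(missing))
    if op.shares_for_ai_training and not notice.discloses_ai_sharing:
        problems.append("AI-training disclosure absent from notice")
    if consent is None:
        return problems + ["no verifiable parental consent"]
    if not notice.delivered_at < consent.given_at <= collect_at:
        problems.append("consent must follow the notice and precede collection")
    if not method_allowed(op, consent.method):
        problems.append(consent.method.value + " not available to this operator")
    if consent.method in TIER2 and not (consent.plus_step_done and consent.revocation_notice_sent):
        problems.append("plus step: confirmation and revocation notice both required")
    if op.shares_for_ai_training and not consent.covers_ai_sharing:
        problems.append("separate consent for AI-training disclosure missing")
    return problems
```

Call `collection_blockers` at the moment the UI is about to request a new data category, and only proceed to the OS permission prompt when it returns an empty list.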
Direct Notice Drafting Checklist — What Your Notice Must Contain
No FTC model notice template exists. The agency's compliance guides do not contain annotated example language for the post-2025 direct notice, and no regulatory body has published a reference draft. What follows is the firm's practitioner checklist, built directly from the regulatory text, the 2025 amendments, and the enforcement record. Every item must appear within the four corners of the notice itself — you cannot satisfy any of these requirements through a link to a separate document.
- Operator identity and contact information
Full legal name, physical mailing address, telephone number, and email address. Common error: listing only a website URL or a "contact us" link.
- Categories of personal information to be collected
List each category separately. Include biometric identifiers and government-issued identifiers if your app collects them. Common error: a single catch-all phrase like "account information and usage data."
- How the operator intends to use each category
State the purpose for each data type, not just what is collected. Common error: omitting use entirely, or stating only "to provide our services."
- Third-party recipients: identities or specific categories, and purpose for each disclosure
Name the third party or describe its category with specificity (e.g., "learning analytics provider," "cloud infrastructure provider"). State why each disclosure is made. Common error: generic language like "trusted partners" without identification.
- AI vendor disclosure (required for most EdTech apps)
If any third party receives children's data for AI training or development, this must be stated explicitly. The FTC has established that such disclosure is never "integral" to the service and always requires separate consent. Model language: "We share your child's [specific data categories] with [Vendor Name / AI analytics providers]. This data is used to train and improve AI-based learning tools. This sharing is not necessary to use our core service. You may consent to our data collection without consenting to this AI-vendor sharing." Common error: describing AI features without disclosing the third-party data flow.
- That consent is required and how to provide it
Identify the VPC method and walk the parent through the steps. Common error: saying consent is required without explaining the mechanism.
- Consent-unbundling statement
Explicitly state that parents may consent to collection and internal use without consenting to third-party disclosure (unless that disclosure is integral to the service). Common error: treating consent as all-or-nothing.
- Deletion commitment
State that if the parent does not consent within a reasonable time, the operator will delete the parent's and child's contact information. Common error: omitting this entirely.
- Parental rights statement
Inform parents they may review the personal information collected from their child, direct the operator to delete it, and refuse further collection — without losing access to the core service. Common error: generic privacy rights language that does not address each right separately.
- Link to the full online privacy policy
Required by the amended rule even though the direct notice must be complete on its own. Common error: treating the policy link as sufficient and omitting substantive notice content.
Plain language is mandatory. 16 CFR § 312.4 requires the notice to be "clearly and understandably written" and to contain no confusing or contradictory materials. The FTC reviews notices for whether an ordinary parent could understand the data practices described — not whether a lawyer could defend them. If your notice was drafted for legal defensibility rather than for a parent reading it on a phone, rewrite it.
Progressive disclosure is permitted. The 2025 amendments confirm that operators may use expandable sections or within-notice hyperlinks to manage length, provided all required content remains inside the notice flow. A two-screen notice that opens an expandable section for third-party disclosures satisfies the four-corners requirement. A two-screen notice where the second screen is a separate website does not.
School-authorization scenario. If your EdTech product relies on school-authorization consent rather than individual parent consent, the same required disclosures apply — you must provide the school the equivalent of the direct notice you would otherwise provide to a parent, and the school must act as the parent's agent with full knowledge of your data practices. The commercial-use prohibition applies in full: if your product shares student data with a third-party AI vendor for any purpose, school-authorization consent does not cover that disclosure.
Promise Legal drafts COPPA direct notices, verifiable parental consent flows, and privacy documentation for EdTech operators. Schedule a consult to get compliant.