COPPA-Compliant User Research Guide: How to Research with Children Under 13

COPPA violations carry fines of up to $50,120 per incident. In 2023 alone, the FTC levied over $500 million in COPPA-related penalties against companies including Epic Games ($275 million) and Microsoft ($20 million). For product teams, conducting user research with children under 13 without COPPA compliance is not just an ethical failure. It is a financial and legal risk that can be avoided entirely with proper research design.

This guide is the definitive COPPA compliance reference for UX research teams. It covers when COPPA applies to your research, how to obtain verifiable parental consent, how to design research sessions that comply with data minimization requirements, and which research methods work within COPPA constraints. It is the equivalent of our HIPAA-compliant research guide for healthcare research, applied to children’s privacy.

For K-12 edtech research broadly (teacher workflows, classroom observation, administrator research), see our K-12 education research guide. For research consent best practices across all populations, see our consent guide.

Key takeaways

COPPA applies whenever your research collects personal information from children under 13 through an online service. This includes screen recordings with faces, voice recordings, usernames, device identifiers, and geolocation data
Verifiable parental consent must be obtained before any data collection begins. The FTC approves specific consent methods including signed forms, credit card transactions, video calls, and government ID verification
Schools can act as parental agents for educational-purpose research only. This pathway simplifies logistics but has strict limitations on data use
Data minimization is not optional. Collect only the minimum data needed for the research purpose. If you do not need the child’s name, do not collect it. If you do not need video of their face, do not record it
Several research methods, including Wizard of Oz, paper prototyping, and observation without recording, avoid triggering COPPA entirely because they do not collect personal information through an online service

When does COPPA apply to user research?

The COPPA trigger test

COPPA applies when ALL THREE conditions are met:

The participant is under 13 years old
The research involves an online service (website, app, connected device, or online platform)
Personal information is collected from the child through that service

If any one condition is not met, COPPA does not apply to that specific research activity. This creates legitimate pathways for research that do not trigger COPPA.

What counts as “personal information” under COPPA?

Data type	Personal information?	Common in UX research?
Child’s name	Yes	Yes (consent forms, session notes)
Email address	Yes	Sometimes (scheduling)
Physical address	Yes	Rarely
Phone number	Yes	Rarely
Screen name / username	Yes	Yes (if the child creates an account)
Photo or video of the child	Yes	Yes (session recordings)
Audio recording of the child’s voice	Yes	Yes (think-aloud, interviews)
Geolocation data	Yes	Sometimes (mobile testing)
Persistent identifier (cookie, device ID)	Yes	Yes (if using analytics platforms)
Screen recording without the child’s face	Possibly (if it captures identifiable input like username)	Yes (usability testing)

COPPA decision flowchart for research

Is the participant under 13?

No: COPPA does not apply (standard consent applies)
Yes: Continue

Does the research involve an online service?

No (paper prototype, in-person observation without digital tools): COPPA does not apply
Yes: Continue

Will you collect personal information from the child through the service?

No (anonymous observation, no recordings, no identifiers): COPPA does not apply
Yes: COPPA applies. Obtain verifiable parental consent before proceeding

The FTC requires “verifiable” parental consent, meaning the method must provide reasonable assurance that the person giving consent is actually the child’s parent or guardian.

Method	How it works	Verification level	Practical for research?
Signed consent form (physical or electronic)	Parent signs a form and returns it (mail, email scan, or e-signature with identity verification)	Medium	Yes. Most common for research. Use DocuSign or similar with email verification
Credit card transaction	Parent provides credit card information as identity verification (a small charge that is immediately refunded)	High	Less practical for research. Better for product enrollment
Government ID verification	Parent submits a government-issued ID that is verified and then deleted	High	Impractical for most research studies
Video call verification	Parent joins a brief video call where their identity is confirmed	High	Practical for small studies (5-10 participants). Too labor-intensive for large studies
Knowledge-based authentication	Parent answers security questions drawn from a consumer database	Medium	Requires integration with a verification service. More practical for products than research
Email plus (for internal operations only)	Parent provides consent via email, and the operator sends a confirmation email with a mechanism to revoke	Low (used for internal operations, not commercial disclosure)	Acceptable for low-risk research where data is used only internally and deleted promptly

Your parental consent form must include:

Section 1: Who we are

Company/organization name and contact information
Name and contact of the researcher

Section 2: What we are doing

Plain language description of the research: “We are testing how children use [product] to make it better. Your child will [description of activities] for approximately [duration]”
What your child will be asked to do (specific tasks, not vague descriptions)

Section 3: What data we collect

Specific list of all data collected: screen recordings, audio, video, mouse clicks, responses to questions
Be exhaustive. If you might record audio, say so. Do not discover mid-session that you need to record something not covered by consent

Section 4: How we use and protect the data

Purpose: “Only to improve [product]. Never for advertising or sold to third parties”
Security: “All recordings are encrypted and stored on access-controlled systems”
Retention: “Recordings will be deleted within [timeframe, e.g., 90 days] after the study”
Access: “Only [number] researchers on our team will access the recordings”

Section 5: Your rights

“You may review any data collected from your child by contacting [email]”
“You may request deletion of your child’s data at any time”
“You may revoke consent and withdraw your child from the study at any time”
“Your child will not be penalized in any way for not participating or for withdrawing”

Section 6: Consent

I consent to my child participating in this research study as described above
I consent to screen recording during the session (optional)
I consent to audio recording during the session (optional)
I consent to video recording of my child during the session (optional)

Parent/guardian name: _______________ Relationship to child: _______________ Child’s first name and age: _______________ Signature: _______________ Date: _______________

Child assent

In addition to parental consent, obtain the child’s own agreement (assent) to participate. Assent is not legally required by COPPA but is an ethical best practice and is required by most IRBs.

Assent script by age group:

Ages 5-7: “We are going to play with [product] today. I want to watch how you use it so we can make it better for kids. You can stop anytime you want. Is that okay with you?”

Ages 8-10: “We are testing [product] to make it better. I will ask you to try some things and tell me what you think. Everything you say is helpful, there are no wrong answers. You can stop at any time. Do you want to try it?”

Ages 11-12: “We are doing a research study on [product]. We will record the screen while you use it. Your parent said it is okay, but I want to make sure you are okay with it too. You can stop at any time and you do not have to answer any question you do not want to. Are you willing to participate?”

When schools can act as parental agents

Under COPPA, schools can consent on behalf of parents when:

The data collection is for an educational purpose (not commercial testing unrelated to education)
The school has a legitimate educational interest in the research
The school has policies and practices for protecting student data
The data will not be used for commercial purposes beyond the educational context

Contact the district’s technology or research coordinator. Explain the research purpose and how it serves an educational function
Provide a research brief that the school can share with parents (transparency, even when school consent is used)
Sign a data use agreement with the school/district specifying what data you collect, how you use it, and when you delete it
The school provides written consent on behalf of parents, documenting their authority to do so
Send a parent notification letter (not consent form, but information) through the school, with an opt-out mechanism for any parent who objects

Applies only to educational-purpose research. If your product is a gaming app marketed to kids, school consent does not apply
The school must verify that its own privacy policies support this consent pathway
Data collected under school consent cannot be used for commercial purposes beyond improving the educational product
If in doubt, obtain direct parental consent alongside school consent. Belt and suspenders

Research methods that minimize or avoid COPPA triggers

Methods that do not trigger COPPA

These methods do not collect personal information from children through an online service:

Method	Why COPPA does not apply	Limitations
Paper prototyping	No online service involved, no digital data collected	Cannot test digital interactions, animations, or transitions
In-person observation without recording	No personal information collected (researcher takes anonymous notes)	No video review possible. Relies on researcher’s real-time notes
Wizard of Oz (human-simulated)	If the child interacts with a simulated interface and no data is logged, no personal information is collected through an online service	Requires a human “wizard” behind the scenes. Labor-intensive
Expert review / heuristic evaluation	No children involved at all. Experts evaluate the interface against child usability heuristics	Does not capture real child behavior
Parent/caregiver proxy interview	Parent describes their child’s experience. No child data collected	Second-hand account, less reliable than direct observation

Method	COPPA trigger	Mitigation
Screen recording usability testing	Captures child’s interactions, potentially identifiable input	Parental consent. Record screen only (no webcam). Disable any input that captures names or identifying information
Think-aloud usability testing	Audio recording of child’s voice	Parental consent. Alternatively: do not record audio, have researcher take real-time notes
Video-recorded sessions	Video of child’s face and voice	Parental consent with specific video consent checkbox. Delete within stated timeframe
Online surveys	May collect identifiers depending on platform	Use anonymous surveys that do not collect email, name, or device ID. If truly anonymous, COPPA may not apply
Diary studies	If child logs entries through an online tool	Use paper-based diary entries. If digital, parental consent required
Remote unmoderated testing	Platform may collect device ID, IP address, or session identifiers	Use COPPA-compliant testing platform or do not use unmoderated testing with children under 13

How to design age-appropriate research sessions

Session design by age group

Age group	Session length	Facilitator approach	Task design	Data collection
5-7 years	10-15 minutes max	Warm, playful, patient. Use the child’s vocabulary. A familiar adult (parent or teacher) should be present	Simple, concrete tasks: “Tap the [character]” or “Find the [item].” No reading-dependent tasks. One task at a time	Observation + notes preferred. Screen recording with consent. No think-aloud (too cognitively demanding)
8-10 years	15-20 minutes	Encouraging, non-evaluative. Emphasize “no wrong answers.” Check for fatigue at 10 minutes	Tasks can involve reading. Still concrete: “Complete this level” or “Find where to start the activity.” 3-5 tasks maximum	Screen recording with consent. Simple preference questions: “Which one did you like better?“
11-12 years	20-30 minutes	Conversational, respectful of pre-teen sensitivity. Avoid talking down to them	Tasks can be more complex. Can handle 5-7 tasks. Can articulate opinions and preferences	Screen + audio recording with consent. Modified think-aloud works: “Tell me what you are thinking as you try this”

The parent-in-room question

For ages 5-7: Parent should be present. Young children are more comfortable and perform more naturally with a parent nearby. Ask the parent to sit behind or beside the child and not help unless the child becomes distressed.

For ages 8-10: Parent can be present or nearby (in the next room with the door open). Ask the child’s preference. Some 8-10 year olds perform more naturally without a parent watching.

For ages 11-12: Parent nearby but not in the room (for in-person) or not on camera (for remote). Pre-teens often perform differently when parents observe. Inform the parent they can monitor but should not be visible to the child during the session.

Facilitator training for children’s research

Researchers who work with children need skills beyond standard UX facilitation:

Comfort with silence. Children take longer to respond. Do not fill every pause
Non-leading language. “What happened?” not “Did that confuse you?” Children are highly suggestible
Distress recognition. Know the signs: withdrawal, fidgeting, looking at parent, refusing to continue. Stop immediately if the child shows distress
Neutral praise. “Thank you for trying that” not “Good job!” (which implies evaluation and changes behavior)
Exit protocol. If a child wants to stop, stop. No persuasion, no “just one more task.” Thank them and end

Data handling and retention

COPPA data minimization requirements

Principle	Research application
Collect only what you need	If you need screen interaction data, record the screen. Do not also record the child’s face “just in case”
Anonymize when possible	Use participant numbers (P1, P2), not names. Remove any identifying information from files and analysis
Retain only as long as needed	Define a retention period in your consent form (30-90 days is typical for research). Delete on schedule
Secure during retention	Encrypted storage, access controls, audit trail. Same standards as HIPAA data handling
No secondary use	Data collected for usability testing cannot be repurposed for marketing, advertising, or any purpose not covered by the consent

Data deletion protocol

After analysis is complete, review all data for identifiable information
Delete original recordings per the timeline stated in the consent form
Retain only anonymized findings (written reports, aggregated data, de-identified screenshots)
Document the deletion: what was deleted, when, by whom
If a parent requests deletion before your scheduled timeline, comply immediately

COPPA compliance checklist for research

Pre-study

Determine whether COPPA applies (age + online service + personal information)
If COPPA applies, choose a verifiable parental consent method
Draft parental consent form with all required elements
Draft child assent script appropriate for the age group
Design sessions to minimize data collection (screen-only recording, anonymous tasks)
Select COPPA-compliant tools (no tracking, no persistent identifiers)
If using school consent pathway, verify educational purpose and sign data use agreement
Train facilitators in age-appropriate research techniques
Prepare a privacy policy for the research (or adapt your existing one)

During study

Verify parental consent is on file before the child participates
Obtain child assent at the session start
Do not collect any data not covered by the consent form
If a child provides personal information unprompted (says their full name, address), note it for deletion
Monitor for child distress. Stop immediately if the child wants to stop
Do not use behavioral tracking, cookies, or analytics during the session

Post-study

Review all recordings for unintended personal information capture
Anonymize all data (replace names with IDs, blur faces if needed)
Delete original recordings per the stated retention schedule
Document deletion with dates and methods
Fulfill any parent requests for data review or deletion
Archive consent forms separately from research data (for compliance records)

Frequently asked questions

Does COPPA apply to in-person research?

COPPA specifically applies to the collection of personal information from children under 13 through online services (websites, apps, connected devices). Purely in-person research (paper prototypes, in-person observation without digital recording through an online service) does not fall under COPPA. However, if you record sessions digitally, store data in cloud services, or use online platforms, COPPA likely applies. When in doubt, obtain parental consent.

What happens if a child accidentally reveals personal information during a session?

Document the incident, redact the information from your records, and delete any recording segment containing the disclosure. Note the deletion in your compliance records. Do not include the disclosed information in your findings. If the disclosure was significant (e.g., the child shared their home address), inform the parent.

Can you test a kids’ app with adult participants instead of children?

You can test basic usability (navigation, button placement, readability) with adults, and this avoids COPPA entirely. However, adults cannot simulate children’s cognitive development, attention spans, reading ability, motor skills, or emotional responses. Adult testing catches interface problems. Child testing catches developmental mismatch problems. Both are needed. Use adult testing for early iterations, child testing for validation.

Does COPPA apply to A/B testing or analytics on a live kids’ product?

Yes, if the A/B test or analytics collect persistent identifiers (cookies, device IDs) or any other personal information from children under 13. COPPA does not distinguish between “research” and “product analytics.” If you collect personal information from children through an online service, COPPA applies. Many analytics platforms collect device IDs by default. Configure them not to, or obtain parental consent.

What is the penalty for COPPA violations in research?

COPPA violations carry civil penalties of up to $50,120 per violation (adjusted for inflation). The FTC has levied penalties ranging from thousands to hundreds of millions of dollars. For UX research, a violation would likely involve unauthorized collection of children’s data without parental consent. Beyond fines, a COPPA violation creates reputational damage that is particularly severe for companies marketing to children and families.

How does COPPA interact with FERPA for edtech research?

COPPA and FERPA can both apply when researching edtech used by children under 13 in schools. COPPA governs the collection of personal information through online services. FERPA governs student education records maintained by educational institutions. In practice: the school can provide COPPA consent as a parental agent for educational-purpose research, and FERPA requires that any student education records accessed during research are protected. Follow both: COPPA for data collection consent, FERPA for education record handling. See our K-12 research guide for the integrated approach.