COPPA Compliance
for Reef Remix, LLC
Everything every team member, brand ambassador, and content creator at Reef Remix, LLC needs to know to protect children, protect the company, and stay on the right side of US federal law.
What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a US federal law that controls how companies collect, use, and share personal information from children under the age of 13. It was first enacted in 1998 and updated most recently in April 2025 with significant new rules that affect any brand in the children's space.
COPPA is enforced by the Federal Trade Commission (FTC). It applies to any website, app, or online service that is either directed at children under 13, or that knowingly collects data from children under 13 — even if the site is aimed at all ages.
US Federal Law
COPPA applies to US-based companies and to any company that targets US children — including non-US companies.
Under 13
The protected age group is children under 13. Federal COPPA focuses specifically on under-13s.
"Knowingly" Matters
If you have any reason to believe a user is under 13, COPPA kicks in. Ignorance is not a defence if warning signs were ignored.
Just Updated
The 2025 amendments took effect June 23, 2025. Full compliance is required by April 22, 2026. Some old guidance is now legally insufficient.
Real Cases. Real Fines. Real Consequences.
These are not hypothetical scenarios. Every case resulted in actual fines paid, court orders signed, and in some cases individuals personally named in federal complaints. The FTC collected over $600 million in COPPA penalties between 2019 and 2025 — and enforcement is accelerating.
| Company | Year | What They Did Wrong | Penalty | Source |
|---|---|---|---|---|
| Epic Games (Fortnite) | 2022 | Collected personal information from children without notifying parents or obtaining consent. Made it deliberately difficult for parents to delete their children's data. Children were automatically matchmade with strangers in voice chat. | $275 million. Largest COPPA fine in history at the time. | FTC v. Epic Games, Feb 2023 |
| Google / YouTube | 2019 | YouTube collected personal data from children watching child-directed videos without parental consent. Used that data to serve targeted ads. Paid content creators more for child-directed content, creating a financial incentive to target kids. | $170 million. FTC + NY Attorney General joint action. | FTC / NYAG, 2019 |
| Microsoft (Xbox) | 2023 | Collected personal information from children who created Xbox accounts without notifying parents or obtaining verifiable parental consent. Retained children's data longer than necessary even when consent was never granted. | $20 million, plus mandatory 10-year compliance program | FTC v. Microsoft, June 2023 |
| Disney | 2025 | Failed to correctly label child-directed videos on YouTube. Collected children's personal data without parental notice or consent. | $10 million, plus mandatory 10-year audience review program | FTC v. Disney, Dec 2025 |
| Cognosphere (Genshin Impact) | 2025 | Unfairly marketed loot boxes to children and teens. Failed to notify parents or obtain verifiable parental consent before collecting personal information from children under 13. | $20 million | FTC v. Cognosphere, Jan 2025 |
| TikTok / ByteDance | Ongoing — filed 2024 | Knowingly allowed millions of children under 13 on the platform for years. Failed to honour parents' deletion requests. Built profiles on children even in "Kids Mode." Had already paid $5.7M in a 2019 COPPA settlement and repeated the violations anyway. | Up to $51,744 per violation per day. Total exposure: potentially billions. Case ongoing. | DOJ v. ByteDance, Aug 2024 |
| Amazon (Alexa) | 2023 | Retained children's voice recordings indefinitely — even when parents requested deletion — and used them to train Alexa's speech recognition algorithm. Violated COPPA's data retention requirements. | $25 million, plus mandatory deletion of wrongfully retained data | FTC v. Amazon, July 2023 |
| NGL Labs (anonymous messaging app) | 2024 | Marketed anonymous messaging app to children and teens. The two co-founders were personally named in the FTC complaint — not just the company. | Founders personally banned from offering services to minors | FTC v. NGL Labs, July 2024 |
Who COPPA Covers — and Why That Includes You
COPPA covers "operators" — the companies running websites and online services. But it also affects every person who works on behalf of that company, because your actions online can create legal liability for Reef Remix, LLC.
Reef Remix is a "mixed audience" site — one that serves both children and adults (parents). The 2025 rules created a formal definition for this category.
| Audience Type | COPPA Applies? | What That Means |
|---|---|---|
| Children's site (primary audience is under 13) | Yes — fully | All COPPA rules apply to every user by default |
| Mixed audience site (Reef Remix — serves kids + parents) | Yes — for under-13 users | Must age-screen before collecting data; COPPA rules apply once a user is identified as under 13 |
| General audience site (not directed at children) | Only if you knowingly collect from a child | Still applies if you have actual knowledge you're dealing with a child under 13 |
For social media team members and brand ambassadors specifically: When you post content, respond to comments, collect DMs, run giveaways, or gather any information on behalf of Reef Remix — you are acting as an extension of the company. If a child under 13 participates and data is collected without consent, that is a COPPA issue regardless of which platform you're on.
What Counts as "Personal Information"
Under COPPA, "personal information" is broader than most people assume. The 2025 amendments expanded the definition further.
| Type of Information | Examples | New in 2025? |
|---|---|---|
| Name | First name, last name, nickname | No — existing |
| Contact information | Email, phone number, home address, social media username | Mobile numbers added in 2025 |
| Location data | Precise GPS location, IP address linked to physical location | No — existing |
| Persistent identifiers | Cookies, device IDs, ad tracking IDs | No — existing |
| Photos, videos, audio | Any image or recording that could identify the child | No — existing |
| Biometric identifiers | Fingerprints, face templates, voiceprints, retina patterns | ✅ New 2025 |
| Government identifiers | Social Security number, passport, birth certificate number | ✅ New 2025 |
For Reef Remix's daily operations, the most relevant categories are names, email addresses, and any data entered into AI-powered features in the app. Every data collection touchpoint must have proper consent in place before under-13 data is collected.
Parental Consent — The Core of COPPA
Before any personal information is collected from a child under 13, a parent or legal guardian must give verifiable parental consent (VPC). This means consent that can actually be verified — a child clicking "I agree" on behalf of their parent does not count.
Valid Consent Methods
Signed consent form sent/returned via post or fax; credit card verification; video call with parent; knowledge-based authentication; parent email with follow-up confirmation loop.
Not Valid Consent
Child clicking a checkbox. Parent's name typed by the child. A general terms of service agreement. An age gate that just asks "Are you over 13?" with no verification.
Separate Consent for Sharing
New in 2025: if you want to share a child's data with a third party (e.g. for ads or analytics), you need a separate consent for that — the original consent doesn't cover it.
Right to Delete
Parents can request deletion of their child's data at any time. You must honour this request. You must also tell parents this right exists in your privacy notice.
For Reef Remix specifically: parent accounts own all data. Children never create their own accounts. If a family member under 13 wants to use any data-collecting feature, the parent account must have completed verifiable consent first.
A 10-year-old sees our content on social media. A post asks followers to comment their email to enter a giveaway. The child comments with their email address.
✅ Correct action: Do not record or use that email. Reply (without using their name publicly) to let them know a parent needs to enter for them, and direct them to our official entry method which requires parent consent. Delete the comment email from any records immediately.
Data Retention — New 2025 Rules
One of the most significant 2025 changes is the strict new data retention requirement. Previously, retention was vague guidance. Now it is a hard legal obligation.
1. Children's data may only be kept for as long as is reasonably necessary for the specific purpose it was collected.
2. You must have a written retention policy stating why data is kept, the business need, and when it will be deleted.
3. That written policy must be published in your public-facing privacy notice.
Indefinite retention of children's data is now explicitly illegal. The FTC has specifically called out AI model training as an area where indefinite data retention from children is not acceptable.
| Data Type | Why Collected | Retention Limit |
|---|---|---|
| Parent email (subscription) | Account management | Duration of subscription + reasonable post-cancellation window, then delete unless new consent obtained |
| Age bracket selection | Serve age-appropriate content | Active subscription only — not retained after account deletion |
| Playback/usage data | Resume content, improve experience | Active subscription period only — deleted on cancellation on request |
| Family profile data | Right Now personalisation | Active account only — full deletion available to parent on demand at any time |
AI Features & Technology — Special Risks
AI-powered features are specifically on the FTC's radar in the 2025 updates. Reef Remix's Right Now engine uses contextual data to surface relevant content — and we've designed it correctly — but every team member needs to understand the risks so nothing accidentally undermines that protection.
Reef Remix's Right Now engine is designed correctly: family context (age tiers, situation) is used in real time to match content — it is not used to build behavioral profiles of individual children or feed into any model training pipeline. The content matching is context-based, not behavior-based. This is the legally correct design per our Architecture & Principles.
✅ Do This
- Use AI features that match context without storing child-level behavioral data
- Clearly disclose to parents what information powers the Right Now engine
- Verify any third-party API provider's data retention policy before integrating
- Route all data collection through the parent account, never directly from the child
- Age-gate all features — family profile is set by parent, not child
❌ Never Do This
- Log individual child interaction data in any database without explicit parental consent for that purpose
- Use a third-party AI tool with a child-facing feature without checking their COPPA/data policy
- Use children's interactions to train, improve, or fine-tune any AI model
- Let children under 13 create profiles or accounts without going through the parent consent flow
- Add analytics tracking to child-facing features without verifying consent coverage
Social Media Rules for the Reef Remix Team
Social media is where COPPA violations are most likely to happen accidentally. Here are the specific situations the Reef Remix social team will encounter and exactly how to handle them.
We run a "win a Reef Remix subscription" giveaway. A child who appears to be under 13 enters by commenting with their email or DMing us personal details.
✅ Do not record or use any personal data from the child. Ask a parent to enter on their behalf via our official form, which requires parent consent. Do not publicly call out the child's age or details.
A parent posts a photo of their young child enjoying a Reef Remix song and tags our brand. It's perfect for our Instagram. Can we repost it?
✅ Contact the parent (not the child) via DM to request explicit written permission to repost the image. Confirm in writing that they are the parent/guardian and consent to their child's image being used in our marketing. Screenshot and save that consent. Only then repost.
A child DMs our account saying they love the songs and asks a question. They mention they're 9 years old.
✅ You may respond to the question in a general, helpful way. Do not ask for any personal information. Do not add them to any list. Keep responses warm but brief, and suggest they show our website to their parent/guardian.
We're at a family expo. Kids are interacting with Reef Remix content and their parents are photographing them. We want to capture this for our socials.
✅ Before filming or photographing any identifiable child for brand use, obtain written parental consent on the spot. Keep a consent form (physical or digital) available at all events. Do not post any image where a child is clearly identifiable without confirmed written parental consent on file.
Brand Ambassadors — Your Specific Obligations
If you are a brand ambassador, affiliate, or influencer who creates content featuring or promoting Reef Remix, LLC, COPPA obligations travel with the brand. Your audience, your platform settings, and your content choices all matter.
Know Your Audience
If a significant portion of your audience is under 13, any data collection in partnership with Reef Remix (giveaways, competitions, email captures) must follow COPPA consent rules for that audience segment.
Disclose the Partnership
FTC rules require you to clearly disclose paid partnerships. Failure to disclose is a separate FTC violation on top of any COPPA issues. Always use #ad or #sponsored.
No Direct Data Collection
Never collect email addresses, personal information, or contest entries from followers on behalf of Reef Remix without our official consent form in place. Direct all entries to our official channel.
Children in Your Content
If you feature your own children or other children using Reef Remix products, you are responsible for ensuring their image is used with full parental consent — written consent from other parents.
What to Do If Something Goes Wrong
No system is perfect. If you suspect a COPPA violation has occurred — or is about to — here is what to do:
Step 1: Stop
Immediately cease whatever activity may have created the issue. Do not delete anything yet — that could be evidence tampering. Stop collecting, stop posting, stop the process.
Step 2: Report
Contact your manager or Reese immediately. Do not try to quietly fix it yourself. Report what happened, when, and what data may have been affected.
Step 3: Document
Write down exactly what happened, what you saw, and what actions you took. Date and time it. This documentation protects both you and Reef Remix, LLC.
Step 4: Legal Review
Depending on severity, we may need to consult a lawyer. Do not issue any public statements or contact affected families without legal guidance.
The FTC Six-Step Compliance Plan
The Federal Trade Commission publishes an official six-step compliance plan for businesses. Questions 16 through 20 in the quiz are drawn directly from this framework. Read each step carefully before attempting the quiz.
Step 1 — Determine If COPPA Applies
Before anything else, assess whether your site or service collects personal information from children under 13. If your site is directed at children or you have actual knowledge users are under 13, COPPA applies. You cannot comply with a law you haven't confirmed applies to you.
Step 2 — Post a Compliant Privacy Policy
Your privacy policy must clearly state: (1) the name and contact details of every operator collecting data, (2) what personal information is collected, (3) how it is used and disclosed, and (4) parents' rights — including the right to review, correct, and delete their child's data.
Step 3 — Notify Parents Directly
Before collecting any personal information from a child, you must provide direct notice to the parent — not the child — describing your data practices. This notice must happen before collection begins, not during or after.
Step 4 — Obtain Verifiable Parental Consent
Valid methods include: credit card verification, knowledge-based authentication, signed consent form, or video call with trained staff. A child clicking a checkbox for their parent is never valid. A ToS agreement is never valid consent.
Step 5 — Honour Parents' Ongoing Rights
After initial consent, parents retain the right to: review data collected from their child, correct inaccurate data, request complete deletion, and revoke consent at any time. You must have a clear, working process for these requests.
Step 6 — Implement Data Security
Take reasonable steps to protect the security, confidentiality, and integrity of children's personal information. This includes using reputable service providers, limiting data retention to what is necessary, and having a documented breach response plan.
🛡️ COPPA Compliance Quiz
Answer all 20 questions. You need 100% to pass and receive your Reef Remix, LLC COPPA certificate. Review the lessons, then attempt the quiz. Unlimited attempts.