The primary goal of COPPA is to place parents in control over what personally identifiable information (PII) is collected online from their children (under the age of 13). The Rule applies to: operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children; operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and operators that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
Generally, sites covered by the Rule must: post a clear privacy policy; give notice and obtain verifiable parental consent (with limited exceptions) before collecting PII online from children; give parents choice of consenting to the collection and use of child’s PII, but prohibit its disclosure to third parties; provide parents access to their child's PII for review, deletion and/or to prevent further use or collection; and maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.
Remember: even PII lawfully collected from a child must be retained only for as long as is necessary to fulfill the purpose for which it was collected. Then the information must be deleted in a manner that protects against its unauthorized access or use.
Resource: https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions