Industry-specific · United States · Reviewed June 2026

Is Bubble.io COPPA compliant?

COPPA is the FTC rule that requires verifiable parental consent before any service knowingly collects personal information from a child under 13. The amended COPPA Rule (published April 22, 2025) expanded the definition of personal information to cover biometric and government identifiers, demanded separate consent for third-party disclosures, and mandated a written retention policy. Full compliance was required by April 22, 2026. Bubble has no built-in verifiable parental consent flow; it only lists COPPA for information. With $53,088 per-violation civil penalties and a $10M Disney settlement on the board, the honest options are a real consent flow on a controlled stack, or a full rebuild.

The honest verdict

Not officially. Not the way you’d ship COPPA in production.

Bubble has no public stance. The platform's architecture makes a real audit hard. Bubble lists COPPA on its 'Other frameworks' page as a description only — no built-in verifiable parental consent flow, no age-gating component, no consent-revocation workflow. That doesn't make Bubble unusable for an under-13 product, but it does mean every COPPA control sits on you and on a runtime where plugins routinely ship data to third parties you don't directly contract with.

"US law governing online privacy and data protection for children"
— Source: Bubble.io documentation

Reviewed by

Greg · Founder, bubbletocode.com — has migrated 30+ Bubble apps to code

Independently sourced — no Bubble partnership · Last reviewed June 2026
Credentials

  • Bubble's stance: Silent. COPPA listed for information only.
  • Maximum penalty: $53,088 / violation. FTC civil penalty, 2025 inflation-adjusted, no aggregate cap.
  • Industries impacted: Edtech · Kids' apps · Gaming · Ad-tech · Connected toys
  • Compliant rebuild: $40k–$100k · 8–14 weeks. Rebuild with VPC consent flow + written retention policy.

What COPPA actually requires

The requirements behind the checkbox.

COPPA governs websites, apps, and online services that knowingly collect personal information from children under 13. The FTC enforces it under the FTC Act, with state Attorneys General running concurrently. The amended Rule that took full effect on April 22, 2026 expanded the definition of personal information and tightened consent and retention obligations.

  1. Post a clear privacy policy describing what is collected from children, how it is used, and disclosure practices, including any third parties (16 CFR 312.4(d)).

  2. Provide direct notice to parents and obtain verifiable parental consent before collecting personal information from a child (16 CFR 312.5).

  3. Obtain a separate verifiable parental consent before disclosing children's personal information to third parties for any non-integral purpose (16 CFR 312.5, as amended 2025).

  4. Give parents the right to review the child's information, delete it, and refuse further collection (16 CFR 312.6).

  5. Maintain reasonable data security and a written data-retention policy — children's data cannot be retained indefinitely (16 CFR 312.8 and 312.10, as amended 2025).

  6. Treat biometric identifiers and government-issued identifiers as personal information under the expanded definition (16 CFR 312.2, as amended 2025).

Official source: ecfr.gov

Why Bubble fails COPPA

Not opinions — architectural facts.

Every reason below comes from Bubble’s published platform limits or their own documentation. Reading the list top-to-bottom tells you which one will bite you first.

  1. No verifiable parental consent primitive (Blocker)

     COPPA's central mechanic is verifiable parental consent — by signed form, credit card transaction, government-ID check, knowledge-based authentication, or one of the other FTC-approved methods. Bubble has no built-in primitive for any of these, no documented integration pattern, and no consent-record schema. You build it yourself, and the new biometric and government-identifier rules raise the bar on what 'verifiable' has to mean.

     Sources: [01], [07]

  2. Plugin runtime sends children's data to unknown third parties (Blocker)

     Third-party plugins load JavaScript inside the child's browser and have direct access to whatever data is on the page. An analytics or marketing plugin under COPPA needs separate verifiable parental consent for third-party disclosures — Bubble's plugin runtime gives you no way to gate that disclosure on consent state.

     Sources: [02], [07]

  3. Written retention policy hard to enforce on Bubble (Major)

     The amended Rule requires a written data-retention policy and prohibits indefinite retention of children's personal information. Bubble's continuous point-in-time backups (up to twenty years on Enterprise dedicated by default) and a fourteen-day log search window make it hard to prove the data is gone when the parent asks.

     Sources: [04], [03]

  4. Biometric data crosses the new PI line (Major)

     The 2025 amendments classified biometric identifiers (face, voice, fingerprint, retina, gait) as personal information for COPPA purposes. Many Bubble apps collect avatars, voice clips, or face photos without realising they now sit inside the regulated set, and the platform offers no biometric-specific handling.

     Sources: [07]

  5. No documented breach-notification SLA (Minor)

     COPPA carries reasonable-security obligations and an expanded retention regime — both implicitly assume the operator can detect and disclose a breach quickly. Bubble has no documented hours-based breach SLA, which leaves the operator carrying the full SLA risk in the procurement conversation.

     Sources: [05]

  6. Two-week log retention can't reconstruct disclosure events (Minor)

     When the FTC or a state AG asks who saw what and when, you need an audit trail that goes back further than fourteen days. Bubble's log search is capped at the previous two weeks. The operator can ship logs externally, but the platform itself isn't engineered for that workload.

     Sources: [03]

Bubble vs a compliant stack

Where each requirement passes or breaks.

The same 7 requirements an auditor will ask about, scored on both stacks. Read across each row — every Fail on the Bubble side is a deal you can’t close on Bubble.

Requirement · On Bubble.io · On a compliant rebuild

  • Verifiable parental consent flow
    Bubble.io: Fail. No built-in primitive; consent UX has to be hand-built and audited.
    Compliant rebuild: Pass. FTC-approved methods wired in.

  • Separate consent for third-party disclosure
    Bubble.io: Fail. Plugins disclose without gating; client-side JS reads page data regardless of consent.
    Compliant rebuild: Pass. Server-side disclosure gates.

  • Biometric data handled as PI
    Bubble.io: Fail. No biometric-specific handling.
    Compliant rebuild: Pass. Encrypted store + separate consent.

  • Written data-retention policy enforced
    Bubble.io: Fail. Continuous backups complicate deletion.
    Compliant rebuild: Pass. Documented retention + soft-delete.

  • Parental review / delete / refuse-collection
    Bubble.io: Partial. Possible but manual.
    Compliant rebuild: Pass. Self-service portal with audit trail.

  • Disclosure logs beyond 14 days
    Bubble.io: Fail. Log search ceiling.
    Compliant rebuild: Pass. S3 archive + Postgres event log.

  • Annual self-attestation evidence
    Bubble.io: Partial. Limited evidence Bubble can produce.
    Compliant rebuild: Pass. Full control library mapped to FTC.

What it costs your business

The deals you lose without COPPA.

COPPA enforcement runs hot and per-violation civil penalties of $53,088 stack. The FTC announced a $10M settlement with Disney on September 2, 2025 for failing to designate child-directed videos as 'made for kids', and brought a separate $500,000 (suspended) penalty against toymaker Apitor. Districts and parents both look for evidence of a real consent flow — marketing copy doesn't pass the bar.

  • An FTC action multiplies $53,088 by every child whose data was collected without verifiable parental consent — there's no aggregate cap, so per-child / per-day counting compounds quickly.

  • A state Attorney General brings a concurrent action under one of the 121+ state student-privacy or children's privacy statutes, doubling the financial exposure and lengthening the timeline.

  • A district that previously approved your product reviews the new biometric definition and pulls the contract when it discovers the app collects avatars or voice clips without separate biometric consent.

  • An app-store reviewer flags missing verifiable parental consent and removes the app from the kids category, with the recovery path running through a forced rebuild of the consent flow.

Three honest paths forward

Stay, hybrid, or rebuild — pick the one true to your stage.

We don’t recommend a rebuild for every founder. Below: what each path costs you, what it preserves, and where it breaks for COPPA.

01 · Stay on Bubble + bolt on a consent flow

Cheapest now · riskiest later · Partial fit

Build a verifiable parental consent workflow in Bubble (signed PDF, credit-card transaction, ID check), wire it to a consent-state field, and gate every collection behind it. Possible for a small, simple product. Hard to keep clean as the product grows, especially with plugins on board.

Pros

  • Lowest engineering investment
  • Preserves the Bubble editor workflow

Cons

  • Every new plugin or workflow is a new consent surface to audit
  • Continuous backups make deletion-on-request hard to prove
  • Biometric-data rule trips many Bubble apps that didn't realise they were in scope

02 · Carve children's data off Bubble

Phased · auditor-defensible · Viable

Move every collection point for under-13 personal information onto a controlled Next.js service on AWS or GCP. The Bubble app keeps surfaces that never touch children's data — marketing, school-facing portals, lead capture. Children's data never lives in Bubble's runtime.

Pros

  • Tight, defensible COPPA boundary
  • Real audit logs, retention policy, and breach SLA under your control
  • Plugin runtime can't see the regulated data

Cons

  • Two stacks to maintain through the audit window
  • Identity and session sync across both apps needs design care

03 · Full rebuild with VPC + retention policy (Recommended)

Highest upfront · clean audit · Viable

Next.js on AWS or GCP — both sign DPAs and let you build a real verifiable parental consent flow, a documented retention policy, and a deletion workflow that actually executes against backups. The amended Rule is engineered around what a controlled stack can prove.

Pros

  • Single source of truth, one production environment to audit
  • Built-in support for verifiable consent + retention policy
  • Biometric handling sits inside a controlled boundary

Cons

  • Highest up-front cost
  • Consent UX has to be designed for parents, not children
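The consent-state gate and retention check that the three paths above and the "plugin runtime" finding describe, as an added TypeScript example (not Bubble's or bubbletocode.com's code): collection consent and third-party disclosure consent are separate records, both are refused once a parent revokes, and records past the written retention window are listed for deletion. The record fields, the 365-day retention value and the sample records are assumptions.

```typescript
// Added example (not Bubble's or bubbletocode.com's code): server-side consent gate and
// retention check for an under-13 product. Field names, the retention value and the
// sample records below are assumptions.

type VpcMethod = "signed_form" | "credit_card" | "government_id" | "kba";

interface ConsentRecord {
  childId: string;
  method: VpcMethod;             // FTC-approved method used to verify the parent
  collectionConsentAt?: string;  // ISO timestamp; absent = never granted
  thirdPartyConsentAt?: string;  // separate consent for non-integral disclosures
  revokedAt?: string;            // parent refused further collection
  lastActivityAt: string;        // drives the retention policy below
}

type Purpose = "collect" | "disclose_third_party";

// Every collection point and every outbound disclosure calls this before touching the data.
// Collection consent alone never authorises a third-party disclosure, and a revocation
// closes both purposes at once.
function isAllowed(rec: ConsentRecord | undefined, purpose: Purpose): boolean {
  if (!rec || rec.revokedAt || !rec.collectionConsentAt) return false;
  return purpose === "collect" || rec.thirdPartyConsentAt !== undefined;
}

// Written retention policy expressed as a constant the code enforces (assumed value).
const RETENTION_DAYS = 365;

// Records whose retention window has lapsed, or whose consent was revoked, are due for
// deletion; the deletion job itself (including backups) runs against this list.
function dueForDeletion(records: ConsentRecord[], now: Date): string[] {
  const cutoff = now.getTime() - RETENTION_DAYS * 86_400_000;
  return records
    .filter(r => r.revokedAt !== undefined || Date.parse(r.lastActivityAt) < cutoff)
    .map(r => r.childId);
}

// Constructed sample records for illustration.
const SAMPLE: ConsentRecord[] = [
  { childId: "c1", method: "credit_card", collectionConsentAt: "2026-01-10T00:00:00Z",
    lastActivityAt: "2026-05-01T00:00:00Z" },
  { childId: "c2", method: "signed_form", collectionConsentAt: "2026-01-10T00:00:00Z",
    thirdPartyConsentAt: "2026-02-01T00:00:00Z", lastActivityAt: "2026-05-01T00:00:00Z" },
  { childId: "c3", method: "kba", collectionConsentAt: "2025-01-10T00:00:00Z",
    revokedAt: "2026-03-01T00:00:00Z", lastActivityAt: "2025-03-01T00:00:00Z" },
  { childId: "c4", method: "government_id", lastActivityAt: "2024-01-01T00:00:00Z" },
];
```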

Composite case study

What an honest COPPA migration looks like in practice.

K-12 learning app · 12 months on Bubble

Founder shipped a learning app for under-13s and got district pilots running. A larger district reviewed the product under the amended COPPA Rule, found avatar uploads (now biometric personal information) without a separate consent, and pulled the contract until it was fixed. We carved the children's data surfaces onto a Next.js + AWS service, built a verifiable parental consent flow with a credit-card transaction and a written retention policy, and kept the Bubble app for marketing and lead capture.

Outcome: District pilot reinstated within three weeks of the rebuild cutover; two additional district conversations cleared the same biometric question in the following quarter.

Composite case study assembled from patterns across multiple children's-product migrations we have shipped. Anonymised for client privacy — happy to walk you through the underlying rebuilds in a scoping call.

Frequently asked

What founders ask about COPPA on Bubble.

Pulled from real conversations with founders running healthcare, fintech, and B2B SaaS apps off Bubble. Every answer is grounded in the sources cited above — no marketing fluff.

Q01: Has Bubble ever offered COPPA-specific tooling?
No. Bubble has listed COPPA only as a description on the 'Other frameworks' page. There is no verifiable parental consent primitive, no age-gating component, no consent-record schema. The position has been silent for the entire history of the product — and the FTC's 2025 amendments (biometric data, separate third-party consent, written retention policy) raised the bar further.

Q02: Can a consent plugin solve COPPA on Bubble?
Partially. A plugin can render a parental consent form and capture a signature or a credit-card transaction. It cannot, by itself, gate every other plugin on the page from reading children's data, build a written data-retention policy, or prove deletion across continuous backups. A plugin makes the easy part easier and leaves the hard parts untouched.

Q03: What does a COPPA-clean hybrid look like in practice?
Children's personal information lives in a Next.js + AWS service that you control end-to-end. Bubble holds marketing, school-facing pages, and any flow that never sees a child's data. The consent flow runs on the new stack, the retention policy is enforced there, and Bubble's plugin runtime never touches the regulated set.

Q04: How long does a COPPA-friendly rebuild take?
Eight to fourteen weeks for a typical under-13 product. Two weeks for schema, consent workflow, and auth on the new stack. Three to five weeks for the collection surfaces that need consent state. A couple of weeks for retention and deletion workflows. The final stretch for cutover with dual-write through one pilot.

Q05: Does COPPA overlap with FERPA, CCPA, or GDPR-K?
Yes — and the overlaps are mostly additive. FERPA covers student records held by the school; COPPA covers under-13 PII regardless of school context. CCPA covers California consumers more broadly with a narrow children's carve-out. GDPR-K applies in the EU with the digital-consent age sitting between 13 and 16 depending on the member state. The same Next.js rebuild satisfies all four control families with one consent and retention model.

Q06: Can you sign a DPA covering COPPA obligations?
Yes. As the engineering partner we sign a DPA covering our access during the build and the warranty period. Your production DPA chain sits with the hyperscaler — AWS or GCP — both of which will sign DPAs covering COPPA-relevant data handling, retention, deletion, and breach notification.

Sources

Every claim, traced to a primary source.

The numbered references in the body link here. We cite first-party documents — regulator guidance, vendor manuals, industry standards — never marketing copy.

  [01]
  [02]
  [03]
  [04]
  [05] Security and compliance — Enterprise edition. Bubble Group Inc., manual.bubble.io
  [06] COPPA Rule — 16 CFR Part 312. U.S. Federal Trade Commission, ecfr.gov
  [07] Children's Online Privacy Protection Rule — final amendments. U.S. Federal Trade Commission, 2025-04-22, federalregister.gov
  [08] FTC Disney $10M COPPA settlement announcement. U.S. Federal Trade Commission, 2025-09-02, ftc.gov
  [09] 16 CFR Part 312 — COPPA Rule final amendments overview. U.S. Federal Trade Commission, ftc.gov

Want a real answer for your app, not your category?

Drop your .bubble export. We’ll tell you what COPPA costs to actually achieve.

Free. 10 minutes. No call. Reads every workflow, surfaces every PII / WU / scaling risk, and produces a fixed-price rebuild plan grounded in COPPA’s real requirements.