COPPA Compliance in 2026: New FTC Rules, April Deadline, and What Your Business Must Do

What Is COPPA Compliance?

The Children's Online Privacy Protection Act (COPPA) is a federal law that protects children under 13 from having their personal information collected online without parental consent. If your website, app, or online service collects data from children — or is directed at children — you must comply with COPPA and its implementing rule, enforced by the Federal Trade Commission (FTC).

In 2025, the FTC published the most significant amendments to the COPPA Rule since 2013. These changes take effect with a compliance deadline of April 22, 2026 — less than a month away. If you handle children's data in any capacity, now is the time to act.

What Changed: Key 2026 COPPA Rule Amendments

1. Expanded Definition of Personal Information

The amended rule adds several new categories to the definition of "personal information" that is protected under COPPA:

• Biometric data — fingerprints, face scans/templates, voiceprints, and DNA
• Government-issued identifiers — Social Security numbers, passport numbers
• Phone numbers — now explicitly covered (previously only email addresses were listed)
• Audio recordings — voice recordings containing a child's voice
• Precise geolocation data — street-level location information

If your service collects any of these data types from users who may be under 13, you are now subject to the full COPPA consent and notice requirements for that data. This is especially relevant for apps using voice assistants, facial recognition, or location services. See our guide on sensitive data under state privacy laws for how state laws layer additional protections on top of COPPA.

2. Separate Consent for Third-Party Sharing

One of the most impactful changes: companies must now obtain separate parental consent before sharing children's personal information with third parties for advertising or AI model training purposes. This means:

• A parent can consent to your collection and use of their child's data without consenting to you sharing it with advertisers or data brokers
• Blanket consent that bundles collection with third-party sharing is no longer sufficient
• AI and machine learning companies that train models on children's data must obtain specific consent for that purpose

3. Enhanced Direct Notice Requirements

The "direct notice" you send to parents before collecting children's information must now include:

• The identities of all third-party recipients of the child's information
• The specific categories of data shared with each recipient
• The purposes for each disclosure
• A clear statement that parents can consent to collection/use without consenting to third-party disclosure

4. Mandatory Data Retention Policies

The amended rule bans indefinite data retention for children's information. You must now:

• Establish, implement, and maintain a written data retention policy
• Describe the purposes for which children's data is collected
• Set a specific timeframe for when the data will be deleted
• Publish the data retention policy in your online privacy notice

5. New Parental Consent Methods

The FTC has approved additional methods for obtaining verifiable parental consent:

• Text message verification — parents can now consent via SMS
• Knowledge-based authentication — security questions based on the parent's identity
• Existing methods remain valid: signed consent form, credit card verification, government ID check, video call

6. Strengthened Vendor Oversight

You are now explicitly responsible for how third-party vendors and service providers handle children's data that you share with them. This means contractual obligations, auditing, and oversight of downstream data practices.

COPPA Compliance Checklist for April 2026

Use this checklist to prepare for the April 22, 2026 compliance deadline:

Step	Action	Details
1	Audit data collection	Identify all points where your service collects personal information from users under 13, including the newly covered categories (biometrics, geolocation, audio, phone numbers)
2	Update privacy notice	Your COPPA-specific notice must list all third-party recipients by name, the categories of data shared, and the purpose of each disclosure
3	Implement separate consent flows	Create distinct consent mechanisms: one for data collection/use, another for third-party sharing (especially for ads and AI training)
4	Write a data retention policy	Document what children's data you collect, why, and when you will delete it. Publish this policy in your online privacy notice
5	Review vendor contracts	Ensure all third-party vendors handling children's data have COPPA-compliant agreements in place. Audit their practices
6	Update consent mechanisms	Consider adding text message or knowledge-based authentication as new parental consent options alongside existing methods
7	Train your team	Ensure developers, product managers, and customer support staff understand the new requirements
8	Test and document	Run through the entire consent-to-deletion lifecycle. Document compliance for potential FTC inquiries

Who Must Comply With COPPA?

COPPA applies to two categories of businesses:

• Operators of websites or online services directed to children under 13 — if your service is designed for or marketed to kids, you must comply regardless of whether you know the user's age
• Operators with actual knowledge of collecting information from children under 13 — even general-audience services must comply once they learn a user is under 13

This includes websites, mobile apps, IoT devices, voice assistants, gaming platforms, educational technology, and any service accessible to children online. Use our Privacy Law Calculator to check which federal and state privacy laws apply to your business.

COPPA vs. State Children's Privacy Laws

COPPA sets the federal floor, but several states have enacted additional children's privacy protections that go further:

• California — the California Age-Appropriate Design Code Act (CAADCA) requires data protection impact assessments for products likely accessed by children and mandates default high-privacy settings for minors
• Maryland — the Maryland Kids Code requires default privacy settings for children on social media, prohibits collecting minors' precise location, and requires DPIAs for children's products
• Nebraska and Vermont — have enacted age-appropriate design code laws with additional protections

Many of the 20+ comprehensive state privacy laws also include heightened protections for children's data, typically requiring opt-in consent before processing personal information of children under 13 (and in some cases, under 16 or 18). Check our sensitive data guide for details on each state's approach.

COPPA 2.0: What's Coming Next?

On March 5, 2026, the U.S. Senate unanimously passed the Children and Teens' Online Privacy Protection Act (COPPA 2.0, S.836). If enacted, it would:

• Extend COPPA protections to teens under age 17 (currently limited to under 13)
• Ban targeted advertising directed at minors
• Create an "Eraser Button" giving minors the right to delete their data
• Strengthen FTC enforcement powers and increase penalties

The bill still needs to pass the House and be signed by the President, but the unanimous Senate vote signals strong bipartisan support. Businesses should begin preparing for potential teen-focused privacy requirements now.

Penalties for COPPA Violations

The FTC can impose civil penalties of up to $53,088 per violation (adjusted annually for inflation). Recent high-profile COPPA enforcement actions demonstrate the FTC's willingness to pursue significant penalties. The FTC's Division of Privacy and Identity Protection has signaled that enforcing the updated COPPA Rule is a key priority for 2026.

Beyond federal penalties, California and other states with children's privacy laws can bring separate enforcement actions under their state statutes, potentially compounding the financial risk. See our penalties and fines guide for more details.

Frequently Asked Questions

Does COPPA apply to my business if I don't target children?

Yes, if you have "actual knowledge" that you are collecting personal information from users under 13. General-audience websites and apps must comply once they become aware a user is a child. Some businesses implement age gates or age verification to manage this risk.

What is the compliance deadline for the new COPPA rules?

April 22, 2026. The FTC published the amended COPPA Rule on April 22, 2025, with an effective date of June 23, 2025, and a one-year compliance deadline. After April 22, 2026, the FTC can bring enforcement actions for violations of the new requirements.

How does COPPA interact with state privacy laws like the CCPA?

COPPA is a federal law and sets a nationwide floor for children's online privacy. State laws like the CCPA/CPRA can add additional requirements on top of COPPA. For example, CCPA requires businesses to honor opt-out signals (including GPC) for consumers of all ages, and provides additional rights for minors aged 13-16. Businesses must comply with both COPPA and any applicable state laws.

Do the new rules affect educational technology (EdTech) companies?

Yes. EdTech companies that collect personal information from students under 13 must comply with the updated COPPA Rule, including the new biometric data protections, data retention requirements, and third-party disclosure rules. The school authorization exception still applies, but the requirements around it have been tightened. FERPA compliance does not exempt you from COPPA.

What should I do if I discover I've been collecting children's data without COPPA compliance?

Stop the non-compliant collection immediately, delete any improperly collected data, implement proper consent mechanisms, and consult with legal counsel about potential self-reporting to the FTC. Proactive remediation can be a mitigating factor in enforcement proceedings.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.