Compliance Guides | March 29, 2026 | 9 min read

COPPA Rule Amendments Take Effect April 22, 2026: What Is Changing and Your Compliance Checklist

The April 22, 2026 Deadline Is Here

On April 22, 2025, the Federal Trade Commission published sweeping amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). Operators were given exactly one year to comply. That deadline — April 22, 2026 — is now weeks away.

If your website, app, or online service collects personal information from children under 13 — or if you operate a “mixed audience” service where some users may be children — these amendments apply to you. The changes are substantial: the FTC has expanded the definition of personal information, added mandatory data retention limits for the first time, required separate parental consent for third-party data sharing, and introduced new parental consent verification methods.

This guide covers every key change, explains what each means for your operations, and provides a step-by-step compliance checklist. For a broader overview of the COPPA framework, see our COPPA Compliance Guide for 2026.

What Is Changing: The Seven Major Amendments

1. Expanded Definition of Personal Information

The updated COPPA Rule broadens the definition of “personal information” to include new categories of data that were not previously covered:

  • Biometric identifiers — Fingerprints, handprints, retina and iris patterns, genetic data, voiceprints, gait patterns, facial templates, and faceprints are now explicitly classified as personal information under COPPA
  • Government-issued identifiers — State identification card numbers, birth certificate numbers, and passport numbers join Social Security numbers as covered identifiers

This expansion means that any service using facial recognition, voice assistants, or fingerprint login for children under 13 now falls squarely within COPPA’s notice and consent requirements. Companies using biometric technologies face dual compliance obligations under both COPPA and state biometric privacy laws such as Illinois BIPA.

2. Mandatory Data Retention Limits

For the first time, the COPPA Rule prohibits operators from retaining children’s personal information indefinitely. The new standard:

  • Operators may retain children’s personal information only for as long as reasonably necessary to fulfill the specific, documented purpose for which it was collected
  • Once the purpose is fulfilled, the data must be deleted
  • Operators must establish and maintain written data retention policies that specify retention periods and deletion procedures

This aligns COPPA with the data retention requirements already present in several state privacy laws, particularly Maryland’s MODPA, which has the strictest data minimization standard among state laws.

3. Separate Consent for Third-Party Data Sharing

The amended Rule requires operators to obtain separate verifiable parental consent before sharing a child’s personal information with third parties. Previously, a single consent covered both collection and sharing. Now:

  • Consent for collection is separate from consent for third-party disclosure
  • The privacy notice must identify third-party recipients by name or category
  • Parents must be able to consent to collection while declining third-party sharing

This is particularly significant for ad-supported children’s services. The PlayOn Sports enforcement action ($1.1 million CPPA fine) demonstrates that sharing children’s data with advertising and analytics partners without proper consent triggers both federal and state enforcement.

4. New Privacy Notice Requirements

The updated Rule strengthens the “direct notice” that operators must provide to parents. The notice must now include:

  • A description of all categories of personal information collected, including biometric and government-issued identifiers
  • The specific purposes for each category of data collected
  • Data retention periods and deletion procedures
  • Identification of third parties by name or specific business category
  • A description of any internal use of personal information for automated decision-making or profiling

This goes beyond what most state privacy law notice requirements demand and creates the most detailed notice obligation for any US privacy regulation.

5. New Parental Consent Verification Methods

The FTC has added new approved methods for obtaining verifiable parental consent:

  • Text message verification — Operators may use SMS-based consent, provided the parent confirms their identity through a follow-up step
  • Knowledge-based authentication (KBA) — Operators can verify parental identity through challenge questions based on information in the parent’s credit history or public records
  • Facial recognition comparison — Operators may compare a photo of the parent’s government-issued ID to a live selfie, provided the images are deleted after verification

These new methods supplement existing options like credit card verification, toll-free phone calls, and signed consent forms. The FTC also retained a “sliding scale” approach where less rigorous consent methods may suffice for purely internal uses of data.

6. Mixed Audience Website Definition

The amendments introduce a formal definition for “mixed audience website or online service.” A mixed audience site is one that is directed to children but does not target children as its primary audience. Operators of mixed audience sites may collect limited personal information for age-screening purposes without first obtaining parental consent, provided:

  • The data collected is used only to determine whether the user is a child
  • If the user is identified as a child, full COPPA requirements apply before any additional collection
  • If the user is not a child, the age-screening data may be retained and used under the operator’s general privacy policy

7. Safe Harbor Program Updates

The FTC has strengthened requirements for COPPA Safe Harbor programs, which provide a compliance framework administered by industry groups. Safe Harbor programs must now conduct annual comprehensive reviews of participating members, rather than periodic spot checks. Programs that fail to meet the updated standards risk losing their FTC approval.

Who Is Affected?

These amendments apply to any operator of a website or online service that:

  • Is directed at children under 13 (determined by subject matter, visual content, age of models, language, advertising, and similar factors)
  • Has actual knowledge that it collects personal information from children under 13
  • Has actual knowledge that another entity (such as an advertising partner) collects personal information through its service from children under 13
  • Operates a mixed audience site where some users may be under 13

Key industries affected include EdTech, gaming, social media, streaming services, educational apps, and any ad-supported platform with a young user base. If you are unsure whether your business falls under COPPA, use our Privacy Law Calculator to check your compliance obligations.

Enforcement Context: The FTC Is Watching

The FTC has repeatedly signaled that children’s privacy is a top enforcement priority for 2026. Recent enforcement actions underscore this focus:

  • PlayOn Sports (March 2026) — $1.1 million CalPrivacy fine for sharing student data with advertising partners without proper consent. This state-level action complements federal COPPA enforcement.
  • Multiple FTC COPPA actions in 2025 — The FTC resolved several COPPA cases throughout 2025, establishing precedent for the expanded enforcement that the new amendments enable.

Companies that are not compliant by April 22 face civil penalties of up to $53,088 per violation. Given the FTC’s pattern of calculating penalties per child and per day of non-compliance, a single enforcement action can easily reach millions of dollars.

Compliance Checklist: 10 Steps Before April 22

Use this checklist to prepare your organization for the updated COPPA Rule. Each step addresses a specific requirement from the amendments:

  1. Audit your data inventory for new PI categories — Check whether your service collects biometric identifiers (facial data, voice recordings, fingerprints) or government-issued identifiers from children. If so, these are now covered by COPPA’s consent requirements even if they were not previously.
  2. Create a written data retention policy — Document the specific purpose for each category of children’s data you collect, set a maximum retention period tied to that purpose, and establish deletion procedures. See our data retention guide for a framework you can adapt.
  3. Separate your consent flows — Implement a consent mechanism that allows parents to consent to data collection while separately consenting to (or declining) third-party sharing. A single “I agree to everything” checkbox is no longer compliant.
  4. Update your privacy notice — Revise your COPPA-required direct notice to include the new required disclosures: all PI categories including biometric and government IDs, specific purposes for each category, retention periods, third-party recipients by name or category, and any automated decision-making uses.
  5. Audit your third-party data sharing — List every third party that receives children’s personal information from your service. For each, document what data they receive and why. Prepare to name them in your privacy notice and to obtain separate consent for the sharing.
  6. Disable unauthorized advertising tracking — If you cannot obtain separate consent for sharing children’s data with advertising partners, disable all advertising-related tracking, pixels, and SDKs for authenticated child users. The Disney and PlayOn enforcement actions show that advertising-related data sharing is the highest-risk activity.
  7. Implement or update age-screening — If you operate a mixed audience site, implement an age-screening mechanism that determines whether a user is under 13 before collecting personal information beyond what is needed for the screen. Document how your age gate works and what happens when a child is identified.
  8. Review your parental consent method — Verify that your consent verification method meets the updated standards. If you want to adopt one of the new methods (text message, KBA, or facial recognition comparison), ensure you have the technical infrastructure in place. Remember that facial recognition images must be deleted immediately after verification.
  9. Conduct a data protection assessment — While not strictly required by COPPA itself, a data protection impact assessment for your children’s data processing is strongly recommended and may be required by applicable state laws. Document the risks, benefits, and safeguards for each processing activity involving children’s data.
  10. Train your team — Ensure that product managers, developers, data analysts, and customer support staff understand the new requirements. Document your training program — the FTC considers the existence of a compliance training program as a factor in enforcement decisions.

How State Privacy Laws Interact with the New COPPA Rule

COPPA compliance alone does not satisfy state privacy law obligations. Many state comprehensive privacy laws include additional requirements for processing children’s data:

  • California (CCPA/CPRA) — Requires opt-in consent before selling or sharing personal information of consumers under 16 (not just under 13). The CPPA has shown willingness to enforce against children’s data violations, as the PlayOn case demonstrates.
  • Connecticut (CTDPA) — Requires a data protection assessment for processing children’s data and prohibits targeted advertising to children. The 2026 SB 4 amendments strengthen children’s privacy protections further.
  • Maryland (MODPA) — Among the strictest state laws: prohibits selling children’s data entirely and requires data minimization for all processing. Enforcement begins April 1, 2026 — weeks before the COPPA deadline.
  • Oregon (OCPA) — Includes specific protections for children’s data and bans the sale of precise geolocation data without consent.

For businesses operating across multiple states, compliance requires meeting the most protective standard across all applicable laws. Use our state comparison tool to evaluate your obligations.

Frequently Asked Questions

When exactly do the COPPA amendments take effect?

The amendments were published in the Federal Register on April 22, 2025, and became effective on June 23, 2025 (60 days after publication). However, the FTC provided a one-year compliance window for operators to update their practices. The compliance deadline is April 22, 2026. After that date, the FTC may take enforcement action against operators that have not updated their practices to meet the new requirements.

Does the updated COPPA Rule apply to schools?

COPPA applies to the operators of websites and online services, not directly to schools. However, schools that authorize EdTech vendors to collect student data may consent on behalf of parents under COPPA’s “school consent” provision — but only for school-authorized educational purposes. The updated Rule does not change this framework, but the separate consent requirement for third-party sharing means schools must understand what data is being shared and with whom before consenting. See our FERPA vs COPPA guide for more on this interaction.

What happens if I miss the April 22 deadline?

The FTC can bring enforcement actions with civil penalties of up to $53,088 per violation. In practice, the FTC calculates penalties based on the number of children affected and the duration of the violation. Large-scale violations have resulted in penalties exceeding $100 million (as in the Epic Games/Fortnite case). The FTC has also increasingly sought injunctive relief requiring companies to delete improperly collected data and implement comprehensive privacy programs.

Do the new data retention limits apply to data collected before April 22?

Yes. The data retention requirements apply to all children’s personal information held by the operator as of the compliance date, regardless of when it was collected. If you are storing children’s data that has already served its original collection purpose, you should delete it before the deadline to avoid potential enforcement risk.

Can I still use a single consent form for collection and sharing?

No. The amended Rule requires separate verifiable parental consent for (1) collecting personal information and (2) disclosing it to third parties. Parents must be able to consent to collection while refusing third-party sharing. A single checkbox or signature covering both activities is no longer compliant.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.