Filed under: Data Rights, Children's Privacy, Regulatory Enforcement
On 22 April 2026, the compliance deadline for the Federal Trade Commission's amended Children's Online Privacy Protection Rule arrives. The amendments, published in April 2025 and effective since June 2025, represent the most substantial revision to COPPA in over a decade. From this month, every operator of a website or online service directed at children, or that knowingly collects personal information from children under 13, must demonstrate full compliance with the new requirements.
The timing is not incidental. The updated rule arrives alongside more than 20 state level youth privacy and online safety laws that have taken effect or are due to take effect across 2026. Children's data is now treated as high risk data by regulators across the United States, requiring formal governance, documented safeguards and demonstrable controls across the data lifecycle.
What changes
The amended COPPA Rule expands the definition of personal information to include biometric identifiers: fingerprints, retina patterns, iris patterns, genetic data, voiceprints, gait patterns, facial templates and faceprints. It also brings government issued identifiers, such as state identification card numbers and birth certificate numbers, within scope for the first time.
The most consequential change concerns targeted advertising. Operators will now need to obtain separate verifiable parental consent before disclosing children's personal information to third parties for advertising purposes. This is a departure from the previous framework, under which a single blanket consent could cover multiple data uses. The FTC has drawn a clear line: monetising children's data through targeted advertising requires its own, distinct authorisation.
Data retention requirements have also tightened. Operators may no longer retain children's personal information indefinitely. They must establish, implement and maintain a written data retention policy specifying the purposes for collection, the specific business need for retention and a timeline for deletion.
The enforcement landscape
The FTC can impose civil penalties of up to 53,088 dollars per violation. For operators with large user bases, the arithmetic is severe. Each instance of non compliant data collection from a child constitutes a separate violation.
Is the real risk the fine itself, or the signal it sends about how regulators now view the relationship between platforms and their youngest users?
The amended rule also strengthens Safe Harbor programme requirements. Approved programmes must now publicly disclose their membership lists and submit periodic reports to the FTC, including annual disclosures of disciplinary actions against member operators. The transparency requirement converts self regulatory bodies from shields into instruments of accountability.
Mixed audiences and the definitional question
The amendments introduce a formal definition of "mixed audience" websites and services. A mixed audience service is one directed at children but that does not target children as its primary audience and does not collect personal information from any visitor before collecting age information. This definition matters because it determines which platforms can rely on age gating mechanisms and which must treat all users as potentially under 13.
For platforms that serve both adults and children, the practical implication is that age verification must precede data collection. The order of operations is no longer optional.
Opinion: The Architecture of Consent
COPPA was enacted in 1998, when children's internet use was mediated almost entirely by desktop computers in shared family spaces. The 2026 amendments arrive in a world where children carry internet connected devices in their pockets, interact with AI chatbots, stream video through algorithmically curated feeds, and generate biometric data through face filters and voice assistants.
The FTC's amendments are an attempt to update a consent architecture that was designed for a fundamentally different technological environment. The expansion to biometric data, the separation of advertising consent from general consent, and the requirement for written retention policies all point in the same direction: the regulator is trying to impose structural constraints on systems that were not designed with structural constraints in mind.
The question is whether consent, even enhanced and separated and documented, is adequate to the task. Parental consent assumes that parents understand what they are consenting to and that the systems processing their children's data will operate within the boundaries described at the point of consent. Both assumptions are increasingly difficult to sustain.
Sources
Federal Trade Commission, Children's Online Privacy Protection Rule, Final Rule Amendments, published 22 April 2025, compliance deadline 22 April 2026
Federal Register, 16 CFR Part 312, "Children's Online Privacy Protection Rule"
