All insights
Regulatory TrackerJuly 3, 2026 6 min read

The 2025 COPPA Amendments: What Changed, Who It Reaches, and the April 2026 Compliance Deadline

The FTC's overhaul of the children's privacy rule expanded what counts as personal information and added a separate consent gate for advertising. The full compliance deadline has now passed.

Risk intelligence, not legal advice. The patterns below are indicators that have appeared in real litigation or enforcement — not proof of a violation, and not a substitute for counsel.

The Children's Online Privacy Protection Act rule had not seen a substantial overhaul in more than a decade. That changed in 2025. The FTC published amended COPPA Rule provisions in the Federal Register on April 22, 2025; the amendments became effective June 23, 2025, with a general compliance deadline of April 22, 2026. As of this writing that deadline has passed, which moves these provisions from "coming soon" to operative.

This tracker summarizes what changed, who it reaches, and the behaviors worth checking now. It is risk intelligence, not legal advice, and the rule's finer points will be shaped by enforcement over the coming year.

What changed

The amendments are evolutionary in structure but meaningful in scope. The most consequential changes:

  • A broader definition of personal information. The rule now expressly includes biometric identifiers — face templates, fingerprints, retina scans, and voiceprints — as well as government-issued identifiers. This sweeps newer data types squarely into COPPA's consent and handling requirements.
  • A separate consent gate for non-integral disclosures. Operators must now obtain separate verifiable parental consent before disclosing a child's personal information for purposes that are not integral to the service — most notably third-party and targeted advertising. Bundling ad-related sharing into a single blanket consent is the pattern this provision targets.
  • A written data retention policy. Operators must maintain a written policy that specifies retention periods; indefinite retention "just in case" is no longer defensible. Data must not be kept longer than reasonably necessary for the purpose collected.
  • A written information security program. The rule now requires a documented security program with safeguards appropriate to the sensitivity of children's data.
  • New consent mechanisms. The FTC approved additional verifiable-parental-consent methods, including text-message-based consent and knowledge-based authentication, reflecting how parents actually communicate.
  • Tighter Safe Harbor transparency. FTC-approved Safe Harbor programs face additional disclosure and reporting expectations.

Who it reaches

COPPA applies to operators of websites and online services directed to children under 13, and to operators with actual knowledge they are collecting personal information from under-13 users. The practical reach is wider than "kids' sites." A general-audience service can fall within scope through actual knowledge, and the expanded personal-information definition means features like voice interfaces or biometric logins can pull a service into the analysis it might previously have avoided.

Mixed-audience services — those with both child and adult users — remain the hardest cases, and the consent-gating change makes the advertising configuration on those services a focal point.

What is contested or still developing

Several questions will be answered by enforcement rather than text. The boundary of what counts as "integral" to a service — and therefore exempt from the separate advertising-consent gate — leaves room for interpretation. The interaction between COPPA and state children's privacy laws, including age-appropriate-design statutes, adds overlapping obligations that do not always align. And the FTC has signaled that children's privacy is an enforcement priority, which raises the stakes on how aggressively the new provisions are read. Expect the contours to firm up over the next several quarters.

Practical signals to check now

Much of COPPA compliance is documentary and internal, but several elements are observable in how a service behaves:

  • Whether advertising and analytics trackers fire on child-directed pages before any verifiable parental consent.
  • Whether third-party advertising SDKs or pixels are present on services that are child-directed or mixed-audience.
  • What identifiers leave the page — including newly-covered categories like voiceprints or device identifiers tied to children.
  • Whether the consent flow distinguishes integral functionality from advertising-related sharing, rather than bundling them.
  • Whether a written retention policy and security program exist and are reflected in actual data practices.

A scan cannot read your retention policy or confirm a parent's age verification, but it can show which trackers load on a given page and what they transmit — the starting point for checking whether a child-directed surface is sharing data in ways the amended rule now treats as requiring separate consent. Running a scan of the relevant pages is a fast way to see what is actually firing.

[Before/after diagram: a single bundled consent vs. a separate verifiable-parental-consent gate for advertising disclosures]

Sources

See what your own pages do

The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.

Run a free scan

Keep reading