
Apr 18, 2026 · 7 min read

The FTC's Updated Children's Privacy Rule Takes Effect April 22—Here's What Changed

The biggest update to COPPA in over a decade adds biometric identifiers, mandatory security programs, and new parental consent methods. The compliance deadline is four days away.


The Deadline

On April 22, 2026, the FTC's amended COPPA Rule reaches its full compliance deadline. Every operator of a website or online service directed at children under 13, or that knowingly collects personal information from children, must comply with a significantly expanded set of requirements. There is no extension and no grace period.

The amendments were published on April 22, 2025, and took effect on June 23, 2025. Operators had a full year to prepare. But the scope of changes is broad enough that many companies are still scrambling to catch up.

Personal Information Now Includes Biometrics

The most significant change expands the definition of "personal information" to include biometric identifiers: fingerprints, handprints, retina patterns, iris patterns, genetic data, voiceprints, gait patterns, facial templates, and faceprints. Any system that uses these for automated or semi-automated recognition of an individual is now covered.

This matters because children's apps increasingly use face filters, voice assistants, and camera-based features. An AR app that maps a child's face is now collecting personal information under COPPA, even if it never asks for a name or email address. The same applies to voice-based interfaces that create voiceprints for speaker recognition.

Government-issued identifiers, including Social Security numbers, state IDs, birth certificates, and passport numbers, are also now explicitly classified as personal information under the rule.

Third-Party Sharing Requires Separate Consent

Operators can no longer bundle data collection consent with third-party disclosure consent. Parents must be given separate options to approve collection and use without automatically consenting to their child's data being shared with outside parties, unless that sharing is integral to the service itself.

Privacy notices must now identify the specific categories of third parties receiving children's data and explain the purposes of each disclosure. Vague language like "we may share data with partners" no longer meets the requirement.

Mandatory Security Programs

For the first time, COPPA now requires operators to establish, implement, and maintain a written information security program. This is not optional guidance. Operators must:

  • Designate specific personnel to manage and coordinate information security.
  • Conduct annual risk assessments evaluating internal and external threats to children's data.
  • Design safeguards matching the sensitivity and volume of data collected.
  • Continuously test and monitor those safeguards.
  • Review and update the program annually.
  • Obtain written security assurances from any third-party service providers before granting them access to children's data.

Data Cannot Be Kept Forever

The amended rule requires operators to maintain a written data retention policy that specifies what personal information is collected, why it is collected, and when it will be deleted. Indefinite retention is explicitly prohibited. Companies must securely delete children's data once it is no longer necessary for the original collection purpose.

This directly targets the common practice of collecting children's data for one stated purpose, then retaining it indefinitely for analytics, training machine learning models, or future monetization.

New Ways to Verify Parents

The amendments introduce new methods for obtaining verifiable parental consent:

  • Knowledge-based authentication: Dynamic multiple-choice questions designed to be too difficult for children under 13 to answer.
  • Government ID plus facial verification: Parents submit a government-issued photo ID, then confirm their identity via webcam or phone camera. All documents must be deleted immediately after verification.
  • Text plus confirmation: Text message consent followed by a verification call, letter, or follow-up text.

These supplement existing methods like credit card verification and email plus. The FTC explicitly noted that the facial verification data collected during the consent process must be deleted promptly and cannot be retained or repurposed.

Why This Matters Beyond Children's Apps

COPPA does not only apply to apps explicitly designed for children. Any "mixed audience" website or service that attracts both children and adults must implement age screening before collecting personal data. If a user is under 13, the full COPPA framework applies regardless of whether the service targets children.

This has implications for social media platforms, gaming services, educational tools, and any service that does not effectively age-gate its users. The broader trend toward privacy regulation at both the federal and state level is accelerating. Nineteen US states now have comprehensive data privacy laws, and the FTC's COPPA amendments signal that enforcement will intensify for companies that treat children's data carelessly.

The requirements around biometric data and mandatory security programs reflect a regulatory direction that will likely extend to adult privacy protections in coming years. Companies building compliant children's data practices now will be better positioned when those broader rules arrive.
