COPPA Rule Amendments: FTC Begins Strict New Enforcement Phase

As of today, April 22, 2026, the digital landscape for children under the age of 13 has fundamentally shifted. The Federal Trade Commission (FTC) has officially commenced enforcement of the most sweeping COPPA rule amendments since the regulation’s last major update in 2013. This is not merely a bureaucratic adjustment; it is a full-scale structural overhaul designed to address the sophisticated data-harvesting capabilities of modern AI, augmented reality (AR), and the vast ecosystem of data brokers that have emerged over the last decade.
For years, children’s privacy advocates and regulators have warned that the original Children’s Online Privacy Protection Act (COPPA) was struggling to keep pace with “smart” toys, voice-activated assistants, and biometric-heavy mobile applications. Today’s enforcement date marks the end of the compliance “grace period” for the 2025 final rule, forcing tech giants and independent developers alike to implement “privacy by design” or face debilitating civil penalties. The COPPA rule amendments introduce unprecedented requirements for data minimization, consent segregation, and the inclusion of biometric identifiers under the legal umbrella of personal information.
Expanding the Frontier of Personal Information: The Biometric Shift
Perhaps the most significant technical change within the COPPA rule amendments is the formal expansion of the definition of “personal information.” In the pre-2026 era, COPPA primarily focused on static data points: names, physical addresses, online contact information, and persistent identifiers like cookies or IP addresses. The new enforcement regime explicitly adds biometric identifiers to this list, acknowledging that a child’s physical presence is now a primary data source for modern apps.
Under the updated § 312.2, personal information now includes any biometric identifier that can be used for the automated or semi-automated recognition of an individual. This technical expansion covers:
- Facial Templates and Faceprints: Moving beyond simple photos, the rule now covers the mathematical representations of facial features used in AR filters, facial recognition login systems, and AI-driven emotion detection.
- Voiceprints: As voice assistants become central to the “smart home,” the unique acoustic features of a child’s voice are now protected data. Even if an app does not know a child’s name, the collection of a voiceprint for speaker recognition triggers full COPPA obligations.
- Gait Patterns: Reflecting the rise of wearable fitness trackers and VR systems, the way a child moves—their unique walking rhythm or physical stance—is now classified as a biometric identifier.
- Genetic Data: Explicitly including DNA sequences and other hereditary information, ensuring that direct-to-consumer genetic services are strictly regulated when interacting with minors.
Furthermore, the amendments have closed a long-standing loophole regarding government-issued identifiers. Social Security Numbers (SSNs), state identification card numbers, birth certificate numbers, and passport numbers are now explicitly categorized as personal data. While many child-directed services did not historically collect this information, the rise of “age assurance” and “age verification” technologies has made these identifiers more common in the verification workflow, necessitating clear parental consent before they can be processed.
The Death of Bundled Consent: Segregating Third-Party Disclosures
In the previous decade, many operators utilized a “take it or leave it” approach to parental consent. When a parent provided Verifiable Parental Consent (VPC), they were often forced to agree to a bundle of permissions: the collection of data for the app’s core functionality *and* the disclosure of that data to third-party marketing partners or data brokers. The 2026 COPPA rule amendments effectively dismantle this practice.
Operators are now legally required to provide parents with a standalone choice regarding third-party disclosures. A parent must be allowed to consent to the collection and internal use of their child’s data (to make the app work) while simultaneously opting out of sharing that same data with outside entities for targeted advertising or secondary monetization. The only exception to this “segregated consent” rule is when the disclosure is “integral” to the nature of the service—for example, sharing data with a cloud provider that hosts the app’s infrastructure.
This shift is a tactical blow to the business models of many free-to-play mobile games and “ad-tech” dependent platforms. By forcing a granular opt-in for third-party sharing, the FTC is attempting to sever the pipeline that feeds children’s behavioral data into the massive, opaque systems used for behavioral profiling and predictive analytics.
Modernized VPC Methods: “Text Plus” and Beyond
To facilitate these stricter consent requirements without creating insurmountable friction, the FTC has approved modernized methods for obtaining Verifiable Parental Consent. Beyond the traditional “credit card for a nominal fee” or “signed form” methods, the 2026 enforcement allows for:
- Knowledge-Based Authentication (KBA): Utilizing dynamic, multiple-choice questions based on the parent’s financial or public record history that would be difficult for a child to answer.
- Government Photo ID Uploads: Securely capturing a parent’s ID to verify age and identity, provided the image is deleted immediately after verification.
- The “Text Plus” Method: A multi-step process where an operator sends a text message to a parent’s phone followed by a secondary confirmation (such as a phone call or a link to a secure portal) to ensure the person responding is indeed the guardian.
Mandatory Security Programs and the End of Indefinite Retention
Prior to these COPPA rule amendments, the requirement to keep children’s data “secure” was vaguely defined, often leading to lax data management practices. Today’s enforcement clarifies these obligations through the mandate of a Written Information Security Program (WISP). Operators can no longer claim they have “reasonable” security; they must prove it through a formal, documented framework.
A compliant WISP under the new COPPA regime must include:
- Designated Accountability: At least one specific employee must be appointed to coordinate and oversee the information security program.
- Annual Risk Assessments: Companies must conduct a comprehensive assessment of internal and external risks to the confidentiality and integrity of children’s data at least once a year.
- Safeguard Testing: Operators must regularly test and monitor the effectiveness of their encryption, access controls, and firewall configurations, updating them in response to newly discovered vulnerabilities.
Hand-in-hand with these security requirements is a strict new stance on data retention. The 2026 amendments prohibit the indefinite retention of children’s personal information. Data may only be kept for as long as is “reasonably necessary” to fulfill the specific purpose for which it was collected. Once that purpose is satisfied—such as a child finishing a specific game level or deleting their account—the data must be securely deleted. Crucially, companies must now publish their data retention and deletion schedules in their public-facing privacy notices. Parents are no longer left guessing how long their child’s voiceprints or facial templates will live on a server in a different jurisdiction.
The “Mixed Audience” Dilemma and Age Verification
The FTC has also sought to clarify the “Mixed Audience” designation—platforms that are not primarily directed at children but are nonetheless popular with them. Under the new enforcement guidelines, mixed-audience sites have a limited window to collect information for the sole purpose of determining a user’s age. This “age verification exception” is highly restrictive: the data collected (such as a birthdate or a face-scan for age estimation) must be used only for age verification and must be deleted immediately after the check is complete.
This reflects a broader regulatory trend toward age assurance. However, the FTC has warned that using biometric “age estimation” tools (which analyze facial features to guess a user’s age) triggers COPPA requirements if those tools store the facial data. Operators of mixed-audience sites must now navigate a razor-thin margin between verifying age to keep kids safe and accidentally violating COPPA by collecting the very biometrics used for that verification without prior consent.
Enforcement Reality: Civil Penalties and the Path Ahead
The financial stakes for non-compliance have reached record highs. Under the current adjusted rates, the FTC can seek civil penalties of over $50,000 per violation. In the context of a popular mobile app with millions of young users, a single systemic failure in consent management or data deletion could result in fines reaching into the hundreds of millions or even billions of dollars.
We have already seen the precursors to this new enforcement era. Settlements with companies like The Walt Disney Company ($10 million) and the developers of Genshin Impact ($20 million) in late 2025 demonstrated that the Commission is no longer satisfied with “warning shots.” These cases focused on the mislabeling of content and the failure to implement neutral age gates—violations that are now even easier for the FTC to prove under the clarified 2026 language.
The 2026 COPPA rule amendments signal a transition from a “notice and choice” model to a “substantive protection” model. It is no longer enough to bury a privacy policy in a link at the bottom of a page. Operators must actively minimize data collection, encrypt what they do collect, and prove to the regulator—and the parent—that they are treating children’s digital identities with the same sanctity as their physical safety. As the “Ninja Editor” of this new digital age, we see this as the beginning of a more transparent, accountable, and parent-centric internet.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


