The Federal Trade Commission’s amended Children’s Online Privacy Protection Rule takes full effect on April 22, 2026. For operators of websites, apps, and online services directed at children under 13 — or that knowingly collect personal information from children — that date is not an aspirational target. It is a hard compliance deadline after which the FTC’s enforcement authority over non-compliant operators is fully activated.

The updated rule, published in the Federal Register on April 22, 2025 with an effective date of June 23, 2025 and a compliance date of April 22, 2026, represents the most significant overhaul of COPPA’s implementing regulations since the original rule was revised in 2013. The changes were driven by more than a decade of technological evolution — the rise of connected devices, biometric data collection, algorithmic personalization, and the widespread use of children’s platforms as data pipelines feeding third-party advertising networks.

Operators who have not completed their compliance implementations need to move this week.


What Changed: The Five Major Amendments

1. Biometric Identifiers Are Now Personal Information

The updated rule expands the definition of “personal information” under COPPA to explicitly include biometric identifiers — fingerprints, retina scans, facial geometry, voice prints, and other physiological or behavioral characteristics that can be used to identify a specific individual.

This change has broad implications for any platform using facial recognition for login, voice recognition for commands, or behavioral biometrics for fraud detection. If your service collects any of these identifiers from users who may be under 13, that collection now triggers the full suite of COPPA parental consent and data protection obligations.

EdTech platforms that use facial monitoring for attention tracking or test proctoring are directly in scope, as are gaming platforms with voice chat that records children and fitness apps that collect movement or physiological data. All of these must now audit their data collection against the expanded personal information definition.

2. Separate Parental Consent for Third-Party Disclosures

Previously, COPPA required verifiable parental consent before collecting personal information from children. The updated rule adds a new consent layer: operators must now obtain separate verifiable parental consent before disclosing children’s personal information to third parties for purposes that are not “integral” to the core service.

This is the provision that most directly disrupts the behavioral advertising model that has funded free children’s services for years. Sharing children’s data with ad networks, analytics providers, and data brokers for targeting purposes is not integral to operating a children’s app — it is a monetization model. Under the updated rule, doing so requires a standalone parental consent that is clearly distinguishable from consent to the service itself.

The FTC’s guidance makes clear that bundling this consent into general terms of service will not satisfy the separate consent requirement. It must be presented distinctly, explained clearly, and obtained affirmatively.

3. Mandatory Written Information Security Program

Operators subject to COPPA must now establish, implement, and maintain a written information security program (WISP) that includes:

  • Administrative, technical, and physical safeguards appropriate to the size, complexity, and sensitivity of children’s personal information collected
  • Reasonable procedures to select and retain service providers capable of maintaining appropriate security
  • Written contracts with service providers requiring them to implement and maintain appropriate security measures

This requirement formalizes an obligation that was previously implied under COPPA’s general security requirement. The shift to a written, documented program is significant: it creates an auditable artifact that the FTC can request during an investigation, and it creates accountability for operators to demonstrate that security measures were actually designed and implemented rather than assumed.

4. Written Data Retention Policies

Operators must now maintain a written data retention policy specifying:

  • The purposes for which each category of children’s personal information is collected
  • The length of time each category will be retained
  • The criteria used to determine retention periods
  • The deletion procedures applied when data is no longer necessary

COPPA has always required that personal information be deleted when no longer needed for the purpose for which it was collected. The updated rule requires that these determinations be documented in writing and applied systematically — not made ad hoc when a deletion request arrives.

The practical implication: if you cannot articulate in writing why you are retaining a specific category of children’s data and for how long, you likely should not be retaining it.

5. Enhanced Safe Harbor Program Requirements

FTC-approved COPPA safe harbor programs — industry self-regulatory organizations that have received FTC approval to administer COPPA compliance for their member operators — face new transparency requirements. Safe harbor programs must now publish their assessment criteria, make their membership lists publicly available, and submit to more rigorous FTC review.

For operators currently relying on safe harbor program membership as part of their compliance strategy, verify that your safe harbor program has updated its program requirements to reflect the new rule and that your practices align with the updated program standards.


Scope: Who Is Covered

COPPA applies to:

Operators directed to children: Websites, apps, and online services whose primary audience is children under 13. Determining whether a service is “directed to children” requires assessing subject matter, visual content, animated characters, music, celebrities popular with children, and advertising that targets children.

Operators with actual knowledge: Services not primarily directed to children but that have actual knowledge they are collecting personal information from a child under 13. This includes general audience platforms where children have registered or where the operator has received information — through a parent complaint, an age verification flag, or other signal — that a specific user is under 13.

Mixed audience services: Services directed to both children and general audiences. The updated rule provides more detailed guidance on mixed audience services, allowing operators to age-screen users and apply COPPA protections only to verified children — but the age-screening mechanism must be robust enough to be meaningful.


Enforcement: What Non-Compliance Costs

The FTC’s civil penalty authority for COPPA violations is tied to the Federal Civil Penalties Inflation Adjustment Act. As of 2026, each violation carries a maximum penalty of $53,088 per day per violation. In the context of a data collection practice affecting millions of children, penalties accumulate rapidly.

The FTC has consistently pursued COPPA enforcement against major platforms:

  • YouTube/Google (2019): $170 million
  • Musical.ly/TikTok (2019): $5.7 million; followed by a 2023 consent decree carrying $92.4 million in penalties and structural reforms
  • Epic Games/Fortnite (2022): $275 million — the largest COPPA penalty in FTC history at that time

Post-April 22, operators who have not implemented the updated rule’s requirements are operating in violation of an active compliance deadline. The FTC does not need to wait for a consumer complaint or a publicized breach to open an investigation. Staff examination of app stores, privacy policies, and data practices is sufficient.


Immediate Compliance Checklist

By April 22, 2026:

Data inventory and mapping:

  • Identify all personal information categories collected from children, including any biometric identifiers (facial geometry, voice prints, movement patterns)
  • Map each data category to the purpose for which it is collected
  • Identify all third parties to whom children’s data is disclosed

Consent framework:

  • Verify that verifiable parental consent mechanisms meet current FTC standards
  • Implement separate consent flows for any third-party disclosures not integral to the service
  • Remove consent bundling that combines integral service consent with advertising or analytics data sharing

Written information security program:

  • Draft and adopt a written WISP that addresses administrative, technical, and physical safeguards
  • Review and update service provider contracts to include required security obligations
  • Document the security measures in place for children’s personal information specifically

Data retention policy:

  • Draft a written data retention policy covering every category of children’s personal information
  • Define retention periods based on documented, legitimate purposes
  • Implement deletion workflows triggered when retention periods expire

Privacy notice:

  • Update your COPPA-compliant privacy notice to reflect the expanded definition of personal information
  • Ensure the notice accurately describes all third-party disclosures and the separate consent mechanism
  • Confirm the notice is clearly written and accessible to parents

Service provider management:

  • Audit existing service provider agreements for COPPA-compliant security and data handling obligations
  • Update contracts that do not include required data protection terms
  • Verify that service providers handling children’s data have their own compliant security programs

Conclusion

April 22 is not a suggestion. The FTC published the updated rule a year ago specifically to give operators time to implement — and that time expires this week. The combination of expanded personal information definitions, new separate consent requirements for third-party data sharing, and mandatory written security and retention documentation represents a structural shift in how COPPA compliance must be built and maintained.

Operators who are not yet compliant should prioritize the consent framework and written WISP as their immediate focus — those are the areas where FTC enforcement has historically concentrated, and they are the provisions most likely to surface in an investigation. Everything else in the checklist follows from getting those two right.


This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific COPPA compliance obligations.