The New COPPA Rules: What Every Parent Needs to Know
- Greg Wright
- May 24
Updated: May 25

The biggest update to children's online privacy law in over a decade is now in effect. Here's what changed, what it means for your family, and what you can do right now.
If your child uses apps, plays games online, or streams videos, there's a federal law working behind the scenes to protect their data. It's called COPPA — the Children's Online Privacy Protection Act — and it just got its most significant overhaul since 2013. The updated rules took effect last year, and companies were required to be fully compliant by April 22, 2026.
That deadline has passed. So what changed, and does it actually matter for your family?
The short answer: yes. And here's why.
What COPPA Does (and Why It Matters)
COPPA has been around since 2000. Its core purpose is to prevent websites and apps from collecting personal information from children under 13 without a parent's knowledge and consent. Before these updates, the law had a solid foundation but significant gaps — gaps that tech companies had learned to exploit as the digital landscape evolved far beyond what legislators in 2000 could have imagined.
Think about how different the internet was in 2013, the last time COPPA was updated. TikTok didn't exist. AI-generated recommendations weren't embedded in every kids' app. The average child wasn't carrying a smartphone with a face scanner. The FTC recognized these gaps and spent years developing a response. In January 2025, the final amendments were announced. By April 2026, companies had to comply.
The 4 Biggest Changes
Companies Now Need Your Explicit "Yes" Before Targeting Your Child with Ads
This is the headline change. Under the old rules, companies could share your child's data with third-party advertisers as long as they'd obtained general parental consent somewhere in their terms of service — often buried in fine print. Under the new rules, that's no longer legal.
If an app or website wants to disclose your child's personal information to a third-party company for targeted advertising or other commercial purposes, they must obtain separate, explicit opt-in consent from you as the parent. Not buried in a 40-page privacy policy. A clear, standalone ask.
This is meaningful. Targeted advertising to children is a multi-billion-dollar industry, and it has historically relied on parents not fully understanding that their consent to "use the app" was also consent to let advertisers build behavioral profiles on their kids.
Your Child's Data Can No Longer Be Kept Forever
Under the old rule, companies had vague obligations around data retention. Under the new rule, companies can only keep children's personal information for as long as is "reasonably necessary" to fulfill the specific purpose for which it was collected. They cannot retain it indefinitely.
In plain English: if an app collects your child's name and email to create an account, it can't hold onto that data forever "just in case." Once the purpose is fulfilled — or once your child (or you) deletes the account — that data must go.
This matters because data that sits on corporate servers is data that can be hacked, sold, or misused years later.
Biometrics Are Now Legally Considered Personal Information
The updated definition of "personal information" under COPPA now explicitly includes biometric identifiers: fingerprints, facial recognition templates, voiceprints, retina and iris patterns, gait patterns, and genetic data. Government-issued identifiers are also included.
This expansion was long overdue. Many kids' apps use voice recognition, some games use facial detection, and educational tools increasingly incorporate biometric engagement tracking. Under the old rules, this data existed in a legal gray zone. Now it's clearly covered — meaning apps must get verifiable parental consent before collecting any of it from kids under 13.
Safer, More Modern Ways to Verify Parental Consent
The rules also expanded what counts as acceptable "verifiable parental consent." Previously, the methods were limited and cumbersome. Now they include knowledge-based authentication (dynamic questions that a child would be unlikely to answer correctly), submission of a government-issued photo ID, and text-message-based verification with a follow-up confirmation step.
This matters because consent is only meaningful if the verification actually works. Better verification methods make it harder for children to impersonate their parents and give the consent requirements real teeth.
What Didn't Change (and Why That's Worth Noting)
The FTC considered — but decided against — two other proposals. First, they did not finalize restrictions on push notifications directed at children, though the agency stated it "remains concerned" about engagement techniques that keep kids online in ways that could harm their mental health. Second, they did not adopt new rules specifically targeting educational technology companies that operate in school settings.
These omissions are worth flagging. Push notifications are a primary driver of screen addiction in children, and edtech apps collect some of the most sensitive data on kids of any category of software. The FTC left the door open on both fronts, but parents shouldn't assume protections exist where the law hasn't yet acted.
What This Doesn't Cover
COPPA applies to children under 13. Teenagers get essentially no equivalent federal protection. A 14-year-old on Instagram, TikTok, or Snapchat has the same legal data rights as an adult. Several states — including California, Texas, and Illinois — have passed their own laws offering broader protections, but there's no comprehensive federal framework for teens.
Also critical: COPPA applies to apps and websites that are directed at children or that have actual knowledge they're collecting data from children. Platforms routinely claim they don't know their users are under 13 and set their minimum age at 13 to sidestep the law — even when their content is clearly designed for younger audiences.
What You Can Do Right Now
Audit the apps on your child's device. Check privacy settings on every app. Look for parental consent settings, data deletion options, and targeted advertising toggles. Many apps now have dedicated parent dashboards.
Opt out of targeted advertising wherever possible. Even where companies ask for consent, they may default to "opted in." Look for ad personalization settings and switch them off.
Request data deletion. Under COPPA, you have the right to request that a company delete your child's personal information. Many apps have a process for this in their privacy settings or via a dedicated email address.
Check app ratings critically. An app rated "4+" in the App Store isn't automatically COPPA-compliant. Look for apps that specifically advertise COPPA compliance or that are enrolled in FTC-approved Safe Harbor programs.
Talk to your kids. Even young children can understand that apps collect information about them, and that some of that information is used to show them ads. Building this awareness early is one of the most powerful tools you have.
The Bottom Line
The updated COPPA rules are a genuine step forward. They close real loopholes, expand what counts as protected data, and — most significantly — require companies to ask your permission before targeting your child with ads. That's a meaningful shift in the default.
But the law is only as strong as its enforcement, and there are still significant gaps, particularly for teenagers and for edtech. The rules set a floor, not a ceiling. As a parent, you still need to stay engaged, read the fine print, and make active choices — not just assume that "the government has it covered."
The first generation growing up with AI deserves better than that. You're already ahead of the curve by knowing these rules exist.
Sources: FTC Press Release, January 16, 2025; Federal Register, April 22, 2025 (16 CFR Part 312)



