
The COPPA Compliance Deadline Has Passed. Is Your Business Protected?

April 22, 2026 was the final compliance deadline for the FTC's updated Children's Online Privacy Protection Rule. If your business operates a website, app, or online service that could reach children under 13, the enforcement window is now open. There is no grace period. There is no cure period for most violations. The FTC does not need a consumer complaint to open an investigation.

This guide pulls together everything small and mid-size businesses need to understand: what changed in the updated rule, who it actually applies to, what the new requirements demand, and what to do right now if you are not yet compliant. If you want to understand the broader case for why privacy compliance matters for your business, that context is worth reading alongside this.

Enforcement is active. The updated COPPA Rule took effect June 23, 2025. The full compliance deadline was April 22, 2026. Businesses operating in violation after this date face civil penalties of up to $53,088 per violation per day, assessed by a court under FTC authority.

What COPPA Is and Why It Applies to More Businesses Than You Think

The Children's Online Privacy Protection Act was enacted in 1998. The FTC's implementing rule, first issued in 2000 and last updated in 2013, requires operators of websites and online services to obtain verifiable parental consent before collecting personal information from children under 13. The 2026 update is the first major revision in over a decade.

COPPA applies in two situations. First, if your website or service is directed to children. Second, if you have actual knowledge that you are collecting personal information from children. The "directed to children" test uses multiple factors: the subject matter of your content, the visual presentation, the use of animated characters or child-friendly music, the age of models or influencers you feature, and the composition of your actual audience based on analytics.

This second category catches businesses off guard most often. A pediatric dental practice, a tutoring platform, a youth sports registration system, a summer camp website, or any service that collects contact information without age screening can be covered if children can access and use it. The FTC does not require that children be your intended audience. It only requires that they be part of your actual audience.

A common mistake is assuming that a terms of service clause stating "you must be 13 or older to use this site" provides protection. It does not. If children are using your service, that clause is not enforcement. You need active age screening and, where children are present, parental consent before any data collection occurs.

What Changed in the Updated Rule

The 2026 rule represents the most significant expansion of COPPA's requirements since 2013. Below is a factually accurate summary of what was adopted. Note that some provisions proposed in the original 2024 rulemaking were specifically declined by the FTC.

Separate Parental Consent for Third-Party Data Sharing

Under the old rule, a single general parental consent covered data collection and sharing. The updated rule requires separate, specific parental consent before disclosing children's personal information to third parties for targeted advertising or other non-essential purposes. General consent bundled into your privacy policy or terms of service does not satisfy this requirement. The consent must be specific, clearly explained, and obtained before the disclosure occurs. This has significant implications for businesses using advertising platforms, tracking pixels, or analytics tools that receive children's data.

Stricter Data Retention Limits

The old rule allowed indefinite retention of children's data with vague guidance. The updated rule is explicit: you may only retain children's personal information for as long as it is reasonably necessary to fulfill the purpose for which it was collected. You must have a defined retention policy, and you must actually delete the data when it is no longer needed. Over-retention is now a standalone COPPA violation, not just a secondary concern.

Expanded Definition of Personal Information

The updated rule expands what counts as personal information subject to COPPA protections. Biometric identifiers (fingerprints, facial recognition data, voiceprints) and government-issued identifiers are now explicitly included. Mobile telephone numbers are included within the definition of online contact information when used to send text messages to parents. This matters for businesses using biometric authentication, age verification, or any system that captures physical identifiers from users.

New "Mixed Audience" Definition

The FTC formalized a long-standing concept with a new defined term: "mixed audience website or online service." These are services directed to a general audience but where children are a known portion of that audience. The definition does not expand the scope of COPPA but provides clearer operational guidance for how operators must implement age screening and tiered consent. If your service has a mixed audience, you must implement a mechanism to identify child users and apply appropriate protections before collecting their data.

Written Information Security Program Required

Operators covered by COPPA must now maintain a written information security program that includes administrative, technical, and physical safeguards appropriate to the sensitivity of children's personal information they collect. This requirement also extends to written contracts with service providers requiring those providers to implement appropriate security measures. A verbal understanding or standard vendor agreement without data security provisions no longer suffices.

What Was Not Adopted

The FTC proposed but specifically declined to adopt amendments related to push notifications and engagement-enhancing techniques. The final rule does not include new consent requirements for push notifications to children. The FTC reaffirmed it will address deceptive engagement practices through Section 5 of the FTC Act, but those are not new COPPA requirements.

Who Is Covered: A Practical Test

Before reviewing your compliance posture, confirm whether COPPA applies to your business. Run through these questions honestly.

If you answered yes to any of these, COPPA compliance requires your attention. The FTC applies these criteria strictly, and the updated rule adds marketing materials and similar websites as additional factors the FTC will consider when determining whether a service is directed to children. This is new in the 2026 update.

The Parental Consent Standard

If your business collects personal information from children under 13, you must obtain verifiable parental consent before collection begins. The "email plus" method that was widely used under the old rule (send a notification email, assume consent unless the parent objects) has been eliminated for most purposes under the updated rule's heightened consent standards.

Acceptable consent methods under the current rule include digital signatures, video conferencing with trained staff, consent forms submitted by credit card, and other methods the FTC approves as providing reasonable assurance that the person giving consent is actually the parent. You must also provide parents with a clear description of what personal information you intend to collect, how you will use it, and whether you will disclose it to third parties.

Separately, and this is new in 2026, you must obtain a distinct, specific consent before sharing children's data with third parties for advertising or other non-essential purposes. That is a second consent on top of the initial collection consent, and it must be clearly distinguished from general terms and conditions.

Age Verification: What the FTC Actually Requires

The FTC requires that age screening mechanisms be neutral. This means the design of your age gate cannot encourage or guide users toward providing a particular answer. Dropdown menus that default to an age above 13, screens that frame the age question in a way that leads users to provide older ages to access content, or any design that makes it easier to get through the gate by providing a false age all fail the neutrality test.

Neutral age screening collects accurate information without prejudging the outcome. You ask for a birth date or confirm an age range, and the system responds appropriately based on the answer. Age gates are not just for entertainment platforms. Any service that collects personal data and could reach children needs a mechanism to identify child users before data collection begins.
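The screening and consent rules described above, as an added example that is not part of the original article: a server-side gate that takes the birth date the user typed (no pre-filled default), refuses to treat a missing or impossible answer as "adult", and keeps the collection consent separate from the third-party disclosure consent. The function names, the `YYYY-MM-DD` input format and the consent record shape are assumptions made for this illustration.

```javascript
// Added example: names and the consent record shape are hypothetical.
const CHILD_AGE_LIMIT = 13; // the article: children under 13

// Strictly parse "YYYY-MM-DD"; null for missing, malformed or impossible dates.
function parseDate(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(text || "");
  if (!m) return null;
  const [y, mo, d] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC silently rolls 2015-02-30 over to March, so compare the parts back.
  const same = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
  return same ? { y, mo, d } : null;
}

// Whole years completed on `today`; the birthday itself counts as completed.
function ageOn(birth, today) {
  const hadBirthday = today.mo > birth.mo || (today.mo === birth.mo && today.d >= birth.d);
  return today.y - birth.y - (hadBirthday ? 0 : 1);
}

// Decide what a submission may trigger. `consent` is the stored result of a
// verifiable parental consent flow: { collection, thirdPartySharing }.
// Only the child-specific rules from the article are modelled here.
function gate(birthDateText, todayText, consent = {}) {
  const birth = parseDate(birthDateText);
  const today = parseDate(todayText);
  const age = birth && today ? ageOn(birth, today) : -1;
  if (age < 0) {
    // No answer, bad answer or future date: never fall back to "adult".
    return { mayCollect: false, mayDisclose: false, reason: "age_unknown" };
  }
  if (age >= CHILD_AGE_LIMIT) {
    return { mayCollect: true, mayDisclose: true, reason: "not_child" };
  }
  const mayCollect = consent.collection === true;
  // Disclosure for advertising or other non-essential purposes needs its own
  // consent on top of the collection consent.
  const mayDisclose = mayCollect && consent.thirdPartySharing === true;
  return {
    mayCollect,
    mayDisclose,
    reason: mayCollect ? "child_with_consent" : "child_needs_parental_consent",
  };
}
```

Calling `gate` at every data collection point, before anything is stored or forwarded to a vendor, keeps the decision in one place that can be logged and audited.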

Third-Party Vendor Obligations

COPPA liability does not end at your front door. If a third-party service you use collects data from children on your behalf (an analytics provider, an advertising network, a live chat platform, or a payment processor that stores customer information), you bear responsibility for that collection under COPPA.

The updated rule codifies that you must have written contracts with service providers requiring them to implement appropriate security measures. Reviewing your vendor agreements and understanding what data each vendor collects is not optional. This is consistent with the vendor risk review process that every COPPA-covered operator should have in place. If you are unsure how to evaluate vendor data practices, a structured privacy gap analysis can identify where your exposure lies.

The Enforcement Record

COPPA enforcement is not theoretical. The FTC has collected hundreds of millions of dollars in penalties, including from companies that believed they were too small or too niche to attract attention. A few examples from the actual enforcement record:

The enforcement pattern has shifted. The FTC is not only pursuing large platforms. It is targeting businesses that should have known their practices were non-compliant and took no corrective action. The penalty is assessed per violation. If your newsletter collected email addresses from 200 children without age verification, that is 200 violations. At $53,088 per violation, the arithmetic becomes severe quickly.

You can read more about how the FTC's case-by-case enforcement approach affects small businesses, and the broader pattern visible in cases like the Meta $375 million fine that carries direct lessons for smaller operators.

Your Compliance Action List

If you have not completed COPPA compliance work, here is where to start. These are ordered by risk priority, not difficulty.

  1. Audit your actual audience. Pull your analytics. If any portion of your users appear to be under 13, COPPA applies regardless of your intended target market. Document this assessment and date it.
  2. Inventory every data collection point. Contact forms, newsletter signups, account creation flows, payment forms, live chat, comment sections, and any third-party tools that collect identifiable data from users of your site. Map every point.
  3. Implement neutral age screening at every data collection point. The design must not lead users toward a particular age response. If a user indicates they are under 13, no personal information should be collected until verifiable parental consent is obtained.
  4. Establish a verifiable parental consent process. Email notification alone is not sufficient. You need a consent method that provides reasonable assurance the person consenting is actually the parent. Document the method you choose and why it satisfies the FTC's standard.
  5. Separate the consent for third-party data sharing. If you share data with advertising platforms, analytics providers, or other third parties, obtain a distinct, specific consent for that sharing separate from your general consent to collect.
  6. Define and enforce data retention limits. Children's data cannot be retained indefinitely. Write your retention policy, set deletion timelines, and implement the deletion process. Document it.
  7. Update your privacy policy. Your privacy policy must specifically address what information you collect from children, how you use it, how long you retain it, whether you share it and with whom, and how parents can exercise their rights. Vague general language does not satisfy COPPA's notice requirements.
  8. Review all vendor contracts. Every service provider that may receive children's personal information from you must have a written contract that includes data security obligations. Audit your current vendor agreements against this requirement.
  9. Build a written information security program. Document the administrative, technical, and physical safeguards you have in place to protect children's data. This does not need to be elaborate, but it must exist in written form and be defensible.
  10. Train everyone who touches customer data. Compliance fails when the team does not understand the requirements. Anyone who manages your website, handles customer inquiries, or operates your data systems needs to understand what COPPA requires and why.

Note on state laws: COPPA is a federal law with no consumer count or revenue threshold. It applies to any covered operator regardless of size. This is different from state privacy laws, which often have thresholds. You can review state privacy law threshold requirements here to understand where your business may have additional obligations beyond COPPA.

What Parents Can Do Under the Updated Rule

COPPA also establishes specific rights for parents. If your business collects data from children, you must be operationally ready to fulfill these requests. Parents have the right to review the personal information you have collected from their child, to request deletion of that information, and to refuse further collection or use. They also have the right to consent to collection and use while refusing consent to disclosure to third parties. Delayed or complicated responses to these requests are themselves COPPA violations.

The Bottom Line

The compliance deadline has passed. The FTC does not need to receive a complaint to investigate. It can identify non-compliant operators through its own monitoring of websites, apps, and online services. Businesses that have taken no action since the updated rule was published are now operating with legal exposure that compounds daily.

The cost of compliance is always lower than the cost of a violation. A structured review of your data practices, privacy notices, consent mechanisms, and vendor agreements is a manageable investment. An FTC enforcement action is not.

If you are a business building a privacy program from scratch, or if you need to understand specifically what applies to your operations, a flat-fee Privacy Exposure Review is the right place to start. It identifies your top three compliance risks and tells you exactly what to address first.
