COPPA Compliance in 2026: What Your Children’s Privacy Policy Must Include


The FTC’s updated Children’s Online Privacy Protection Rule went into effect on April 22, 2025, and the COPPA compliance 2026 requirements demand more from website and app operators than any prior version of the rule. The amendments add biometric data to the definition of personal information, require written security programs with annual risk assessments, mandate formal data retention and deletion policies, and expand the list of approved parental consent methods. Operators who built compliance programs around the 2013 rule are not compliant today.

1. What Changed in the Updated COPPA Rule

The Federal Trade Commission published the final amended COPPA Rule at 90 FR 16977, with an effective date of April 22, 2025. The rule applies to operators of websites and online services directed to children under 13 and to general audience sites where operators have actual knowledge that children are using the service.

The core changes fall into five categories:

  • An expanded definition of “personal information” that now explicitly includes biometric identifiers
  • Mandatory written information security programs with annual risk assessments
  • Formal written data retention and deletion policies
  • New parental consent verification methods, including text message consent and facial recognition verification
  • Strengthened safe harbor program reporting and transparency obligations

Each of these changes creates new compliance obligations. Operators who collected data from children under the previous rule must audit their practices and documentation against the amended requirements.

2. Expanded Definition of Personal Information

Under the updated rule, “personal information” now explicitly covers biometric identifiers. Section 312.2 of the amended rule defines biometric identifiers as data that can be used for the automated or semi-automated recognition of an individual, including fingerprints, iris patterns, DNA, voiceprints, and facial recognition templates. Any operator whose platform captures a child’s image, voice recording, or fingerprint for any purpose is now collecting personal information subject to full COPPA notice and consent requirements.

For app developers and website operators who use any form of biometric authentication or facial recognition features in products that may reach children, this change requires immediate review of privacy notices and parental consent flows.

The full list of personal information categories under the amended rule includes:

  • First and last name
  • Physical address (street name, city, or town)
  • Online contact information (email, IM identifier, VoIP identifier, video chat identifier)
  • Screen or user name functioning as contact information
  • Telephone number
  • Government-issued identifiers (Social Security number, passport, state ID)
  • Persistent identifiers (cookies, IP addresses, device serial numbers, unique device identifiers)
  • Photos, videos, or audio files containing a child’s image or voice
  • Geolocation data sufficient to identify a street and city
  • Biometric identifiers (fingerprints, iris patterns, DNA, voiceprints, facial templates)
  • Any child or parent information combined with the identifiers above

If your platform collects any of these data types from children, your privacy policy and parental notice must reflect the updated categories. A privacy policy lawyer can review your existing notices against the amended rule’s disclosure requirements.

3. Mandatory Written Information Security Programs

One of the most operationally significant changes in the updated rule is the requirement for a formal, written information security program. This is not a policy document you can draft once and file away. Section 312.8 of the amended rule requires ongoing administration and annual review.

The rule specifies five baseline requirements for this program:

  • Designated personnel: At least one employee must be assigned to coordinate the information security program.
  • Annual risk assessments: The operator must identify and assess internal and external risks to children’s personal information and document those assessments.
  • Risk-based safeguards: Security controls must be designed based on the volume and sensitivity of data at risk, plus the likelihood and severity of potential harm.
  • Regular testing and monitoring: Operators must test and monitor the effectiveness of their safeguards on an ongoing basis.
  • Annual program evaluation: The security program itself must be reviewed and updated annually to address new risks, technology changes, and operational shifts.

Additionally, before sharing children’s data with third-party service providers, operators must take reasonable steps to confirm that those providers maintain equivalent security safeguards. Contracts with vendors who receive children’s data should reflect these requirements.

4. Written Data Retention and Deletion Policies

Section 312.10 of the amended rule now mandates that operators create and maintain a written data retention policy specifying how long each category of children’s personal information will be kept and the criteria used to determine that timeline.

The core principle is straightforward: operators may retain children’s personal information only as long as is reasonably necessary to fulfill the specific purpose for which it was collected. Indefinite retention is prohibited. If a child’s account is closed or a parent requests deletion, operators must delete the data promptly — the amended rule does not define a specific window, but the FTC has indicated that prompt means within a matter of days, not weeks.

Operators must also publish their data retention policy as part of the privacy notice posted on their website or online service. If your current privacy notice does not specify retention periods by data category, it does not meet the amended rule’s requirements.

For companies operating across multiple jurisdictions, these retention requirements interact with US state privacy laws and international frameworks. Building a retention schedule that satisfies COPPA, CCPA, and other applicable state laws requires coordinated review of your terms of service and privacy documentation.
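As an added illustration (not code from the page, the FTC, or any operator), the two retention requirements above expressed as a check an operator could run against its data inventory: the written schedule must name a finite period for every category collected, and a record is flagged for deletion once its period has passed, its account is closed, or a parent has requested deletion. The category names, periods, and sample records are constructed placeholders, not values from the rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed retention schedule (placeholder periods, not values from the rule):
# category -> maximum retention in days, or None when the policy sets no period.
RETENTION_SCHEDULE = {
    "online_contact_info": 30,    # parent email kept only for the consent flow
    "persistent_identifier": 90,  # cookies / device identifiers
    "voice_recording": 7,         # deleted once the feature that needed it has run
    "geolocation": None,          # no period defined: a policy gap the check must catch
}

@dataclass
class Record:
    child_id: str
    category: str
    collected_at: datetime
    account_closed: bool = False
    parent_requested_deletion: bool = False

def schedule_gaps(collected_categories, schedule=RETENTION_SCHEDULE):
    """Categories collected from children that the written schedule either omits
    or leaves without a retention period (indefinite retention is prohibited)."""
    return sorted(c for c in set(collected_categories)
                  if schedule.get(c) is None)

def deletion_reason(record, schedule, now):
    """Why a record must be deleted now, or None if it may still be retained."""
    if record.parent_requested_deletion:
        return "parent requested deletion"
    if record.account_closed:
        return "account closed"
    max_days = schedule.get(record.category)
    if max_days is not None and now - record.collected_at > timedelta(days=max_days):
        return f"exceeded {max_days}-day retention period"
    return None

def records_due_for_deletion(records, schedule=RETENTION_SCHEDULE, now=None):
    """(record, reason) pairs for every record that must be deleted."""
    now = now or datetime.now(timezone.utc)
    return [(r, why) for r in records if (why := deletion_reason(r, schedule, now))]

# Constructed sample records, as an operator's data inventory might hold them.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("c1", "online_contact_info", NOW - timedelta(days=45)),
    Record("c2", "persistent_identifier", NOW - timedelta(days=10)),
    Record("c3", "voice_recording", NOW - timedelta(days=1), account_closed=True),
]
```

A category with a `None` period is never flagged by the age check, which is why `schedule_gaps` must run first: a schedule entry without a period is itself the compliance defect.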

5. Updated Parental Consent Methods

The updated rule expands the list of acceptable methods for obtaining verifiable parental consent. Section 312.5(b)(2) now explicitly authorizes two methods not included in the 2013 rule.

Facial Recognition Verification

Operators may now verify a parent’s identity by having them submit a government-issued photo ID, which is checked for authenticity and matched against a live selfie using facial recognition technology. The photo ID and selfie must be deleted immediately after verification. This method allows operators to confirm they are dealing with an adult without storing sensitive identity documents.

Text Message Consent

For operators who do not disclose children’s personal information to third parties, the rule now permits text message-based consent. The operator sends a text to the parent’s phone number, the parent replies to confirm consent, and the operator then sends a confirmation text with information about how to revoke consent.

The full list of approved consent mechanisms under the current rule includes signed consent forms (returned by mail, fax, or electronic scan), credit or debit card verification, government-issued ID check, video conference with trained personnel, facial recognition verification, and text message consent (for non-disclosing operators). Email-with-confirmation is permitted only for internal operations that do not disclose children’s data to third parties.

Regardless of which method you choose, the FTC requires it to be “reasonably calculated, in light of available technology” to verify that the person providing consent is actually the child’s parent or legal guardian.

6. Enhanced Notice Requirements

The amended rule reinforces the obligation to provide both direct notice to parents and a public-facing privacy notice on the website or service. These are two separate documents with different content requirements.

Direct notice to parents must clearly identify:

  • The specific personal information to be collected
  • How the information will be used and potentially disclosed
  • The identities or specific categories of third parties receiving the data
  • A hyperlink to the full online privacy notice
  • The means for providing verifiable consent
  • A statement that the operator will delete the parent’s and child’s information if consent is not received within a reasonable time

For mixed audience websites, the rule continues to require that age information be collected in a neutral manner that does not encourage children to provide a false age. Age gates that use leading prompts or present adult ages first may themselves trigger regulatory scrutiny.

7. Safe Harbor Program Changes

The updated rule imposes stricter accountability and transparency obligations on FTC-approved COPPA safe harbor programs. Programs that previously self-certified compliance must now submit more detailed annual reports to the FTC and make certain compliance information publicly available.

Annual reports to the FTC must include copies of consumer complaints, aggregated summaries of independent compliance assessments, information about new members and members who left the program, and details of any enforcement actions taken against members. Safe harbor programs must also publish the identities of their member operators on a publicly accessible website.

For operators who rely on safe harbor membership as their primary compliance strategy, these changes mean greater scrutiny of the programs themselves. Membership in a safe harbor does not eliminate the need to audit your own practices against the updated rule requirements.

8. Enforcement and Penalties

COPPA violations are treated as unfair or deceptive acts under Section 18(a)(1)(B) of the FTC Act. The FTC has consistently pursued civil penalties for COPPA violations. Recent settlements have ranged from several million to over $100 million for major platform operators. The updated rule’s mandatory written security and retention programs give the FTC clearer benchmarks for measuring compliance — and clearer grounds for penalty calculations when those benchmarks are not met.

State attorneys general also have authority to enforce COPPA, which means operators face potential action at both the federal and state level. Several states have also enacted their own children’s privacy laws that impose requirements beyond COPPA, including the California Age-Appropriate Design Code Act and legislation in states like Texas, New York, and Illinois.

Frequently Asked Questions

When did the updated COPPA rule take effect?

The amended COPPA Rule was published in the Federal Register at 90 FR 16977 and took effect on April 22, 2025. All operators subject to COPPA should have updated their compliance programs, privacy notices, and parental consent flows by that date.

Does COPPA apply to my website if it is not specifically designed for children?

COPPA applies to general audience websites and online services if the operator has actual knowledge that it is collecting personal information from a child under 13. Actual knowledge can arise from age information collected during registration, content or design features clearly directed at children, or direct communication from the child or a parent. If there is any possibility your site reaches children, a legal review is advisable.

What counts as a biometric identifier under the updated rule?

The amended rule defines biometric identifiers as data that can be used for the automated or semi-automated recognition of an individual. This includes fingerprints, iris patterns, DNA sequences, voiceprints, and facial recognition templates. If your platform captures a child’s image or voice for any authentication or personalization purpose, that data is now personal information subject to full COPPA requirements.

What must a written information security program include?

Under Section 312.8, the program must designate at least one employee to coordinate security efforts, conduct annual risk assessments, implement risk-based safeguards, test and monitor those safeguards regularly, and evaluate and update the program annually. Operators must also take steps to ensure that third-party service providers who receive children’s data maintain adequate security measures.

Can I use email to get parental consent?

Yes, but only if your operation does not disclose children’s personal information to third parties. You must send a confirmation email after receiving consent, and you must provide a mechanism for parents to revoke consent. If your platform shares data with any third-party service providers for purposes beyond internal operations, email-based consent is not sufficient.

How long can I retain personal information collected from a child?

Only as long as is reasonably necessary for the specific purpose for which the information was collected. Indefinite retention is prohibited. Your written retention policy must specify the retention period for each category of personal information and the criteria used to determine that timeline. The policy must be published as part of your public-facing privacy notice.

Protect Your Business With Proper COPPA Compliance

The updated COPPA compliance 2026 requirements demand more from website and app operators than any previous version of the rule. Written security programs, formal retention policies, expanded biometric data rules, and new consent methods all require legal review and documentation that goes beyond simply posting a privacy policy.

TOS Lawyer helps businesses build compliant privacy policies, terms of service, and data governance frameworks that satisfy the amended COPPA Rule and related state laws. Book a consultation to get your compliance documentation reviewed.
