ARTICLE
9 July 2026

The Amended Children’s Online Privacy Protection Act (COPPA) Regulations: What Your Business Needs To Know

FH
Foley Hoag LLP

Contributor

Foley Hoag provides innovative, strategic legal services to public, private and government clients. We have premier capabilities in the life sciences, healthcare, technology, energy, professional services and private funds fields, and in cross-border disputes. The diverse experiences of our lawyers contribute to the exceptional senior-level service we deliver to clients.
The Federal Trade Commission has finalized major amendments to the Children's Online Privacy Protection Act (COPPA), introducing stricter requirements for businesses that collect data from children under 13. With the April 22, 2026 compliance deadline now passed, companies must navigate expanded definitions of personal information, enhanced notice requirements, new consent mechanisms, and mandatory data retention policies that fundamentally reshape how online services interact with young users.
United States Privacy
Colin J. Zick’s articles from Foley Hoag LLP are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Oil & Gas, Pharmaceuticals & BioTech and Retail & Leisure industries

This change has been a long time in the making. On April 22, 2025, the Federal Trade Commission (FTC) published final amendments to COPPA, marking the first major change to COPPA since 2013. These amendments reflect the FTC’s recognition of technological changes over the past decade and shifts in how children interact with online services. As of April 22, 2026, the compliance deadline for the amended regulation has passed, and businesses subject to COPPA are now required to comply with the following key amendments to the COPPA regulations.

As a refresher COPPA applies to businesses that: 

(1) operate commercial websites or online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children; 

(2) operate general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; or 

(3) operate websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

The key amendments to COPPA are summarized below:

New and Expanded COPPA Definitions

  • “Personal information” now includes biometric identifiers (e.g., fingerprints, handprints, retina patterns, iris patterns, genetic data, voiceprints, gait patterns, facial templates, or faceprints) and government-issued identifiers (e.g., Social Security numbers, state identification cards numbers, birth certificates, and passport numbers). 
  • “Mixed audience website or online services” now means an online site or service directed to children, but that does not target children as its primary audience and does not collect personal information from any visitor before collecting age information (other than for the limited purposes set forth in Section 312.5(c)). These limited purposes include:
    • providing parental notice, 
    • responding directly to a specific request from the child, and 
    • protecting the safety of the child, 

provided the operator of the mixed audience website or online service does not otherwise use or disclose such personal information for any other purpose. Any collection of age information must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information.

  • “Online contact information” now includes “a mobile telephone number, provided the operator uses it only to send text messages to a parent in connection with obtaining parental consent.” 

Enhanced COPPA Notice Requirements

  • Direct Notice: To allow parents to make informed choices, the COPPA amendments require that direct parental notices include information on: 

(1) the specific items of personal information to be collected and how the operator intends to use them; 

(2) the identities or specific categories of third parties to whom information may be disclosed and the purposes for the disclosure; 

(3) how a parent can consent to collection and use without consenting to third-party disclosure; and 

(4) a hyperlink to the operator’s online notice of its information practices. 

  • Online Notice: The COPPA amendments require operators to include the following in their online notices: 

(1) the name, address, telephone number, and email address of all operators collecting or maintaining personal information from children through the website or online service; 

(2) a description of the information collected from children, including whether the website or online service enables a child to make personal information publicly available, how the operator uses such information, the operator’s data retention policy, and the operator’s disclosure practices, including identities and specific categories of any third parties to which the operator discloses personal information; 

(3) how the operator uses persistent identifiers to support internal operations; and 

(4) if the operator collects audio files containing a child’s voice, a description of how the operator uses such files and confirmation that the operator deletes such files immediately after responding to the request for which they were collected. 

New COPPA Consent Requirements and Mechanisms

The COPPA amendments also require operators to obtain separate verifiable parental consent before disclosing a child’s personal information to third parties unless such disclosure is integral to the website or online service. Consent is not required if third-party disclosures are integral to the website or online service or are to a person or entity who provides “support for the internal operations of the website or online service” and who does not use or further disclose the information for any other purpose. Disclosures of a child's personal information to third parties for monetary or other consideration, for advertising purposes, or to train or otherwise develop artificial intelligence technologies are not integral to the website or online service and require separate consent.

The COPPA amendments expand acceptable methods for obtaining verifiable parental consent, including the following:

  1. Text Plus method: Consent obtained via text message coupled with additional verification steps, such as a follow-up text, letter, or phone call. This consent method is available only where the operator does not disclose children’s personal information.
  2. Knowledge-based authentication: Dynamic, multiple-choice questions of sufficient difficulty that a child aged 12 or younger could not reasonably answer.
  3. Photographic identification: Submission of a government-issued photo ID verified against a live image using facial recognition technology and promptly deleted after confirming a match.

COPPA Compliance Steps for Your Business

  1. Confirm and update your data collection and retention practices: Operators should confirm that their data collection and retention practices satisfy the amended COPPA requirements. The COPPA amendments prohibit operators from retaining children’s personal information indefinitely and require operators to maintain a written data retention policy. The written retention policy must specify “the purposes for which children’s personal information is collected, the business need for retaining such information, and a timeframe for deletion.” These amendments also clarify that operators may only retain children’s personal information for as long as it is reasonably necessary to fulfill the specific purposes for which the data was collected.
  2. Review and update written information security programs: Operators should confirm that they have established, implemented, and maintained a written comprehensive information security program to protect children’s personal information, tailored to your company’s size and the complexity and sensitivity of the information collected. Operators with existing security programs that already cover children’s data and meet COPPA requirements do not need to maintain separate children’s information security programs
  3. Review and update your parental notices and consent mechanisms: Operators should confirm that both direct and online notices include the required details about the purposes for which data is collected, the identities or specific categories of third-party recipients, and the purposes for which the data is shared. Operators should also evaluate the expanded consent mechanisms and implement those that are appropriate for their data practices.

Remember too that states are now beginning to regulate this space, such as Texas and its Senate Bill 2420, which requires major app stores to verify users’ ages and gives parents greater control over the apps that their children download. .

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More