How does COPPA apply to AI-generated content targeting children under 13?

The Children's Online Privacy Protection Act (COPPA), originally enacted in 1998 and updated through subsequent FTC rulemaking, governs the online collection and use of personal information from children under 13. The FTC's January 2025 rule revision — finalized in late 2024 after a 2019-2024 rulemaking process — added several provisions directly relevant to AI-generated content directed at children. The core COPPA framework requires verifiable parental consent before any operator of a website or online service directed at children under 13 collects, uses, or discloses personal information from those children. The framework defines 'directed at children' through a multi-factor test considering subject matter, visual content, language, audience composition, and advertising practices. The 'verifiable parental consent' standard is procedurally specific — credit card verification, government-ID verification, signed-and-returned forms, or one of a small set of FTC-approved alternatives. The 2025 rule revision added three AI-specific provisions. First, the consent requirements now extend explicitly to the use of children's data for training AI models. Operators collecting data from children under 13 must obtain separate verifiable parental consent before using that data to train any AI model, whether developed in-house or shared with third parties. The provision closed a perceived loophole where operators were arguing that AI training was a 'use' of data that fell within general consent rather than requiring specific opt-in. Second, the rule added data minimization obligations specific to children. Operators must collect only the data strictly necessary for the specific service provided to the child, and must delete the data when no longer necessary. The minimization standard is stricter than the general COPPA framework's prior 'reasonably necessary' test. Third, the rule added specific provisions on AI-generated content directed at children. Where an operator deploys AI-generated content (chatbot interactions, AI-personalized recommendations, AI-generated educational material) in services directed at children, the operator must disclose the AI nature of the content to parents at the point of consent and must implement safety controls limiting the AI's ability to interact in harmful ways. The provisions are operational rather than aspirational — the rule specifies that the FTC will treat AI content directed at children as a high-priority enforcement area through 2026. For advertisers, the COPPA framework attaches when ads are served on services directed at children under 13. Advertisers running AI-generated creative on YouTube Kids, on COPPA-compliant configurations of major platforms, or on dedicated children's apps must consider both the AI-content disclosure obligations (whether the creative discloses its AI nature) and the data-use obligations (whether targeting data was collected with appropriate consent). The TikTok $5.7M precedent and subsequent enforcement actions establish that advertiser-side liability attaches even where the platform is the primary COPPA-regulated entity, particularly when advertiser targeting choices contributed to the violation. For coordinated compliance review across federal and state frameworks see the Legal Compliance Scan and the US Meta Compliance Guide .

What is KOSA and how would it change advertiser obligations for AI content targeting minors?

The Kids Online Safety Act (KOSA) is a federal bill that would substantially expand the regulatory framework for online services directed at minors under 17. The bill passed the Senate by a 91-3 vote in July 2024 but did not advance in the House before the 118th Congress adjourned. KOSA was reintroduced in the 119th Congress in early 2025 with bipartisan sponsorship and has had Senate committee hearings through 2025-2026 but has not received a Senate floor vote in the 119th Congress as of Q1 2026. The bill's substantive provisions, if enacted in approximately their introduced form, would impose six categories of obligations on covered services and their advertisers. First, duty of care: covered services would owe a 'duty of care' to minors to prevent and mitigate specified harms including mental-health harms, addiction, online bullying, sexual exploitation, and substance-abuse promotion. The duty of care has been the bill's most controversial element, with civil liberties groups expressing concern about its First Amendment implications and potential for over-removal of legitimate content. Second, safeguards and parental tools: covered services would be required to implement specified safeguards including default privacy settings for minor users, restricted communication functionality, and limits on engagement-maximizing design features. Parental tools would include account-monitoring access, time-limit setting, and content-filter customization. Third, age verification and design responsibility: services would be required to know whether their users are minors through a reasonable verification mechanism and to design their services with minor-appropriate defaults. The age-verification requirement has been a subject of ongoing legislative refinement to address privacy concerns. Fourth, transparency and reporting: covered services would be required to publish annual transparency reports detailing safeguards, complaints, and remediation actions. The reports would be enforceable through the FTC and state attorneys general. Fifth, advertising restrictions: certain categories of advertising would be restricted or prohibited when targeted at minors, including ads for products illegal for minors to purchase (alcohol, tobacco, gambling), ads using AI-generated synthetic content depicting realistic people without disclosure, and ads using engagement-maximizing design features that exploit minors' developmental psychology. Sixth, AI-content disclosure: AI-generated content directed at minors would require specific disclosure that the content is AI-generated, with format requirements specified by FTC rulemaking. The disclosure requirement would apply to advertisers, not just platforms — and would establish advertiser-side liability for non-disclosed AI content reaching minor audiences. Several states have adopted modified versions of KOSA-style provisions while the federal bill remains pending — Maryland's Age-Appropriate Design Code (effective Q4 2024), Connecticut's online-safety bill (effective 2025), and New York's SAFE for Kids Act (effective late 2025). Advertisers should plan for KOSA-style obligations regardless of federal passage because the state-level adoption pattern is producing a de facto national framework through stacked state laws. For ongoing legislative tracking see /policy-tracker .

Which state laws currently impose specific obligations on AI content targeting minors?

The state-law matrix for AI content targeting minors expanded significantly in 2024-2025 and continues to evolve through 2026. Five active frameworks impose distinct obligations on advertisers and platforms, with overlapping but non-identical scope. California's Age-Appropriate Design Code (AADC), enacted in 2022 with implementation through 2024, imposes data-protection-by-design obligations on services likely to be accessed by users under 18. The framework requires services to estimate the age of their users, configure privacy settings to high-privacy defaults for minor users, and avoid using minors' personal information in ways materially detrimental to their well-being. AI-content provisions attach when AI personalization is used in services accessed by minors — the AADC's 'dark patterns' provisions cover AI-driven design choices that exploit minor users' developmental psychology. The framework faced First Amendment challenges that produced injunctions against several provisions through 2023-2024; the surviving framework still imposes substantial obligations. Texas SCOPE Act (Securing Children Online through Parental Empowerment), effective September 2024, requires services to obtain parental consent for users under 18 to create accounts, restricts targeted advertising to known minors, and imposes data-minimization obligations. AI-content provisions attach through the targeted-advertising restriction — AI-personalized advertising to known minors triggers the SCOPE Act's consent requirements. The Texas Attorney General has been active in enforcement, with several published investigations through 2025. Florida HB 3, effective January 2025, prohibits social media accounts for users under 14 entirely and requires parental consent for users 14-15. The prohibition is in litigation but operational pending court ruling. AI-content provisions attach through the platform's overall design obligation — AI features deployed on the platform must comply with the under-14 prohibition. Utah Social Media Regulation Act, effective March 2024 and amended through 2025, requires parental consent for minor account creation, restricts platform design features that maximize engagement for minor users, and imposes notice-and-takedown obligations for content harmful to minors. The Utah framework was the first state-level KOSA-style law and has been a model for subsequent state legislation. New York SAFE for Kids Act, effective late 2025, prohibits 'addictive feed' design for users under 18 without parental consent and imposes notification-time restrictions. The framework is the most recent and is still in early enforcement. The five frameworks overlap in scope but differ in specifics — Texas applies to under-18 with parental consent for any account; Florida prohibits under-14 entirely; California applies privacy-by-design without an age threshold for restrictions; Utah and New York focus on design-feature regulation. Advertisers running campaigns reaching multi-state audiences must comply with the strictest applicable framework in each market, which produces a de facto national framework approximating the strictest state's rules. For coordinated cross-state compliance see the Legal Compliance Scan and for ongoing tracking /policy-tracker .

How do platform age-gates work and what's the advertiser's role in age-verification compliance?

Platform age-gate implementation varies significantly across the four major platforms hosting children-targeted advertising (Meta, TikTok, YouTube, Snapchat), and the variation directly shapes advertiser-side compliance obligations. Understanding the per-platform mechanics is essential for advertisers running campaigns that could reach minor audiences. Meta's age-gate operates at account creation, with users entering date of birth at signup. Meta employs additional age-estimation techniques including AI-based estimation from user photos, content interaction patterns, and connection-graph analysis to identify accounts with high probability of misrepresented age. Identified accounts are subject to age-verification requirements (typically government-ID upload or video selfie). For known under-13 users, Meta operates a restricted experience with substantially limited features, no targeted advertising, and parental-control integration. For under-18 users, Meta restricts certain ad categories and applies default privacy settings consistent with state-law obligations. The advertiser role: when configuring campaign targeting, advertisers should explicitly exclude minor age brackets unless the campaign is intended for minors and has appropriate compliance documentation. Meta's targeting interface does not enforce this exclusion automatically — the advertiser must select it. TikTok's age-gate operates similarly at account creation, with significant subsequent investment in age-estimation following the 2019 FTC settlement and subsequent enforcement. TikTok's restricted experience for under-13 users prohibits all advertising, prevents direct messaging, restricts content sharing, and limits content creation. For 13-17 users, TikTok applies content-moderation defaults more aggressive than for adult accounts and restricts certain ad categories. The advertiser role: similar to Meta, advertisers must select minor exclusion explicitly in campaign setup. TikTok's ad approval flow includes additional review for any campaign that could reach minor users, with rejection or restriction common for ad categories prohibited for minors. YouTube operates two distinct experiences: YouTube Kids (separate app, COPPA-compliant by design, restricted advertising and content) and standard YouTube with age-gated content categories. Account-level age verification follows Google account practices, with date-of-birth entry and subsequent ID verification for certain age-restricted features. For known minor accounts, YouTube applies default privacy settings, restricts certain video features, and limits ad categories. The advertiser role: YouTube Kids advertising is gated to a specific advertiser program with strict creative requirements; standard YouTube advertising allows minor exclusion through campaign targeting settings. Advertisers should verify their settings against the YouTube ad-policy categories that prohibit serving to minors. Snapchat's age-gate operates at account creation with date-of-birth entry and subsequent verification triggered by suspicious activity. For minor accounts, Snapchat restricts certain features (location sharing, public profile visibility) and limits advertising categories. The platform's overall design has emphasized minor protection more prominently than some competitors. The advertiser role: campaign targeting can exclude minor age brackets, and Snapchat's ad approval flow flags campaigns that could reach minor users for additional review. Across all four platforms, the operational discipline for advertisers is to: (1) explicitly exclude minor age brackets in campaign targeting unless campaign is intentionally minor-directed, (2) document the exclusion as part of campaign compliance package, (3) periodically audit campaign delivery to confirm no minor delivery is occurring through targeting expansion or platform-side categorization changes, (4) flag any campaign that approaches minor-content categories for legal review before launch, and (5) maintain account-level documentation of compliance posture for FTC inquiry response. The discipline is foundational; failures in any of the five steps account for most enforcement-actionable advertiser violations in 2025-2026. For automated compliance audit see the AI Compliance Audit .

What's the practical advertiser checklist for AI content targeting minors in 2026?

The practical advertiser checklist for AI content potentially reaching minor audiences in 2026 operates across five work areas, with sequential dependencies that mirror the COPPA/KOSA/state-law compliance flow. The checklist should be executed before any campaign launch that could reach minor audiences, and refreshed for any campaign change that adds minor-reach surface area. Area one — campaign scope determination. Before any compliance work, determine whether the campaign is intentionally minor-directed (a children's product, a school-age service, a teen-targeted brand), incidentally minor-reaching (an adult-targeted campaign that may reach minors through algorithmic delivery), or strictly adult-only (an adult-restricted product). The classification determines which framework applies and what compliance posture is required. Intentionally minor-directed campaigns face the full COPPA+state-law framework and should be developed with specialized counsel from inception. Incidentally minor-reaching campaigns should aggressively exclude minor audiences through platform targeting. Strictly adult-only campaigns should additionally use age-restricted ad categories where available. Area two — content compliance review. Where the campaign includes AI-generated creative, the AI nature of the content must be disclosed to parents (for under-13 audiences under COPPA) or to viewers (for older minor audiences under state laws and pending KOSA). The disclosure format varies by jurisdiction but should be plainly visible on the creative rather than relying on platform-applied labels alone (platform detection is imperfect; advertiser-side disclosure provides defensible compliance posture regardless of platform behavior). Area three — data and targeting compliance. Where the campaign uses targeting data, document the consent basis for the data — was it collected with verifiable parental consent for under-13 users? Was the targeting expansion (lookalike modeling, interest-based targeting) verified to not include minor populations? Document the targeting parameters and the platform-side audience exclusions applied. Area four — platform-specific compliance setup. Configure platform-specific settings for minor exclusion, age-restricted ad categories where available, and any platform-specific compliance attestations. Document the configurations for audit purposes. Where platform options are insufficient (smaller platforms with limited age-gate capability), consider whether the campaign should proceed at all or whether the platform should be excluded. Area five — ongoing monitoring and incident response. Monitor campaign delivery metrics for any signs of minor-user reach (unusual demographic shifts, complaint volume, platform-side notifications). Establish incident response procedures for any minor-user complaint or platform notification, including immediate campaign pause and review. Document the monitoring and incident-response posture for audit purposes. The five-area discipline produces a compliance posture that defends against most published enforcement scenarios. The discipline does not eliminate risk — platform-side categorization changes, regulatory framework updates, and unanticipated content categorization can produce compliance gaps that require remediation rather than prevention. For coordinated cross-jurisdiction review see the Legal Compliance Scan , for live policy tracking see /policy-tracker , and for related synthetic-media enforcement context see Synthetic Media Enforcement Index Q1 2026 .

Children's AI Content Compliance 2026: COPPA, KOSA, State

Quick Answer

AI content targeting children faces a stacking US compliance framework in 2026: federal COPPA (under-13) updated by FTC's 2025 rule revision adding consent and data-minimization requirements for AI-generated content; KOSA (Kids Online Safety Act) still pending in the 119th Congress but adopted in modified form by several states; California Age-Appropriate Design Code (AADC) imposing data-protection-by-design obligations; Texas SCOPE Act, Florida HB 3, Utah Social Media Regulation Act, and New York SAFE for Kids Act imposing age-gate and parental-consent requirements. The TikTok $5.7M COPPA settlement (2019, FTC v. Musical.ly) established the operational baseline; the FTC's 2024-2025 enforcement priorities and inflation-adjusted per-violation penalties signal 2026 settlements running 5-10× higher for similar violations.

Children's AI Content Compliance 2026 — COPPA, KOSA & State AI Laws Targeting Minors

Why This Cluster of Laws Matters in 2026

AI content directed at children and teens sits at the intersection of three rapidly evolving regulatory frameworks in 2026: federal COPPA enforcement reinvigorated by the FTC's 2025 rule revision, KOSA-style obligations adopted in modified form by multiple states while the federal bill remains pending in the 119th Congress, and a tightening cluster of state-level AI and minor-protection laws that produce a de facto national framework through cumulative reach.

The enforcement trajectory has shifted from the 2019 TikTok $5.7M COPPA settlement baseline toward substantially higher penalties driven by inflation-adjusted per-violation maximums, expanded scope under the 2025 rule revision, and active state attorney general enforcement of state-law frameworks. The 2026 published cases through Q1 reached aggregate penalty figures in the low nine figures across federal and state actions, with the pattern projected to escalate through the remainder of the year as state attorneys general bring backlogged cases under the 2024-2025 frameworks.

For advertisers, the practical exposure runs in three directions. First, direct violation: AI-generated creative reaching under-13 users without verifiable parental consent under COPPA, or reaching minors without appropriate disclosure under state laws. Second, derivative violation: AI content using data collected from minors without proper consent, even where the AI content itself is not directed at minors. Third, platform-cascade violation: campaigns running on platforms with documented under-age user populations create concurrent advertiser-side liability when advertiser targeting choices contributed to platform-level violations.

This guide walks the FTC's 2025 COPPA rule revision and what changed for AI content, the KOSA federal status and state-level adoption pattern, the five active state-law frameworks (California AADC, Texas SCOPE, Florida HB 3, Utah, New York SAFE for Kids), the TikTok $5.7M precedent deconstruction with implications for 2026 enforcement scale, the per-platform age-gate implementation across Meta/TikTok/YouTube/Snapchat, and the practical compliance checklist for advertisers running campaigns that could reach minor audiences.

"Children's privacy and safety online is one of the FTC's highest enforcement priorities and will remain so."
— FTC Chair statement accompanying the 2025 COPPA rule revision (January 2025)

COPPA — The 2025 FTC Rule Revision

The Children's Online Privacy Protection Act, originally enacted in 1998, governs the online collection and use of personal information from children under 13. The FTC's January 2025 rule revision — finalized in late 2024 after a 2019-2024 rulemaking process — added several provisions directly relevant to AI-generated content directed at children.

Core framework recap

The pre-revision COPPA framework required operators of websites or online services directed at children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from those children. 'Directed at children' was assessed through a multi-factor test considering subject matter, visual content, language, audience composition, and advertising practices. 'Verifiable parental consent' followed procedurally specific approval methods — credit card verification, government-ID verification, signed-and-returned forms, or FTC-approved alternatives.

What the 2025 revision changed

Provision	Pre-2025	Post-2025
AI training data	General consent presumed to cover AI training use	Separate verifiable parental consent required for AI training
Data minimization	"Reasonably necessary" standard	Strict minimization — only data necessary for specific service
AI content disclosure	No specific provision	Disclosure to parents required at consent point
Safety controls for AI	No specific provision	Mandatory safety controls for AI interacting with children
Per-violation penalty maximum	~$51,744 (2024 indexed)	~$53,088 (2025 indexed) with structural increase signaled

Operational implications for advertisers

Advertisers running AI-generated creative on services directed at children under 13 face concurrent compliance obligations under the revised framework. Where the creative includes AI-personalized content (chatbots, AI-customized recommendations, AI-generated educational material), the advertiser should verify that the platform has obtained appropriate parental consent and has implemented the required safety controls. Where the creative uses targeting data, the advertiser should verify that the data was collected with consent specifically including AI use.

The FTC's published 2026 enforcement priorities placed children's privacy in the top tier, with AI content directed at children specifically called out as a high-priority enforcement area. The published 2025-2026 case load reflects the priority — multiple FTC enforcement actions against operators of children's services for COPPA violations including AI-specific provisions, with settlements substantially exceeding the 2019 TikTok baseline.

For coordinated US compliance review see the US Meta Compliance Guide.

KOSA — Federal Status & State Adoption

The Kids Online Safety Act (KOSA) is a federal bill that would substantially expand the regulatory framework for online services directed at minors under 17. The bill passed the Senate by a 91-3 vote in July 2024 but did not advance in the House before the 118th Congress adjourned. KOSA was reintroduced in the 119th Congress in early 2025 with bipartisan sponsorship and has had Senate committee hearings through 2025-2026 but has not received a Senate floor vote as of Q1 2026.

The bill's six obligation categories

If enacted in approximately its introduced form, KOSA would impose obligations in six categories on covered services and their advertisers.

Duty of care — covered services would owe a duty to minors to prevent and mitigate specified harms including mental-health impacts, addiction, online bullying, sexual exploitation, and substance-abuse promotion. The duty of care has been the most controversial provision because of First Amendment concerns.
Safeguards and parental tools — default privacy settings for minor users, restricted communication functionality, limits on engagement-maximizing design features, and parental account-monitoring access.
Age verification and design responsibility — services would need to know whether users are minors through reasonable verification, and to design services with minor-appropriate defaults.
Transparency and reporting — annual transparency reports detailing safeguards, complaints, and remediation actions.
Advertising restrictions — categories of ads restricted or prohibited when targeted at minors, including ads for products illegal for minors to purchase, AI-generated synthetic content depicting realistic people without disclosure, and engagement-maximizing design features exploiting minors' developmental psychology.
AI-content disclosure — AI-generated content directed at minors would require specific disclosure that the content is AI-generated, with format requirements specified by FTC rulemaking. The disclosure would apply to advertisers, establishing direct advertiser-side liability.

State-level adoption pattern

Several states have adopted modified versions of KOSA-style provisions while the federal bill remains pending. Maryland's Age-Appropriate Design Code (effective Q4 2024), Connecticut's online-safety bill (effective 2025), and New York's SAFE for Kids Act (effective late 2025) each implement subsets of KOSA's substantive framework. The state-level adoption pattern is producing a de facto national framework through cumulative reach — advertisers operating in multi-state markets must comply with the strictest applicable framework in each market.

The advertiser planning posture is to assume KOSA-style obligations will apply through state-law adoption regardless of federal passage. Compliance infrastructure built for the state-level frameworks will absorb federal KOSA passage with minimal incremental work. For ongoing legislative tracking see /policy-tracker.

State Law Matrix — 5 Active Frameworks

The state-law framework for AI content targeting minors expanded significantly in 2024-2025 and continues to evolve through 2026. Five active frameworks impose distinct obligations on advertisers and platforms, with overlapping but non-identical scope.

State	Framework	Effective	Age Scope	AI-Specific Provisions
California	Age-Appropriate Design Code (AADC)	Phased 2024	Under 18	Data-protection-by-design covers AI personalization; "dark patterns" provisions cover AI-driven design
Texas	SCOPE Act	September 2024	Under 18	Targeted advertising restrictions cover AI-personalized advertising to minors
Florida	HB 3	January 2025	Under 14 prohibited; 14-15 parental consent	Platform design obligations cover AI features
Utah	Social Media Regulation Act	March 2024 (amended 2025)	Under 18	Design-feature regulation covers AI engagement features
New York	SAFE for Kids Act	Late 2025	Under 18	"Addictive feed" prohibition covers AI-driven recommendation feeds

Per-framework operational impact

California AADC: Imposes data-protection-by-design on services likely to be accessed by users under 18. Services must estimate user age, configure privacy settings to high-privacy defaults for minor users, and avoid using minors' data in ways materially detrimental to well-being. AI-content provisions attach through 'dark patterns' restrictions covering AI-driven design choices that exploit minor users' developmental psychology. Faced First Amendment challenges producing injunctions against several provisions through 2023-2024; surviving framework still substantial.

Texas SCOPE Act: Requires services to obtain parental consent for users under 18 to create accounts, restricts targeted advertising to known minors, and imposes data-minimization. AI-content provisions attach through the targeted-advertising restriction — AI-personalized advertising to known minors triggers consent requirements. Texas AG has been active in enforcement with several published investigations through 2025.

Florida HB 3: Prohibits social media accounts for users under 14 entirely; requires parental consent for users 14-15. In litigation but operational pending court ruling. AI-content provisions attach through platform-design obligations — AI features deployed on the platform must comply with the under-14 prohibition.

Utah Social Media Regulation Act: First state-level KOSA-style law. Requires parental consent for minor account creation, restricts engagement-maximizing design for minor users, imposes notice-and-takedown for harmful content. Model for subsequent state legislation.

New York SAFE for Kids Act: Prohibits 'addictive feed' design for users under 18 without parental consent. Imposes notification-time restrictions during sleep hours. Most recent of the five frameworks; still in early enforcement.

Cross-state operational discipline

Advertisers running campaigns reaching multi-state audiences must comply with the strictest applicable framework in each market. The practical consequence is a de facto national framework approximating the strictest state's rules — Florida's under-14 prohibition combined with California's privacy-by-design combined with New York's addictive-feed prohibition. Compliance infrastructure built for the most restrictive framework will absorb the others with minimal incremental cost.

For coordinated cross-state compliance see the Legal Compliance Scan.

Hidden Gem — The $5.7M TikTok COPPA Precedent

The TikTok $5.7M COPPA settlement — formally In the Matter of Musical.ly, Inc. and ByteDance Ltd., FTC File No. 172 3004 — was announced by the FTC in February 2019 and represented the largest COPPA penalty to that date. The substantive facts and the FTC's reasoning establish the operational baseline for current COPPA enforcement against social-media platforms, and the framework directly informs how 2026 AI-content enforcement will scale.

The underlying conduct

Musical.ly (TikTok's predecessor app, acquired by ByteDance in 2017 and merged into TikTok in 2018) operated a music-and-video social network used heavily by children under 13. The app required users to enter date of birth at signup but did not effectively prevent under-13 users from creating accounts after declaring they were 13 or older. The FTC's investigation established that Musical.ly had actual knowledge of under-13 users through multiple channels — parent complaints, the platform's own analytics showing user-age distributions, and the visible age representation of accounts featured in the app's promoted content. Despite this actual knowledge, the platform did not obtain verifiable parental consent before collecting personal information from under-13 users and did not enforce age restrictions through its account-creation flow.

The FTC's reasoning

The FTC treated the violation as systemic rather than isolated — the company was not following individual user-by-user remediation when under-13 status became known but was instead operating an entire product line with knowledge that substantial fractions of users were under 13. The systemic framing produced an aggregate penalty calculation rather than per-violation maximums.

The $5.7M settlement included monetary penalty and a corrective order requiring TikTok to delete identified under-13 user data, implement effective age-gating, and submit to ongoing compliance monitoring. The settlement was the largest COPPA penalty in the FTC's history at that time.

Why 2026 penalties will be 5-10× higher for similar violations

Two developments since 2019 inform 2026 enforcement scale.

Inflation-indexed per-violation maximums: COPPA's per-violation penalty maximum is statutorily indexed to inflation and has risen from approximately $42,530 in 2019 to approximately $53,088 in 2025 — a 25% nominal increase. The 2025 rule revision signaled additional structural increases through future rulemaking. For violations affecting large user bases, the per-violation accumulation produces aggregate exposure several times the 2019 baseline.

Enforcement priority escalation: The FTC's 2023-2024 enforcement priorities placed children's privacy in the top tier of substantive enforcement areas. The agency communicated publicly that future COPPA settlements would likely run significantly larger to reflect the priority shift, the inflation adjustment, and the expanded scope under the 2025 rule revision.

The combined trajectory projects 2026 settlements for similar systemic violations running in the $50M-$200M range, with the high end driven by per-violation accumulation across large user bases combined with corrective-order costs (data deletion infrastructure, age-gate implementation, monitoring) that have grown substantially since 2019.

Lessons for 2026 enforcement scope

The TikTok precedent informs 2026 enforcement in three ways. First, scope: the FTC treats systemic violations as triggering elevated penalties beyond simple per-violation accumulation. Second, knowledge: 'actual knowledge' is established through multiple channels including platform analytics, not just direct user reports — and the 2025 rule's threshold for 'should have known' is even lower. Third, corrective orders: the FTC consistently requires deletion of under-13 user data, implementation of effective age-gating, and ongoing compliance monitoring as part of settlement frameworks.

Advertisers operating on platforms with documented under-13 access patterns face concurrent liability under FTC's expanded view of advertiser-side responsibility, particularly when advertiser targeting choices contributed to the violation. For ongoing enforcement tracking see /policy-tracker.

Platform Age-Gate Implementation

The four major platforms hosting children-adjacent advertising — Meta, TikTok, YouTube, Snapchat — implement age-gates with substantial per-platform variation. Understanding the per-platform mechanics is essential for advertisers running campaigns that could reach minor audiences.

Meta (Facebook + Instagram)

Meta's age-gate operates at account creation with date-of-birth entry. The platform employs additional age-estimation techniques including AI-based estimation from user photos, content interaction patterns, and connection-graph analysis to identify accounts with high probability of misrepresented age. Identified accounts are subject to age-verification requirements (typically government-ID upload or video selfie). For known under-13 users, Meta operates a restricted experience with substantially limited features, no targeted advertising, and parental-control integration. For under-18 users, Meta restricts certain ad categories and applies default privacy settings consistent with state-law obligations.

Advertiser role on Meta: When configuring campaign targeting, advertisers should explicitly exclude minor age brackets unless the campaign is intended for minors and has appropriate compliance documentation. Meta's targeting interface does not enforce this exclusion automatically — the advertiser must select it.

TikTok

TikTok's age-gate operates similarly at account creation, with significant subsequent investment in age-estimation following the 2019 FTC settlement and subsequent enforcement. TikTok's restricted experience for under-13 users prohibits all advertising, prevents direct messaging, restricts content sharing, and limits content creation. For 13-17 users, TikTok applies content-moderation defaults more aggressive than for adult accounts and restricts certain ad categories.

Advertiser role on TikTok: Similar to Meta, advertisers must select minor exclusion explicitly in campaign setup. TikTok's ad approval flow includes additional review for any campaign that could reach minor users, with rejection or restriction common for ad categories prohibited for minors.

YouTube

YouTube operates two distinct experiences: YouTube Kids (separate app, COPPA-compliant by design, restricted advertising and content) and standard YouTube with age-gated content categories. Account-level age verification follows Google account practices, with date-of-birth entry and subsequent ID verification for certain age-restricted features. For known minor accounts, YouTube applies default privacy settings, restricts certain video features, and limits ad categories.

Advertiser role on YouTube: YouTube Kids advertising is gated to a specific advertiser program with strict creative requirements; standard YouTube advertising allows minor exclusion through campaign targeting settings. Advertisers should verify their settings against the YouTube ad-policy categories that prohibit serving to minors.

Snapchat

Snapchat's age-gate operates at account creation with date-of-birth entry and subsequent verification triggered by suspicious activity. For minor accounts, Snapchat restricts certain features (location sharing, public profile visibility) and limits advertising categories. The platform's overall design has emphasized minor protection more prominently than some competitors.

Advertiser role on Snapchat: Campaign targeting can exclude minor age brackets, and Snapchat's ad approval flow flags campaigns that could reach minor users for additional review.

Cross-platform operational discipline

Across all four platforms, the operational discipline for advertisers is to explicitly exclude minor age brackets in campaign targeting unless the campaign is intentionally minor-directed, document the exclusion as part of campaign compliance package, periodically audit campaign delivery to confirm no minor delivery is occurring through targeting expansion or platform-side categorization changes, flag any campaign that approaches minor-content categories for legal review before launch, and maintain account-level documentation of compliance posture for FTC inquiry response. The discipline is foundational; failures in any of the five steps account for most enforcement-actionable advertiser violations in 2025-2026.

Compliance Checklist

[ ] Determine campaign scope: intentionally minor-directed, incidentally minor-reaching, or strictly adult-only — different compliance posture applies
[ ] For AI-generated creative, disclose the AI nature plainly on the creative itself, not relying on platform-applied labels alone
[ ] Document the consent basis for any targeting data used in the campaign
[ ] Verify targeting expansion (lookalike, interest-based) does not include minor populations
[ ] Configure platform-specific minor exclusion settings and document the configurations
[ ] Use age-restricted ad categories where available for strictly adult-only products
[ ] Run state-by-state compliance review against California AADC, Texas SCOPE, Florida HB 3, Utah, New York SAFE for Kids
[ ] Monitor campaign delivery metrics for any signs of minor-user reach
[ ] Establish incident response procedures for minor-user complaints or platform notifications including immediate campaign pause
[ ] Maintain account-level documentation of compliance posture for FTC inquiry response

For coordinated cross-jurisdiction review see the Legal Compliance Scan. For live policy tracking see /policy-tracker. For related synthetic-media enforcement context see Synthetic Media Enforcement Index Q1 2026. For platform-specific AI labeling rules see Meta AI-Generated Content Label Policy 2026 and AI Content Detection Technology 2026.

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#COPPA#KOSA#Children Privacy#AI Content#California AADC#Texas SCOPE Act#Florida HB 3#Minor Protection#FTC Enforcement#Compliance Guide 2026#Age-Gate#Synthetic Media

Share This Report

Tweet Share

Children's AI Content Compliance 2026 — COPPA, KOSA & State AI Laws Targeting Minors