What is the most important change in the amended COPPA Rule for advertisers?

The most important change in the amended COPPA Rule for advertisers is the unbundling of consent, which requires operators to obtain separate verifiable parental consent before disclosing a child's personal information to third parties for purposes such as targeted advertising — meaning third-party behavioral advertising to children is now blocked by default unless a parent expressly opts in. Under the prior approach, the consent an operator obtained for collecting and using a child's data could effectively carry along the disclosure of that data to third parties, and targeted advertising rode on that general permission. The amended Rule severs that link. Collecting and using a child's data is one permission; disclosing that data to third parties for targeted advertising is a separate permission that must be obtained on its own, unless the disclosure is integral to providing the service — and targeted advertising is generally not integral. The practical consequence is a default flip: where third-party behavioral advertising to children might previously have proceeded under a broad consent, it now cannot occur at all unless a parent affirmatively opts in to that specific use, separately from agreeing to the service's basic data collection. For advertisers and ad tech, this is not a paperwork change; it is a structural constraint on the children's advertising data supply. Child-directed and mixed-audience services must redesign their consent flows so the targeted-advertising disclosure is presented as its own choice that a parent can decline while still letting the child use the service, and operators must ensure their systems do not pass children's data to third-party advertising partners absent that separate opt-in. Because many parents will not opt in to behavioral advertising for their children, the realistic effect is a substantial reduction in the volume of children's data available for third-party targeted advertising, which pushes child-directed services toward contextual advertising that does not depend on disclosing personal information. The amended Rule became effective on June 23, 2025, with a general compliance date of April 22, 2026, so the redesign needs to be complete by that deadline. Audit where children's data flows to third parties with the AI Compliance Audit , and ground the US framework with the United States advertising compliance guide . The organizing principle is that consent is now unbundled: targeted-advertising disclosure needs its own parental opt-in and defaults to off.

When does the amended COPPA Rule take effect and when must companies comply?

The amended COPPA Rule became effective on June 23, 2025, and the general compliance date for most of its obligations is April 22, 2026, with certain safe-harbor-related deadlines arriving earlier — and the gap between those dates is the planning trap operators must avoid. The timeline runs as follows: the Federal Trade Commission announced the finalized amendments in January 2025, the amended Rule was published in the Federal Register on April 22, 2025, it became effective sixty days later on June 23, 2025, and most operators have until April 22, 2026 — one year from publication — to bring their practices into full compliance with the new obligations. The reason this two-date structure matters is that an operator that reads only the effective date might assume everything was required as of mid-2025 and either panic or, conversely, an operator that focuses only on the compliance date might defer all work to 2026 and run out of runway, because the changes — rebuilding consent flows, re-mapping data categories, writing retention and security policies — take months to implement properly across a product and its vendor relationships. The disciplined reading is that the Rule is legally in effect now and the obligations crystallize at the compliance date, so the window between mid-2025 and April 2026 is implementation time, not optional time. Organizations that operate FTC-approved safe harbor programs face earlier deadlines for certain updates and should confirm those specific dates. A further reason not to treat the compliance date as soft is that the FTC has signaled that children's privacy is an enforcement priority, so operators should assume the agency expects timely compliance rather than a grace period beyond the stated date. Because the FTC has continued to issue implementation guidance, and children's privacy remains an active regulatory area, operators should verify the current obligations and any refinements against the FTC's official sources rather than relying on a single summary written at one point in time. To track the Rule's status and related developments, use the Policy Change Tracker , and to map your obligations across jurisdictions use the Legal Compliance Scan . The organizing principle is that the Rule is effective as of June 23, 2025 with general compliance due April 22, 2026, so the intervening period is implementation time and the deadline should be treated as firm.

How does the amended Rule expand the definition of children's personal information?

The amended COPPA Rule expands the definition of personal information to include biometric identifiers and government-issued identifiers beyond Social Security numbers, which widens the surface area of the entire regulation because every COPPA obligation attaches to data that counts as regulated personal information. Under the amended definition, personal information now expressly includes a biometric identifier that can be used for the automated or semi-automated recognition of an individual — examples include fingerprints, handprints, retina and iris patterns, voiceprints, and genetic data — and it includes government-issued identifiers other than Social Security numbers, while retaining the established categories such as geolocation data and persistent identifiers used to track a user across sites or services. The significance of this expansion is that data which a service might previously have treated as outside COPPA's reach is now squarely regulated when it concerns a child under 13, which means the consent, retention, security and disclosure obligations all apply to it. For advertisers and the vendors that support them, the biometric expansion is the most operationally important piece, because modern advertising and engagement features increasingly touch biometric data: face filters and augmented-reality try-on experiences process facial geometry, voice-interactive features process voiceprints, and recognition technologies of various kinds process biometric identifiers. When any of these features are offered to or used by children, the biometric data they process is now regulated children's personal information, and collecting or using it requires verifiable parental consent, cannot be retained indefinitely, must be protected by the written security program, and cannot be disclosed to third parties for targeted advertising without the separate opt-in. This forces a re-examination of any child-facing feature that captures biometric signals, because such features may have been built on the assumption that the data was not COPPA-regulated. The expansion also reflects the broader regulatory recognition that biometric data is especially sensitive and that children warrant heightened protection for it. Operators should inventory every feature that could process a child's biometric or government-issued identifier, confirm whether the service is child-directed or has actual knowledge it is dealing with a child, and bring those data flows under the full COPPA program. For the advertising-specific biometric crossover, see the Snapchat AR try-on guide , and audit data collection with the AI Compliance Audit . The organizing principle is that biometric and additional government identifiers are now regulated children's data, so any child-facing feature touching them falls under the full set of COPPA obligations.

What are the new data retention and security obligations under the amended Rule?

The amended COPPA Rule adds two affirmative obligations beyond consent: operators must establish a written data-retention policy and may not retain children's personal information indefinitely, and they must maintain a written information-security program — duties that convert previously vague expectations into documented, demonstrable requirements. On retention, the Rule requires that children's personal information be kept only for as long as reasonably necessary to fulfill the specific purpose for which it was collected, after which it must be deleted, and it requires operators to establish and maintain a written policy describing their retention practices. This is a meaningful shift because it forecloses the common practice of holding onto data indefinitely on the theory that it might be useful later — including for future advertising or product uses. Under the amended Rule, there must be a defined purpose, a retention period tied to that purpose, and deletion when the purpose is met, all documented in a written policy. For advertisers, this reinforces the data-minimization direction that runs through modern US privacy law: you cannot stockpile children's data for undefined future targeting, and you must be able to show the policy that governs how long you keep it and why. On security, the Rule requires operators to establish, implement and maintain a written information-security program containing safeguards appropriate to the sensitivity of the children's personal information they handle, which formalizes the duty to protect that data rather than leaving security to ad hoc practice. Together these obligations mean an operator must be able to produce two documents on demand — a retention policy and a security program — and to show that its actual practices match them. The practical work is to inventory what children's data is collected, assign each category a purpose and a retention period, build deletion into the data lifecycle so information is purged when its purpose is fulfilled, and document the security safeguards protecting the data in storage and transit. Because these are written-policy requirements, the absence of documentation is itself a compliance gap even if the underlying practices are reasonable, so operators should not defer the paperwork. The retention limit also interacts with the consent and disclosure rules: data that should have been deleted cannot lawfully linger in systems that feed advertising. Map your data lifecycle and retention exposure with the Legal Compliance Scan , and track obligations on the Policy Change Tracker . The organizing principle is that the amended Rule requires documented retention limits and a written security program, so children's data must be kept only as long as necessary, deleted when its purpose is met, and protected under a written program.

Does the amended COPPA Rule apply to my service, and how should I prepare?

The amended COPPA Rule applies to operators of websites and online services that are directed to children under 13, and to operators of general-audience or mixed-audience services that have actual knowledge they are collecting personal information from a child under 13 — and preparing means mapping your children's data, rebuilding consent, and standing up retention and security documentation before the April 22, 2026 general compliance date. The threshold question is whether your service is child-directed or whether you have actual knowledge that you are dealing with under-13 users; if either is true for any part of your service, COPPA's obligations apply to that data, and the amended Rule's new requirements come with it. Many advertisers and product teams underestimate this scope because they think of their service as general-audience, but a mixed-audience feature, a child-appealing section, or actual knowledge gained through age signals can pull a service into COPPA for the relevant data. Once you determine the Rule applies, preparation runs through several concrete steps. First, inventory where you collect, use and disclose data from children, and update that inventory to capture the newly regulated categories — biometric identifiers and government-issued identifiers beyond Social Security numbers — because those may not have been tracked before. Second, rebuild consent flows so that the permission to disclose children's data to third parties for targeted advertising is separated from general collection consent, presented as its own choice, and declinable without denying the child access to the service; and ensure third-party behavioral advertising to children defaults off absent that express opt-in. Third, write a data-retention policy that ties retention to purpose and builds in deletion when the purpose is fulfilled, eliminating indefinite retention. Fourth, establish and document a written information-security program covering children's data. Fifth, because the FTC has continued to publish implementation guidance and treats children's privacy as an enforcement priority, confirm the current obligations against the FTC's official sources before finalizing, rather than relying on a single summary. Finally, coordinate with your advertising and analytics vendors, because their handling of children's data is part of your compliance posture, and a vendor that passes children's data to third parties for targeted advertising without the separate consent creates exposure for you. To map exposure across jurisdictions use the Legal Compliance Scan , to audit data flows use the AI Compliance Audit , and for the broader children's framework see the children's AI content compliance guide . The organizing principle is that the Rule applies to child-directed services and to general services with actual knowledge of under-13 users, so determine your status first, then map data, rebuild consent, and document retention and security before the compliance date.

COPPA Rule Amendments 2026: Children's Data, Ad Consent

Quick Answer

The Federal Trade Commission's amended Children's Online Privacy Protection Rule is the most significant update to US children's privacy regulation in over a decade, and it changes how operators handle kids' data in ways that directly affect advertising. The FTC announced the finalized amendments in January 2025, the amended Rule was published in the Federal Register on April 22, 2025 and became effective on June 23, 2025, and the general compliance date for most obligations is April 22, 2026, with certain safe-harbor-related deadlines arriving earlier. Three changes matter most for advertisers and ad tech. First, operators must now obtain separate verifiable parental consent before disclosing a child's personal information to third parties for purposes such as targeted advertising, unless that disclosure is integral to the website or service; in practice this means third-party behavioral advertising to children is blocked by default unless a parent expressly opts in, separate from the consent that covers the operator's basic collection and use. Second, the definition of personal information is expanded to include biometric identifiers — such as fingerprints, retina and iris patterns, voiceprints and genetic data — and government-issued identifiers beyond Social Security numbers, widening what counts as regulated children's data. Third, operators must adopt a written data-retention policy and may not keep children's personal information indefinitely, retaining it only as long as reasonably necessary for the purpose collected, and must maintain a written information-security program. Because the law has been the subject of ongoing implementation guidance, confirm current obligations against the FTC's official sources before finalizing compliance. Audit data flows with the AI Compliance Audit, map exposure with the Legal Compliance Scan, and track changes on the Policy Change Tracker.

COPPA Rule Amendments in 2026: The Children's Privacy Overhaul That Changes Targeted Advertising, Biometrics and Data Retention

What the Amended COPPA Rule Is

The Children's Online Privacy Protection Rule is the Federal Trade Commission's regulation implementing COPPA, the statute that governs how online services collect and use the personal information of children under 13. In its 2025 amendments — the first major overhaul of the Rule in over a decade — the FTC tightened the consent regime for advertising, broadened the definition of regulated personal information, and added affirmative obligations around data retention and security.

For advertisers and ad tech, the amended Rule is consequential because it does not merely restate existing protections; it changes the default. Third-party behavioral advertising to children moves from something that could ride along with general consent to something that requires its own separate, explicit parental opt-in, and the categories of data that count as regulated children's information expand to include biometric and additional identifiers.

"The amended COPPA Rule's central move is to unbundle consent: collecting a child's data and disclosing it to third parties for targeted advertising are now separate permissions, and the second cannot be assumed from the first.
— AuditSocials analysis of the FTC's COPPA Rule amendments"

This guide covers the timeline, the new separate-consent requirement for targeted advertising, the expanded personal-information definition, the retention and security obligations, and what operators should do before the compliance date. Ground the US picture with the United States advertising compliance guide, and for the AI-content dimension see the children's AI content compliance guide.

Effective June 2025, Compliance April 2026

The amendment timeline matters because the effective date and the general compliance date are different, and planning to the wrong one creates exposure.

Key Dates

Date	Event
January 2025	FTC announces finalized amendments to the COPPA Rule
April 22, 2025	Amended Rule published in the Federal Register
June 23, 2025	Amended Rule becomes effective
April 22, 2026	General compliance date for most obligations

The structure gave operators a transition window: the Rule took effect in mid-2025, but full compliance with most of the new obligations is required by April 22, 2026, with certain safe-harbor-related deadlines arriving earlier. Because the FTC has continued to publish implementation guidance and signaled active enforcement of children's privacy, operators should confirm current obligations and any updates against the FTC's official sources rather than relying on a single point-in-time summary. Track movement on the Policy Change Tracker.

Separate Consent for Targeted Advertising

The change with the largest advertising impact is the unbundling of consent. Under the amended Rule, operators must obtain separate verifiable parental consent before disclosing a child's personal information to third parties for purposes such as targeted advertising, unless that disclosure is integral to the website or online service.

What Unbundled Consent Means in Practice

Two permissions, not one: The consent that covers the operator's basic collection and use of a child's data no longer automatically covers disclosing that data to third parties for targeted advertising; the second use needs its own express opt-in.
Default is off: The practical effect is that third-party behavioral advertising to children is blocked by default unless a parent affirmatively opts in to it.
Integral exception is narrow: Disclosures integral to providing the service are treated differently, but targeted advertising is generally not integral, so it does not fall within that exception.

For ad tech and operators of child-directed or mixed-audience services, this requires redesigning consent flows so the targeted-advertising permission is presented separately and can be declined without losing access to the service. Audit where children's data flows to third parties with the AI Compliance Audit, and ground platform rules for younger audiences with the YouTube Made for Kids guide.

Biometrics and an Expanded Personal-Information Definition

The amended Rule widens what counts as a child's personal information, which expands the surface area of the entire regulation because every obligation attaches to regulated personal information.

Newly Covered Categories

Biometric identifiers: The definition now includes biometric identifiers that can be used for automated or semi-automated recognition of an individual — such as fingerprints, handprints, retina and iris patterns, voiceprints and genetic data.
Government-issued identifiers: Coverage extends to government-issued identifiers beyond Social Security numbers.
Existing categories retained: Geolocation, persistent identifiers used for tracking, and the other established categories remain in scope.

For advertisers and the vendors they rely on, the biometric expansion is especially relevant to features such as face filters, voice interfaces and any recognition technology that might process a child's biometric data, because that data is now squarely regulated children's information subject to the consent, retention and security rules. For the augmented-reality and biometric crossover in advertising, see the Snapchat AR try-on guide, and define terms with the compliance glossary.

Data Retention Limits and Security

Beyond consent and definitions, the amended Rule adds affirmative obligations about how long children's data may be kept and how it must be protected.

The New Affirmative Duties

Written retention policy: Operators must establish and maintain a written policy for the retention of children's personal information.
No indefinite retention: Children's personal information may not be retained indefinitely; it may be kept only as long as reasonably necessary to fulfill the specific purpose for which it was collected, and must then be deleted.
Written security program: Operators must establish and maintain a written information-security program with safeguards appropriate to the sensitivity of children's data.

These duties convert vague expectations into documented obligations: the data cannot be hoarded for undefined future uses, including future advertising uses, and the operator must be able to show a written policy and program. For advertisers, the retention limit reinforces the broader data-minimization direction of US privacy law — collect for a defined purpose, keep only as long as needed, and do not stockpile children's data. Map your data lifecycle with the Legal Compliance Scan.

What Advertisers and Operators Should Do

With the general compliance date set for April 22, 2026, operators of child-directed and mixed-audience services, and the advertisers and vendors who work with them, should treat the remaining window as implementation time.

Preparation Steps

Map children's data: Inventory where you collect, use and disclose data from children under 13, including biometric and government-issued identifiers now in scope.
Rebuild consent flows: Separate the targeted-advertising disclosure permission from general collection consent, so it can be presented and declined independently.
Default third-party ad disclosure off: Ensure third-party behavioral advertising to children does not occur without a parent's express, separate opt-in.
Write the retention policy: Document retention periods tied to purpose, with deletion when the purpose is fulfilled.
Stand up the security program: Maintain a written information-security program covering children's data.
Confirm current obligations: Because implementation guidance has evolved, verify the latest requirements against the FTC's official sources before finalizing.

Stress-test multi-jurisdiction exposure with the Legal Compliance Scan, and keep watch on developments through the Policy Change Tracker.

COPPA Amendments Readiness Checklist

[ ] Collection, use and disclosure of under-13 data inventoried, including new categories
[ ] Biometric and government-issued identifiers identified and treated as personal information
[ ] Targeted-advertising disclosure consent separated from general collection consent
[ ] Third-party behavioral advertising to children defaulted off without express opt-in
[ ] Consent flows allow declining ad disclosure without losing service access
[ ] Written data-retention policy established, tied to collection purpose
[ ] Indefinite retention eliminated; deletion on purpose fulfillment implemented
[ ] Written information-security program for children's data maintained
[ ] Compliance scheduled against the April 22, 2026 general compliance date
[ ] Current obligations confirmed against the FTC's official sources

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#COPPA#Children's Privacy#Targeted Advertising#FTC#Biometric Data#Data Retention#Parental Consent#Kids & Teens#Advertisers#2026 Policy#United States#Compliance Guide 2026

Share This Report

Tweet Share

EU AI Act Article 50 Transparency Code of Practice June 2026: What AI Ad Creative Must Disclose Before August 2

The European Commission published its Transparency Code of Practice for AI-generated content on June 10, 2026 — weeks before EU AI Act Article 50 obligations apply on August 2. Here is what advertisers using AI ad creative must label, mark, and document.

EU DSA Article 26 — Political Advertising Transparency: First-Year Implementation Data Across 27 Member States

EU DSA Article 26 governs political ad transparency across the EU — first-year data shows uneven member-state activity, Ireland enforcement concentration, and a tiered penalty structure.

FTC AI Endorsement Rules 2026 — 16 CFR Part 255 Application to Synthetic Content & State Equivalents

The FTC's 16 CFR Part 255 framework now applies to synthetic endorsements with per-violation penalties up to $53,088, stacking with California, Colorado, and New York laws into compound liability.

COPPA Rule Amendments in 2026: The Children's Privacy Overhaul That Changes Targeted Advertising, Biometrics and Data Retention