COPPA Rule Amendments: What Businesses Need to Know (and Do) Now

Effective date: June 23, 2025
Compliance deadline: April 22, 2026

In April 2025, the Federal Trade Commission finalized sweeping amendments to the Children’s Online Privacy Protection Rule (COPPA). These changes significantly expand what counts as regulated data and tighten the rules for collecting and sharing children’s information online.

If your business operates a website, app, or digital service that may attract users under 13, even unintentionally, it’s time to reassess your data practices and compliance framework.


What’s Changed and Why It Matters

Operators must now obtain distinct parental consent for two things:

  • Collecting personal information from a child
  • Sharing that information with third parties


This replaces the prior approach where a single consent covered both.

Real-world example: A children’s learning app that shares user data with an analytics provider now needs a separate parental opt-in for that data sharing.

Exceptions apply when sharing is “integral” to the website or service. However, what counts as “integral” may be narrowly interpreted by the FTC.

Using children’s data to train or tune AI models is never considered “integral.” The FTC says it always requires a separate opt-in.

2. Biometric Data Is Now Covered

COPPA now includes biometric identifiers as personal information. This covers:

  • Facial recognition data
  • Voiceprints
  • Fingerprints
  • Iris scans
  • DNA sequences


The list is illustrative, not exhaustive, so any uniquely identifying biological data may be included.

Implications: Platforms using facial recognition for parental verification must implement safeguards, and even then, the FTC may pursue action under Section 5 if risk assessments are inadequate.

3. New Clarity on Inferred Data

The FTC clarified that inferred data, information about a child derived from other sources, is not considered personal information under COPPA.

However, that doesn’t exempt it from other legal scrutiny under state privacy laws or Section 5 of the FTC Act.

4. Dark-Pattern Engagement in the Crosshairs

The FTC declined to ban engagement features like push notifications or badges, but warned that “dark patterns” designed to prolong screen time or nudge use in harmful ways could still trigger enforcement under Section 5.

Takeaway: Not all nudges are illegal, but if they’re designed to keep kids online longer at the expense of wellbeing, they may come under fire.


What Types of Businesses Are Affected?

The amended rule applies to:

  • Children’s content platforms (games, learning, entertainment)
  • General-audience platforms that collect data from users under 13
  • EdTech platforms used in K–8 settings
  • Parental verification and identity verification vendors
  • Adtech and analytics vendors serving child-directed content


What You Should Do Now

With a compliance deadline of April 22, 2026, the clock is ticking.

Operators should immediately:

  • Audit all third-party data sharing: Is it integral? Is consent separated? Have reasonable steps been taken to ensure third parties can safeguard children’s data?
  • Review biometric data usage: Are you collecting facial, voice, or other identifiers?
  • Update privacy notices: Do you clearly name third parties and explain their purpose?
  • Reassess parental verification workflows: Are facial scans being used? Is there a documented risk assessment?
  • Coordinate COPPA and state privacy compliance: Many states now protect older minors (13–17), creating a dual compliance burden.
  • Draft and publish a written retention and security program: COPPA now requires a formal data retention policy and reasonable measures to protect the confidentiality, security, and integrity of children’s data.


Need Help Navigating COPPA and Beyond?

COPPA compliance is no longer just about collecting an email from a parent—it now involves deep scrutiny of third-party data flows, biometric risk, and engagement design.

At Sapience Law, we help digital operators, platforms, and education providers:

  • Develop compliant consent strategies
  • Structure privacy notices and workflows
  • Integrate federal and state-level minor privacy protections
  • Conduct risk and data assessments


Reach out to us today to ensure your platform is ready before regulators come knocking.