If you’ve ever wondered how children’s data is protected online, a key federal update just took effect. On April 22, 2026, updates to the Children’s Online Privacy Protection Act (COPPA) officially went into effect. COPPA is the primary U.S. law governing how companies collect and use children’s data online. Organizations subject to the rule are expected to be fully compliant with its revised requirements.
For families and communities, these updates shape how children’s information is collected, used, and protected online. In practice, this means stricter rules around what data can be collected, how long it can be kept, and how clearly parents must be informed and give consent.
The Federal Regulation and Rulemaking Process
The updated rule comes from the Federal Trade Commission (FTC), which is responsible for implementing and enforcing COPPA. While Congress passed the original law in 1998, agencies like the FTC issue regulations to define how those laws operate in practice.
To learn more about this process, see our Government Regulation Policy Circle Brief.
Key Updates to the COPPA Rule
These changes are designed to give parents more visibility and control but they also raise important questions about how privacy protections work in practice.
At a high level, the updates focus on three areas:
- Expanded Personal Information Definition: The rule broadens the definition of “personal information” to include biometric identifiers, such as fingerprints, voiceprints, facial templates, and other unique biological or behavioral characteristics. This reflects the growing role of emerging technologies in the apps, platforms, and services children use every day.
- Formalized Data Governance Requirements: Operators are now required to maintain written information security programs and data retention policies. These policies must be publicly available and outline how children’s data is collected, used, stored, and ultimately deleted, giving parents greater clarity about how their child’s information is handled. The rule also emphasizes limiting data retention to what is reasonably necessary.
- Enhanced Parental Consent Standards: Parental permission was often treated as a one-time approval for all data-related activities. The updated rule introduces more specific consent requirements. Operators must now obtain separate, verifiable parental consent before disclosing a child’s information to third parties, unless that sharing is integral to the service. Access for children cannot be conditioned on agreeing to secondary data sharing, an effort aimed at giving parents more direct control over how their child’s data is used.
Considerations and Tradeoffs in Children’s Privacy
While these updates aim to strengthen protections, they also highlight real tradeoffs.
Some observers note that “right to delete” applications, while intended to help children manage their digital footprint, could make it harder to identify online harms. For example, if a young person or parent deletes account data that includes private messages, they may unintentionally remove evidence of predator grooming before the issue is identified or reported.
There is also increasing attention on how federal and state privacy laws interact. While COPPA establishes a national framework, many states are adopting additional requirements. Because COPPA is increasingly treated as a floor rather than a ceiling, states are layering on more restrictive standards. This evolving patchwork may create compliance challenges, particularly for smaller organizations with limited legal and technical resources.
Looking Ahead at Protecting Children
With the compliance deadline now in effect, organizations should actively implement and monitor these changes. Ongoing policy updates, internal training, and oversight will likely play an important role in maintaining compliance over time.
As digital services continue to evolve, how COPPA is implemented may shape broader debates around children’s privacy, innovation, and the role of regulation. All are issues that increasingly affect how families navigate technology, education, and daily life.
In the coming weeks, The Policy Circle will explore these questions further in an upcoming Protecting Children Online Brief, examining the policy landscape, key tradeoffs, and considerations for stakeholders.
