
What Is COPPA? A Parent's Guide for 2026

pixelOS Team · 6 min read

The pixelOS team researches child development, AI safety, and digital wellbeing to help parents make informed decisions about kids and technology.

Key Takeaways
  • COPPA (Children's Online Privacy Protection Act) requires apps to get parental consent before collecting data from kids under 13
  • Updated rules taking effect April 22, 2026 significantly strengthen protections, especially around AI and biometric data
  • Google paid $170M and Epic Games paid $275M for COPPA violations — enforcement is real
  • Look for platforms that are COPPA-compliant by architecture, not just by policy page

COPPA is a federal law that requires websites and apps to get parental consent before collecting personal information from kids under 13. It stands for the Children's Online Privacy Protection Act, and the FTC enforces it. If an app your kid uses collects their name, email, location, photos, or voice recordings, COPPA says the company needs your permission first.

That's the simple version. The 2026 updates make it significantly stronger, especially when it comes to AI.

Why COPPA Exists

Congress passed COPPA in 1998 because the internet was growing fast and kids were signing up for websites that collected their data with no restrictions. The law created a basic rule: if your product is directed at kids under 13, or if you know a user is under 13, you need verifiable parental consent before collecting their personal information.

The FTC has enforced COPPA consistently over the years. In 2019, Google and YouTube paid $170 million to settle FTC charges that YouTube collected personal information from kids without parental consent. In 2023, Epic Games (Fortnite's parent company) paid $275 million for COPPA violations related to collecting kids' data and using manipulative design practices. In 2024, the FTC took action against multiple ed-tech companies for similar violations.

These aren't small fines. They signal that the FTC takes this seriously.

What Changed in the 2025 Amendments

The FTC finalized major updates to the COPPA rule in 2025. These changes take effect on April 22, 2026. Here's what's different:

Area | Old Rule | New Rule (Effective April 22, 2026)
Personal information | Covered names, emails, addresses, photos, video, audio | Now also covers biometric identifiers (face prints, voice prints, fingerprints)
Consent for AI | Single blanket consent could cover multiple data uses | Separate consent required specifically for using kids' data to train AI models
Data retention | No specific time limits on keeping kids' data | Companies must delete kids' data when it's no longer needed for its original purpose
Targeted advertising | Some restrictions existed | Stronger prohibition on conditioning service access on unnecessary data collection
Third-party sharing | Required consent for sharing | Tighter rules on what operators can share with third parties and for what purposes

The most significant change for parents is the AI provision. If an app uses AI that interacts with your kid, the company now needs your explicit consent before feeding your child's interactions into AI training data. This wasn't required before.

What This Means for Apps Your Kid Uses Right Now

Most popular kids' apps are already COPPA compliant in some form. But "compliant" has a range. Some companies do the minimum required by law. Others build privacy into their product design.

Here's what to think about:

Apps that were already COPPA-compliant will need to update. The new biometric data rules mean that any app using voice input, facial recognition, or fingerprint authentication with kids under 13 needs to revisit its consent processes. If your kid uses a voice-controlled AI tool, the company needs your consent specifically for that voice data.

AI tutoring and educational apps face new requirements. Tools like Khanmigo, Duolingo, and other AI-powered learning apps that interact with kids will need separate consent for using those interactions to improve their AI models. Some may already have this in place. Others will need to add it.

Apps that rely on "we didn't know they were kids" will have a harder time. The FTC has been increasingly skeptical of the argument that a platform didn't know its users included children. If your product is popular with kids, the FTC expects you to act accordingly.

How to Check If an App Is COPPA Compliant

You don't need a law degree. Check for these four things:

  1. Privacy policy mentions children. Look for a section specifically about users under 13 or "children's privacy." If there's no mention of kids at all, the company either doesn't think kids use their product or hasn't bothered to address it. Neither is great.

  2. Data collection is disclosed. The privacy policy should clearly state what data is collected from kids, why it's collected, and how it's used. Vague language like "we may collect certain information" is a red flag.

  3. Parental consent process exists. There should be a real mechanism for getting your consent, not just a checkbox that says "I am over 13." COPPA requires "verifiable" parental consent, which means the company needs to actually verify that a parent approved the account. Methods include credit card verification, signed consent forms, or video calls.

  4. Data deletion is possible. You should be able to request that the company delete your child's data. If you can't find instructions for how to do this, the company is likely not handling data deletion properly.

Where COPPA Falls Short

COPPA is better than nothing, but it has real limitations.

The age cutoff is 13. A 14-year-old gets zero COPPA protection. Their data is treated the same as an adult's. This is a problem because a 14-year-old's judgment about data privacy is not the same as an adult's.

Enforcement is reactive. The FTC investigates and fines companies after violations happen, not before. There's no pre-approval process for kids' apps. A company can launch a product that violates COPPA and operate for years before the FTC catches up.

Self-reported age is still the primary screening method. Almost every app asks for your birthdate during signup and trusts whatever you enter. Kids know this. They've known this since long before AI.

How pixelOS Approaches Privacy

We built pixelOS to go beyond what COPPA requires, not just meet the minimum.

No data is sold. No data is shared with third parties for advertising. No data is used to train external AI models. Kids' creations stay in their private workspace. Parents control the creative boundaries through Parent Prompt. And when the new COPPA rules take effect in April 2026, we won't need to scramble to comply because the product was designed around these principles from the start.

For more on how to evaluate AI tools for your kid's safety, read our AI safety guide. For context on why safety matters so much right now, see what's happening with Roblox.


COPPA isn't perfect, but the 2026 updates are a meaningful step forward, especially on AI and biometric data. As a parent, knowing what the law requires gives you a baseline for evaluating the apps your kid uses. If an app can't meet even the minimum standard, it shouldn't be on your kid's device.

If you're looking for a kids' creative platform built around privacy from day one, get started with pixelOS.

Frequently Asked Questions

What age does COPPA protect?

COPPA protects children under 13. Any website or app that collects personal information from kids under 13, or that is directed at children under 13, must comply with COPPA requirements including verifiable parental consent. Children 13 and older receive no COPPA protection and their data is treated the same as an adult's.

When do the new COPPA rules take effect?

The updated COPPA rules finalized by the FTC in 2025 take effect on April 22, 2026. Key changes include expanded definitions of personal information to cover biometric data, separate consent requirements for using children's data to train AI models, stricter data retention limits, and stronger restrictions on targeted advertising to children.

How do I check if an app is COPPA compliant?

Check four things: the privacy policy mentions children or users under 13 specifically, data collection practices are clearly disclosed, a real parental consent mechanism exists beyond just a checkbox, and you can request deletion of your child's data. If the privacy policy doesn't mention kids at all, the company either doesn't think children use their product or hasn't addressed compliance.