COPPA’s Amended Rule Is Now in Full Effect: What Operators Need to Know

May 15, 2026

By Lynn Parker Dupree; LaQuan N. Bates

April 22, 2026, marked a hard deadline, not a suggested target. On that date, the Federal Trade Commission’s (FTC’s) amended Children’s Online Privacy Protection Act (COPPA) Rule took full effect for operators of child-directed websites and online services, as well as those with actual knowledge that they collect personal information from children under the age of 13. Operators that have not completed their compliance programs now face active enforcement exposure under the Rule. For a comprehensive review of the amendments themselves, see The FTC’s Updated COPPA Rule: Redefining Children’s Digital Privacy Protection. This article addresses what the deadline means in practice and where operator obligations now stand. 

The Deadline in Context 

The FTC published the final amendments to the COPPA Rule in the Federal Register on April 22, 2025. The Rule took effect 60 days later, on June 23, 2025, but most operators had until April 22, 2026, one year from the publication date, to achieve full compliance.

The financial exposure is considerable. COPPA civil penalties carry a maximum of $53,088 per violation. For operators whose noncompliant practices touch large user populations, that figure compounds quickly. 

Compliance Obligations Now in Effect 

The amended Rule imposes several new substantive requirements. The following represent the areas where operators are most likely to face gaps if they have not conducted a thorough review: 

    • Separate parental consent for third-party disclosures. A single, bundled consent covering both collection and third-party disclosure is no longer sufficient. Operators must now obtain distinct verifiable parental consent before disclosing children’s personal information to third parties for any purpose that is not integral to the service. Targeted advertising and artificial intelligence model training fall squarely outside the definition of integral. 
    • Written information security program. Operators must establish and maintain a written security program covering children’s personal information, including designated personnel, annual risk assessments, documented safeguards, regular testing of those safeguards, and annual evaluation and modification of the program. 
    • Written data retention policy. Operators must adopt a written retention policy that identifies what children’s personal information is collected, the business purpose for retaining it, and a specific deletion timeframe. The policy must be published in the operator’s online privacy notice. Indefinite retention is expressly prohibited. 
    • Expanded online notices. Privacy notices must now disclose the identities or categories of third parties receiving children’s information, the purposes of those disclosures, and the operator’s data retention policy. Operators that rely on the “support for internal operations” exception must also disclose the specific operations supported and the safeguards in place against unauthorized use. 
    • Third-party assurances. Before sharing children's personal information with vendors or other third parties, operators must take reasonable steps to confirm those parties are capable of maintaining appropriate data security and must obtain written assurances to that effect. 
    • Updated Data Subject Access Request (DSAR) processes. Because the amended Rule now includes biometric identifiers, such as voiceprints, faceprints, and facial templates, in the definition of personal information, operators must ensure that these data types are included when a parent exercises access rights under COPPA. 

Age Verification: A Parallel Development

On February 25, 2026, the FTC issued a Policy Statement limiting enforcement of the COPPA Rule when operators of mixed-audience or general-audience services collect children’s data solely to verify user age, without first obtaining parental consent.  

To qualify for this enforcement discretion, operators must meet several conditions, including restricting use of the collected data exclusively to age verification, employing reasonable security safeguards, deleting the data once verification concludes, and providing clear notice in their privacy policies. Operators must also take reasonable steps to ensure the age-verification method produces accurate results and limit any third-party disclosures to recipients capable of maintaining data confidentiality, backed by written assurances from those parties. Operators must be compliant with the COPPA Rule in every other respect to remain eligible. The FTC has indicated that it intends to pursue further rulemaking specifically addressing age-verification mechanisms through a standard notice-and-comment process. 

Where Operators Should Focus Now 

For operators still working through their compliance programs, the following priorities warrant immediate attention: 

    • Map children’s personal information across the full data lifecycle, from collection through deletion, and verify that actual practices match what published policies represent. 
    • Revise online privacy notices and direct parental notices to incorporate the expanded third-party disclosure and data retention disclosures. 
    • Restructure consent flows to obtain separate, distinct consent for any third-party disclosures that fall outside the definition of integral to the service. 
    • Finalize written data retention and information security programs, ensuring each addresses children’s personal information specifically, and publish the data retention policy within the operator’s online privacy notice. 
    • Audit vendor and third-party agreements to confirm written security assurances are in place where required. 
    • Train personnel involved in the collection, handling, or processing of children’s personal information on the obligations now in effect. 

Looking Ahead 

The April 22, 2026, deadline marks the first comprehensive update to children's online privacy obligations in over a decade, and one of the most significant since COPPA took effect in 2000. Compliance, however, is not a one-time exercise. The FTC has indicated that further rulemaking on age verification is forthcoming, and the broader state legislative landscape continues to evolve. Operators should build ongoing monitoring of regulatory developments into their compliance programs and can seek guidance from Finnegan on obligations specific to their operations. 

Tags

Children's Online Privacy Protection Act (COPPA), Federal Trade Commission (FTC)


Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
