
April 22, 2026 marked the enforcement date for the most significant overhaul of US children's privacy law since 2013. If your platform reaches anyone under 18 — even incidentally — the compliance environment has fundamentally changed.

Secure Privacy Team
Your product team is proud of your app's growth numbers. Millions of monthly actives, strong retention, a demographic that skews toward the 13–25 bracket. Last quarter, legal flagged that a meaningful share of your registered users appear to be under 13. Your parental consent workflow is minimal, your third-party SDK list hasn't been audited in eighteen months, and your data retention policy says nothing specific about children. The FTC just settled with Disney for $10 million over exactly this kind of gap. Your board wants to know your exposure.
This is no longer a niche compliance problem for dedicated children's apps. It is a systemic governance challenge for any digital platform that teenagers use, any gaming service that children access alongside adults, any EdTech product deployed in schools, and any streaming or social product that cannot affirmatively prove it has no users under 13. The regulatory machinery targeting youth data is accelerating at a pace unmatched anywhere else in privacy law — and the enforcement is real, recent, and expensive.
This guide is designed for the legal, product, engineering, and privacy teams who need to translate that regulatory pressure into operational decisions. It covers the legal landscape, the critical classification questions every organization must answer, the core compliance obligations now in force, and the governance architecture that makes ongoing compliance sustainable.

The FTC finalized comprehensive amendments to the Children's Online Privacy Protection Act Rule on January 16, 2025, publishing them in the Federal Register on April 22, 2025. The rule became effective June 23, 2025, with a compliance deadline of April 22, 2026 — the first major update to COPPA since 2013. That twelve-year gap matters because the enforcement posture has shifted dramatically. The FTC is no longer primarily focused on disclosure failures and missing privacy policies. It is pursuing systemic governance failures: advertising tracking embedded in children's apps without consent, undisclosed third-party SDK data flows, indefinite data retention, and consent mechanisms that obscure rather than enable parental rights.
The enforcement record makes that clear. In January 2025, game developer Cognosphere paid $20 million to settle allegations that it collected personal data from children without notifying parents or obtaining consent — and continued doing so even after it became aware of specific underage users. In September 2025, Apitor Technology settled over a third-party SDK embedded in its app that was collecting children's personal information without parental notice. That same month, Disney agreed to pay $10 million after allowing children's data to be collected and shared with advertising partners through videos on YouTube. The pattern across these cases is not one bad actor with one broken policy. It is organizations that did not have adequate visibility into their own data flows, and could not demonstrate that children's data was handled differently from adult data.
The state-level picture compounds the federal pressure considerably. Since 2022, a bipartisan wave of state legislation has extended privacy protections to teens — the 13–17 cohort that COPPA has never covered. Maryland, Connecticut, Colorado, Oregon, Vermont, Nebraska, and Arkansas have all enacted laws in this space, each with slightly different age thresholds, different definitions of prohibited data uses, and different standards for what constitutes knowledge of a user's age. Oregon's amendments, effective January 1, 2026, prohibit the sale of personal data or behavioral advertising for users the controller knows or willfully disregards to be under 16. Connecticut goes further, prohibiting those same activities for minors under 18 regardless of whether consent is obtained — effective July 1, 2026. The patchwork is not converging quickly, which means navigating the evolving landscape of global privacy laws in 2026 is now a continuous operational function, not an annual legal review.
Beyond legislative activity, the FTC has signaled that behavioral advertising to minors, dark pattern consent flows, and addictive design features are all active enforcement priorities. The Commission referred a complaint against Snap to the DOJ in January 2025, alleging that an AI chatbot in Snapchat created risk and harm to young users. State attorneys general are running their own parallel sweeps: California settled with Sling TV in late 2025 for failing to recognize that its streaming service had significant under-16 viewership and treating those users' data as general-audience data. The direction of enforcement is unmistakable — from technical violations toward structural accountability.
One of the most practically significant changes in the 2025 COPPA amendments is the formal introduction of a standalone definition for "mixed audience website or online service." Understanding where your platform sits among the child-directed, mixed audience, and general-audience categories is the foundational compliance question — and it is more complicated than most organizations assume.
A child-directed service is one where children under 13 are the primary intended audience. The FTC uses a multi-factor test that considers subject matter, visual content, use of animated characters, the presence of child-oriented activities, and the actual demographic composition of the user base. This last factor now carries more weight: the amended rule explicitly states that app store categories, user reviews referencing young users, and evidence of age on similar services are all signals the FTC will consider. A service cannot disclaim child-directed status simply because its terms of service set a 13-plus age requirement, if the product's design, marketing, and actual user demographics tell a different story.
Mixed audience platforms occupy a legally distinct middle ground. Under the 2025 amendments, a mixed audience service is one that meets the child-directed criteria but does not target children as its primary audience — and which verifies user age before collecting personal information. The operational significance is real: mixed audience operators can collect minimal personal information for age-screening purposes without first obtaining parental consent, provided that data is used only to determine whether the user is a child. If the user is confirmed to be under 13, full COPPA obligations apply before any further data collection proceeds.
Your gaming platform, your creator community, your sports streaming service — any of these could be mixed audience if children use them alongside adults and the design contains any of the FTC's listed signals. Think animated characters, content themes that appeal to minors, influencer marketing featuring teen audiences, integration with school curricula, or in-app purchase models that regulators have previously associated with child-directed services. The FTC has also clarified that if a portion of a general-audience website is directed toward children, then all visitors to that portion must be treated as children under COPPA regardless of the rest of the site's classification.
The risk of misclassification is not theoretical. It is the fact pattern in nearly every major enforcement case. Operators who assumed they were general-audience services because they had age gates or terms of service age restrictions — without verifying those gates actually worked, or auditing their SDK integrations for separate child-specific data flows — have repeatedly found themselves liable under COPPA's actual knowledge standard. Under the amended rule, willful disregard of user age is treated as equivalent to actual knowledge. That closes the deliberate ignorance strategy that some organizations have relied on.
Once an operator determines that COPPA applies — either because they are child-directed or because they have identified verified child users through an age-screening process — a specific set of obligations attaches. Understanding each in operational terms is essential before designing any compliance architecture.
Notice and Transparency
The direct notice to parents must now include substantially more than it did under the 2013 rule. Operators must identify the specific categories of third parties to whom children's personal information is disclosed, the purposes for each disclosure, and a statement that parents can consent to collection and use without consenting to third-party disclosure where that disclosure is not integral to the service. This last requirement is particularly significant for ad-supported platforms: it means that advertising-related data sharing requires separate parental consent, independent of the consent obtained for basic service operation. The FTC's 2025 press release explicitly describes this as preventing the routine monetization of children's data through advertising ecosystems without affirmative opt-in.
The definition of personal information has also been expanded. Biometric identifiers — fingerprints, facial templates, retina patterns, voiceprints — and government-issued identifiers such as state ID cards and passport numbers are now explicitly covered. For any platform that has deployed facial recognition, voice interaction, or identity-verification features, this expansion requires an immediate audit of what is being collected, how it is classified, and whether existing parental consent workflows cover these new categories.
Verifiable Parental Consent
The 2025 amendments add two new approved methods for obtaining verifiable parental consent alongside the existing options. Text-plus allows operators to send a text message to a parent's mobile number to initiate the consent process, provided the operator does not disclose children's data to third parties in the interim. Knowledge-based authentication — using challenge questions drawn from public records — has been codified as an approved method. Existing methods remain valid: credit card transactions, government ID verification, video calls with staff, and facial recognition matching a parent's selfie to a photo ID. The critical operational point is that consent for third-party disclosure is now a separate requirement from consent for collection and use. A consent workflow that bundles these together no longer satisfies the rule. Operators must architect two distinct consent tracks for any service that both collects children's data and shares it with external parties.
Parental consent also has an ongoing dimension that compliance teams frequently underestimate. The right to revoke consent is meaningful only if the revocation propagates downstream. If a parent withdraws consent from your platform but you have already shared the child's data with three analytics vendors and two advertising partners, and those vendors have their own retention schedules, the theoretical right of revocation is not actually honored. The 2025 rule requires that operators ensure third parties receiving children's information can maintain its confidentiality, security, and integrity — which in practice means your vendor contracts must include enforceable deletion and revocation propagation obligations.
For teams managing consent across complex environments — multiple apps, web and mobile surfaces, authenticated and unauthenticated states — a consent management platform built for multi-jurisdiction compliance is no longer optional infrastructure. The audit trail requirements alone — demonstrating to the FTC that consent was obtained, when, by what method, and for which specific uses — require systematic logging that manual processes cannot reliably produce.
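The two-track consent requirement and the audit-trail requirement described above can be made concrete in a small ledger. The following is an added example written for this guide, not Secure Privacy's product code or an FTC-published reference; the track names, method labels, purpose strings and child identifiers are invented for illustration. It records consent per track using only the verification methods the amended rule lists, answers "is this use permitted right now?" by failing closed, and produces the timestamp/method/scope record an auditor would ask for. Revocation is written to the ledger here; pushing it to downstream vendors is a separate step.

```python
"""Two-track verifiable parental consent ledger (added example, not Secure Privacy's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Track(Enum):
    COLLECTION_USE = "collection_use"                  # consent to collect and use for the service
    THIRD_PARTY_DISCLOSURE = "third_party_disclosure"  # separate consent to share externally


# Verification methods the amended rule recognizes (labels are our own shorthand).
APPROVED_METHODS = {
    "credit_card", "government_id", "video_call", "facial_match",
    "text_plus", "knowledge_based_auth",
}


@dataclass(frozen=True)
class ConsentEvent:
    child_id: str
    track: Track
    granted: bool           # False records a revocation
    method: Optional[str]   # None on revocation
    purposes: frozenset     # uses covered by this grant, e.g. {"account", "gameplay"}
    at: datetime


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record_consent(self, child_id, track, method, purposes, at):
        if method not in APPROVED_METHODS:
            raise ValueError(f"{method!r} is not an approved verification method")
        ev = ConsentEvent(child_id, track, True, method, frozenset(purposes), at)
        self.events.append(ev)
        return ev

    def record_revocation(self, child_id, track, at):
        ev = ConsentEvent(child_id, track, False, None, frozenset(), at)
        self.events.append(ev)
        return ev

    def _latest(self, child_id, track):
        hits = [e for e in self.events if e.child_id == child_id and e.track == track]
        return max(hits, key=lambda e: e.at) if hits else None

    def permits(self, child_id, track, purpose):
        """Fail closed: no record, a later revocation, or a purpose outside scope all deny."""
        ev = self._latest(child_id, track)
        return bool(ev and ev.granted and purpose in ev.purposes)

    def audit_record(self, child_id, track):
        """The record an auditor asks for: when, by which method, for which uses."""
        ev = self._latest(child_id, track)
        if ev is None:
            return None
        return {"child_id": child_id, "track": track.value, "granted": ev.granted,
                "method": ev.method, "purposes": sorted(ev.purposes),
                "timestamp": ev.at.isoformat()}


def demo_ledger():
    """Constructed scenario: collection consent only, then disclosure consent, then revocation."""
    led = ConsentLedger()
    t0 = datetime(2026, 4, 22, tzinfo=timezone.utc)
    led.record_consent("child-001", Track.COLLECTION_USE, "text_plus", {"account", "gameplay"}, t0)
    before = led.permits("child-001", Track.THIRD_PARTY_DISCLOSURE, "advertising")  # bundled consent is not enough
    led.record_consent("child-001", Track.THIRD_PARTY_DISCLOSURE, "credit_card", {"advertising"}, t0.replace(day=23))
    after = led.permits("child-001", Track.THIRD_PARTY_DISCLOSURE, "advertising")
    led.record_revocation("child-001", Track.THIRD_PARTY_DISCLOSURE, t0.replace(day=24))
    revoked = led.permits("child-001", Track.THIRD_PARTY_DISCLOSURE, "advertising")
    still_collect = led.permits("child-001", Track.COLLECTION_USE, "account")  # other track untouched
    return before, after, revoked, still_collect
```

The point of keeping the tracks in one ledger rather than two boolean columns is that every decision, including denials, is reconstructible from timestamped events, which is what "auditable consent records" means in practice.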
Data Minimization and Purpose Limitation
The core minimization obligation under COPPA has not changed: operators may not condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary. What has changed is the enforcement context. The FTC has consistently treated analytics SDKs, session replay tools, and advertising trackers embedded in children's apps as collectors of personal information even when the operator did not directly configure them for that purpose. The Apitor and Cognosphere cases both involved third-party SDKs operating as independent collectors of children's data — and the operator bore responsibility.
Practical minimization for a children's or mixed-audience platform means auditing every SDK in your mobile and web applications for what data it collects, to whom it transmits it, and whether its data practices are reflected in your parental notice and consent flow. It means disabling behavioral profiling features — recommendation engines, behavioral advertising segments, persistent cross-device identifiers — for authenticated child users. It means reviewing your telemetry and crash reporting configuration to ensure children's device data is not flowing to analytics platforms that aggregate it for advertising purposes.
Retention Requirements and Deletion Obligations
The 2025 amendments introduce, for the first time in COPPA's history, an explicit prohibition on indefinite data retention for children's personal information. Operators are prohibited from retaining children's data indefinitely. They are required to establish and maintain a written data retention policy that specifically addresses children's personal information — including the purpose for which it was collected, the business need, and the specific timeframe for deletion. That policy must be publicly available on the operator's website. A general corporate data retention policy that does not address children's data as a distinct category no longer satisfies this requirement.
Operationally, this is one of the most technically challenging aspects of the amended rule, and one of the most common audit failure points. Organizations that have been operating for several years often have children's data distributed across production databases, backup systems, analytics data warehouses, third-party analytics platforms, email marketing systems, and archived event logs. Deletion from the primary production database does not satisfy the obligation if backup restoration would reconstitute the data. Purpose-limited retention means that a child's account creation email, collected for authentication purposes, cannot be retained indefinitely in a marketing email list just because the organization's general retention schedule allows it. The retention schedule for children's data must be anchored to the specific purpose for which each data element was collected, not the organization's broadest permissible retention window.
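Anchoring retention to the purpose of collection, rather than to the organization's widest window, is easier to get right when the schedule is data the deletion job reads instead of a paragraph in a policy document. The block below is an added example for this guide, not Secure Privacy's code; the retention windows, store names and records are constructed for illustration and are not figures from the rule. It keys retention by (data element, purpose), refuses to fall back to a general enterprise window for a pair the child policy does not cover, and audits a set of records across several stores for both overdue deletions and uncovered purposes.

```python
"""Purpose-anchored retention schedule for children's personal information
(added example, not Secure Privacy's code; windows and stores are constructed)."""
from datetime import date, timedelta

# A general enterprise window of the kind the page warns against applying to children's data.
ENTERPRISE_DEFAULT_DAYS = 7 * 365

# Retention is keyed by (data element, purpose). The same element collected for a
# different purpose gets its own window or no entry at all.
CHILD_RETENTION_DAYS = {
    ("email", "authentication"): 180,            # constructed: 180 days after last sign-in
    ("email", "parental_notice"): 30,
    ("device_id", "crash_reporting"): 30,
    ("gameplay_events", "service_operation"): 90,
}


def deletion_due(element, purpose, collected_on):
    """Date by which this element must be gone for this purpose. A pair the schedule does
    not cover raises instead of inheriting ENTERPRISE_DEFAULT_DAYS, so nothing is retained
    indefinitely by omission."""
    key = (element, purpose)
    if key not in CHILD_RETENTION_DAYS:
        raise KeyError(f"no child retention rule for {key}")
    return collected_on + timedelta(days=CHILD_RETENTION_DAYS[key])


def days_cut_by_child_policy(element, purpose):
    """How much shorter the child-specific window is than the enterprise default."""
    return ENTERPRISE_DEFAULT_DAYS - CHILD_RETENTION_DAYS[(element, purpose)]


def audit_records(records, today):
    """records: dicts with element, purpose, collected_on, store. Returns findings for
    records held past their window and for (element, purpose) pairs the policy omits."""
    findings = []
    for r in records:
        key = (r["element"], r["purpose"])
        if key not in CHILD_RETENTION_DAYS:
            findings.append(("uncovered_purpose", r["store"], key))
            continue
        due = deletion_due(r["element"], r["purpose"], r["collected_on"])
        if today > due:
            findings.append(("overdue", r["store"], key, (today - due).days))
    return findings


def demo_audit():
    """Constructed records: the same email copied into a marketing list has no child
    purpose covering it, and a crash-report device id is well past its window."""
    today = date(2026, 4, 22)
    records = [
        {"element": "email", "purpose": "authentication",
         "collected_on": date(2026, 2, 1), "store": "prod_db"},
        {"element": "email", "purpose": "marketing",
         "collected_on": date(2026, 2, 1), "store": "email_marketing"},
        {"element": "device_id", "purpose": "crash_reporting",
         "collected_on": date(2026, 1, 1), "store": "crash_tool"},
    ]
    return audit_records(records, today)
```

Run `demo_audit()` and the marketing copy of the email surfaces as an uncovered purpose rather than silently inheriting the seven-year default, which is exactly the failure the paragraph above describes.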
Most of the organizations facing the greatest compliance exposure are not dedicated children's app developers. They are platforms with general or teen audiences where children are a known but imprecisely measured minority of actual users. This creates a governance problem that is architecturally different from a pure COPPA compliance problem.
A pure COPPA operator knows their entire user base is under 13. Every data flow, every vendor contract, every consent workflow applies uniformly. A mixed-audience operator must maintain two parallel compliance regimes within the same product: general-audience data practices for verified adults, and COPPA-compliant practices for identified children. The age-screening gate between those two regimes must actually function — not just exist. The FTC's mixed-audience definition specifically prohibits incentivizing users aged 13 and older with additional benefits or a better experience for providing age information, which means you cannot use access to premium features as an incentive to get users to claim they are adults.
This bifurcated architecture has implications throughout the product and data stack. Consent management must fork based on verified user age. SDK integrations must be conditionally suppressed for child-classified users. Behavioral advertising and recommendation personalization features must be disabled for identified minors. Analytics data pipelines must route children's data to COPPA-compliant retention schedules rather than standard data warehouse retention policies. User interface flows — including notification preferences, profile creation steps, and in-app purchase flows — must meet children's design standards for transparency and must not deploy dark patterns that obscure the nature of data collection.
The governance infrastructure required to maintain this bifurcation reliably, at scale, across product updates and vendor changes, is what separates organizations with sustainable compliance programs from those managing legal risk reactively. Building a thorough data protection impact assessment process into your product development lifecycle — not just for new features, but as a review gate when vendors change, SDKs are updated, or new advertising integrations are added — is the structural mechanism by which this governance stays current.
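The bifurcation described above (consent forking on age, SDK suppression, personalization off for minors, events routed to a COPPA retention tier) is most reliable when it is one policy function that every loader and pipeline consults. The following is an added example written for this guide, not Secure Privacy's or any vendor's code; the age classes, capability names and warehouse tiers are invented. It treats an unknown age exactly like a child, because the amended rule equates willful disregard with actual knowledge, and it lets a separate third-party-disclosure consent unlock only disclosure-related SDKs, never profiling.

```python
"""Age-classified capability gating for a mixed-audience product
(added example, not Secure Privacy's code; capability and tier names are invented)."""
from enum import Enum


class AgeClass(Enum):
    VERIFIED_ADULT = "verified_adult"  # age assurance confirmed 18+
    TEEN = "teen"                      # 13-17; state teen laws may still bar targeted ads
    CHILD = "child"                    # under 13: COPPA applies in full
    UNKNOWN = "unknown"                # screening not yet completed or inconclusive


# Integrations that collect personal information beyond what running the service needs.
ADULT_ONLY = {"ad_sdk", "attribution_sdk", "session_replay",
              "behavioral_personalization", "cross_device_id"}
# Needed to operate the service; kept for every class.
ESSENTIAL = {"auth", "crash_reporting_minimal"}
# What a separate third-party-disclosure consent may unlock for a child; profiling never is.
DISCLOSURE_CONSENTABLE = {"ad_sdk"}


def effective_capabilities(age_class, disclosure_consent=False, teen_ads_barred=True):
    """Return (enabled capability set, retention tier for this user's events).

    Fails closed: UNKNOWN is handled exactly like CHILD, because willful disregard
    of age is treated like actual knowledge under the amended rule."""
    caps = set(ESSENTIAL)
    if age_class is AgeClass.VERIFIED_ADULT:
        return caps | ADULT_ONLY, "standard"
    if age_class is AgeClass.TEEN:
        if not teen_ads_barred:            # only where no state rule bars teen targeting
            caps |= {"ad_sdk", "attribution_sdk"}
        return caps, "teen"
    if disclosure_consent:                 # the separate disclosure track, not collection consent
        caps |= DISCLOSURE_CONSENTABLE
    return caps, "coppa"


def should_initialize(sdk_name, age_class, disclosure_consent=False):
    """Infrastructure-level check an SDK loader calls before bootstrapping a library."""
    caps, _ = effective_capabilities(age_class, disclosure_consent)
    return sdk_name in caps


def route_event(event, age_class, disclosure_consent=False):
    """Choose sinks for a telemetry event: a tier-specific warehouse, plus the ad
    network only when the ad SDK is enabled for this user and the event is an impression."""
    caps, tier = effective_capabilities(age_class, disclosure_consent)
    sinks = [f"warehouse_{tier}"]
    if "ad_sdk" in caps and event.get("kind") == "impression":
        sinks.append("ad_network")
    return sinks
```

Because `should_initialize` and `route_event` both derive from `effective_capabilities`, an SDK cannot be loaded for a user whose events are being routed to the COPPA tier, which is the consistency property an auditor will probe.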
For any platform operating internationally, the US COPPA framework represents only one layer of a multi-jurisdictional compliance obligation. The UK and EU operate distinct frameworks that differ from COPPA in material ways — and in some respects are more demanding.
Under GDPR Article 8, the lawful basis for processing a child's personal data where consent is the chosen basis requires parental authorization for children under the relevant national age threshold, which varies between 13 and 16 depending on the member state — Germany sets it at 16, Ireland and France at 16, Sweden and Denmark at 13. Unlike COPPA, GDPR does not provide a prescriptive list of approved consent verification methods; the obligation is to make "reasonable efforts" to verify parental responsibility in a manner proportionate to the data processing involved. GDPR also imposes broader obligations that apply to children as a subset of data subjects — the right of erasure, portability, and objection — alongside specific protections for automated decision-making and profiling. Recital 38 explicitly identifies marketing to children and the creation of user profiles about children as processing that merits heightened protection.
The UK's Age Appropriate Design Code — the Children's Code — applies to any online service "likely to be accessed" by children under 18, including services that do not primarily target children. That "likely to be accessed" standard is broader than both COPPA's "directed to children" test and the GDPR Article 8 consent mechanism. The ICO's position is that if children could realistically use your service, the Code's 15 standards apply by default, including: privacy settings must default to the highest level of protection; geolocation must be off by default; profiling must be off by default unless the operator can demonstrate a compelling reason; nudge techniques and dark patterns designed to encourage children to provide more data than necessary or weaken privacy protections are prohibited. The UK Code applies to children and teens alike — its age threshold is 18, not 13.
At the state level in the US, the key distinction is the age threshold above COPPA's under-13 floor. Maryland, Vermont, Connecticut, and California (under its Age-Appropriate Design Code framework, which remains partially enjoined) all define "child" or "minor" as under 18 for purposes of the heightened protections. Colorado's children's privacy amendments, effective October 1, 2025, require businesses to conduct Data Protection Impact Assessments and apply a "heightened risk of harm" standard to minors without mandating age verification. Oregon and Connecticut, as noted above, prohibit targeted advertising to teens under specific age thresholds regardless of consent. The compliance implication for any US platform operating nationally is that COPPA compliance does not constitute compliance with the state-level teen privacy framework — the two regimes require parallel governance.
The penalties anchor this discussion in reality. COPPA violations can result in civil penalties of more than $53,000 per violation — and in multi-year enforcement patterns involving millions of children's records, that per-violation arithmetic becomes severe quickly. The Disney settlement at $10 million was not the upper bound; it was a negotiated figure. GDPR violations involving children's data can reach €20 million or 4% of global annual turnover under Article 83. The UK ICO uses equivalent GDPR-derived powers. State AG enforcement — illustrated by the California settlement with Sling TV and the March 2026 $1.1 million CalPrivacy fine against PlayOn Sports for sharing student data with advertising partners — adds further enforcement surface.

The consistent theme across both regulatory guidance and enforcement precedent is that children's privacy is not satisfied by a privacy policy and a checkbox. It requires an operational governance program — one with defined ownership, documented data flows, auditable consent records, tested deletion mechanisms, and ongoing vendor oversight. What follows is the structural architecture of such a program.
Data Inventory and Flow Mapping
The starting point for any youth data governance program is an accurate inventory of what data you collect from or about users who are, or may be, minors — and where that data goes. This means mapping every SDK integrated into your mobile applications, every analytics and advertising script loaded on your web properties, every third-party vendor that receives user data through API integrations, and every internal data pipeline that touches user records. The goal is not just to document what your privacy policy says happens to data; it is to verify that the actual data flows match that description.
For mixed-audience platforms, the flow map must answer a specific question: can you demonstrate that data from identified child users follows a different path than data from adult users? If your analytics platform receives the same event data regardless of user age, and that platform uses data for modeling and advertising purposes, you have an exposure. If your crash reporting tool collects device identifiers and sends them to a third-party aggregator, and that tool is active for all users including children, you have an exposure. The school data governance model — which requires explicit documentation of every EdTech vendor and what data each receives — is a useful operational template for any platform managing youth user populations.
Vendor and SDK Risk Management
Vendor management is where many organizations have their most significant unaddressed exposure. The embedded SDK risk is particularly acute: advertising SDKs, attribution tracking libraries, session replay tools, and analytics frameworks are often integrated at the project level without privacy team review, and they frequently collect more data than the integrating operator realizes. The Apitor enforcement case is a direct illustration — the operator was found liable for a third-party SDK's data collection practices even though the operator had not itself configured the SDK to target children.
Practical vendor governance for youth data means maintaining a current register of every third-party library and SDK in your applications, with documented answers to: what data does this vendor collect, does that collection happen before age verification, does the vendor's contract include COPPA-specific deletion and retention obligations, and can the vendor honor downstream revocation requests if a parent withdraws consent? Advertising and ad tech vendors deserve particular scrutiny. The 2025 COPPA amendments require separate parental consent for third-party disclosure for advertising purposes — which means any advertising SDK running for child-classified users without separate consent is a per-impression violation risk.
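The register questions listed above are easier to keep current when the answers are structured and a review is something you run rather than something you read. The block below is an added example for this guide, not Secure Privacy's code or any real vendor's data; the SDK names, categories and data element names are constructed. It takes a register of SDK entries, limits scope to those receiving personal information, and produces severity-ranked findings, with an advertising SDK active before age screening treated as the most serious case.

```python
"""SDK / vendor register review for youth data (added example, not Secure Privacy's code;
register entries and element names are constructed for illustration)."""
from dataclasses import dataclass

# Elements the amended rule treats as personal information, plus common device identifiers.
PERSONAL_INFO = {"device_id", "advertising_id", "ip_address", "email", "precise_location",
                 "voiceprint", "face_template", "government_id"}


@dataclass(frozen=True)
class SdkEntry:
    name: str
    category: str                     # "advertising", "analytics", "crash", "attribution", ...
    collects: frozenset               # data elements the vendor receives
    active_before_age_gate: bool      # initialised before the age-screening result is known
    contract_has_coppa_deletion: bool # deletion and retention obligations in the contract
    honors_revocation: bool           # vendor can act on a parent's consent withdrawal
    in_parental_notice: bool          # vendor category and purpose appear in the direct notice


SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def review_register(register):
    """Return findings sorted by severity then SDK name. Only SDKs that receive personal
    information are in scope; entries collecting none are skipped."""
    findings = []
    for s in register:
        if not (s.collects & PERSONAL_INFO):
            continue
        if s.active_before_age_gate:
            sev = "critical" if s.category == "advertising" else "high"
            findings.append((sev, s.name, "receives personal information before age screening"))
        if not s.in_parental_notice:
            findings.append(("high", s.name, "missing from direct parental notice"))
        if not s.contract_has_coppa_deletion:
            findings.append(("medium", s.name, "contract lacks deletion and retention terms"))
        if not s.honors_revocation:
            findings.append(("medium", s.name, "cannot act on consent revocation"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


def demo_register():
    """Constructed register: an ad SDK with every gap, a crash SDK loaded too early, a UI library."""
    return [
        SdkEntry("ads-sdk", "advertising", frozenset({"advertising_id", "ip_address"}),
                 active_before_age_gate=True, contract_has_coppa_deletion=False,
                 honors_revocation=False, in_parental_notice=False),
        SdkEntry("crash-sdk", "crash", frozenset({"device_id"}),
                 active_before_age_gate=True, contract_has_coppa_deletion=True,
                 honors_revocation=True, in_parental_notice=True),
        SdkEntry("ui-toolkit", "ui", frozenset(),
                 active_before_age_gate=False, contract_has_coppa_deletion=False,
                 honors_revocation=False, in_parental_notice=False),
    ]
```

Wiring `review_register` into the build pipeline so that a new or updated dependency without a register entry fails the build is the cheapest way to stop SDKs being added at the project level without privacy review.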
Cross-Functional Governance and Ownership
Youth data governance fails in organizations where it is treated as a legal team function rather than a cross-functional operational discipline. Legal can define the obligations. Product must build the consent flows, age-screening mechanisms, and feature flags that enforce child-specific data handling. Engineering must implement the data routing and SDK suppression logic. Marketing must understand which customer segments cannot receive behavioral advertising. Security must include children's data in their classification scheme and apply appropriate access controls. Vendor management must include youth data obligations in supplier assessments and contract terms.
Assigning explicit ownership for each of these governance domains — documented in writing, with clear escalation paths for new product decisions that affect youth users — is the organizational structure that makes the program durable across personnel changes and product evolution. Conducting a structured youth privacy impact assessment for any new feature, vendor integration, or advertising model change before deployment is the process-level mechanism by which that ownership is operationalized.
Enforcement patterns across FTC actions and state-level proceedings reveal a consistent set of operational failures. Understanding them in concrete terms is more useful than a generic compliance checklist.
The highest-risk single activity in children's data governance is behavioral advertising through third-party networks. The Disney, Cognosphere, and PlayOn Sports cases all involved advertising-related data flows as a central element of the alleged violations. The amended COPPA rule now requires separate opt-in parental consent before children's personal information is shared with advertising partners. Any platform that serves behavioral advertising to users and cannot demonstrate that child-classified users are categorically excluded from those campaigns — or that separate parental consent was obtained — is operating with material enforcement exposure.
The second most common trigger is inadequate age verification that allows COPPA obligations to be circumvented in practice. A simple self-declaration age gate — "I confirm I am 13 or older" — has been consistently treated by regulators as insufficient. The UK ICO's guidance explicitly states that simple self-declaration is "unlikely" to be an effective age gate under the Children's Code. Mixed-audience operators must implement age screening that genuinely gates access for child users, not just a UI element that sophisticated users can bypass. Age assurance techniques — which include statistical age estimation based on behavioral signals, third-party identity verification, and device-based signals from platforms like Apple and Google — offer varying levels of friction and privacy risk in themselves. The appropriate approach depends on the sensitivity of the data being protected and the scale of the child user population.
Indefinite or undifferentiated data retention is the third consistent failure mode. Before the 2025 amendments, many operators did not have children's data addressed as a distinct category in their retention schedules at all. Some had general enterprise retention policies driven by legal hold requirements — seven-year financial record retention, five-year employment record retention — that were applied uniformly to all user data including children's records, with no purpose-limitation logic. The amended rule's explicit prohibition on indefinite retention, combined with the requirement for a publicly available written policy specifically addressing children's data, closes this gap as a matter of law. Organizations that have not audited their retention architecture against a children's-data-specific framework are likely non-compliant as of April 22, 2026.
Stale or undocumented vendor relationships are a fourth structural gap. Privacy policies that refer generically to "service providers" without identifying the specific categories of third parties receiving children's data no longer satisfy the amended notice requirements. The direct notice to parents must now identify the identities or specific categories of third parties receiving children's information and the purposes for each disclosure. That obligation requires knowing, precisely and currently, which vendors receive children's data through your systems. Organizations that have never conducted an SDK audit or a third-party data flow review are unable to make that disclosure accurately — which means their parental notice is materially deficient on its face.
The governance model that regulators are converging on — across COPPA, GDPR, the UK Children's Code, and the state-level design code frameworks — treats youth privacy compliance as an ongoing operational discipline rather than a one-time legal exercise. The practical implication is that sustainable compliance requires infrastructure, not just documentation.
Privacy by design for youth-facing products means that child-specific data handling rules are encoded in the product and data architecture, not maintained as a manual process. Age-based feature flags that suppress advertising SDKs, behavioral personalization, and non-essential telemetry for verified child users must be implemented at the infrastructure level, not enforced through individual engineering decisions on each feature release. Consent logging must be automatic, structured, and queryable — able to produce, on demand, a record of when specific parental consent was obtained, for which specific data uses, and through which verified method. Deletion must be triggerable programmatically, propagating to backup systems, analytics platforms, and vendor integrations, not just the production database.
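Programmatic deletion that reaches backups, analytics and vendor integrations, as called for above and for revocation propagation earlier in this guide, needs two properties: every sink is verified by reading back, not by trusting the API call, and an unreachable vendor leaves the request open rather than marking it done. The following is an added example for this guide, not Secure Privacy's code; the sink names, the in-memory sink behaviour and the child identifier are constructed. Immutable backups are modelled with a tombstone that the restore path honours, since a backup cannot be edited in place.

```python
"""Deletion orchestration that propagates beyond the production database and verifies each
sink (added example, not Secure Privacy's code; sinks and records are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Sink:
    """A system holding children's records; delete() must be verifiable via holds()."""
    name: str
    records: dict = field(default_factory=dict)   # child_id -> stored payload
    unreachable: bool = False                     # simulate a vendor endpoint being down

    def delete(self, child_id):
        if self.unreachable:
            raise ConnectionError(f"{self.name} unreachable")
        self.records.pop(child_id, None)

    def holds(self, child_id):
        return child_id in self.records


@dataclass
class BackupSink(Sink):
    """Immutable backups cannot be edited in place; deletion is a tombstone the restore
    path must honour, so a restore never reconstitutes the record."""
    tombstones: set = field(default_factory=set)

    def delete(self, child_id):
        self.tombstones.add(child_id)

    def holds(self, child_id):
        return child_id in self.records and child_id not in self.tombstones

    def restore(self, child_id):
        return None if child_id in self.tombstones else self.records.get(child_id)


class DeletionOrchestrator:
    def __init__(self, sinks):
        self.sinks = list(sinks)

    def sink(self, name):
        return next(s for s in self.sinks if s.name == name)

    def delete_child(self, child_id, only=None):
        """Delete from every sink (or the named subset), then verify by reading back.
        The request is complete only when every sink confirms."""
        targets = [s for s in self.sinks if only is None or s.name in only]
        report = {"child_id": child_id, "confirmed": [], "pending": [], "complete": False}
        for s in targets:
            try:
                s.delete(child_id)
            except ConnectionError as exc:
                report["pending"].append((s.name, str(exc)))
                continue
            if s.holds(child_id):
                report["pending"].append((s.name, "still present after delete"))
            else:
                report["confirmed"].append(s.name)
        report["complete"] = not report["pending"]
        return report

    def retry(self, report):
        """Re-run only the sinks that did not confirm and merge the result."""
        again = self.delete_child(report["child_id"], only={n for n, _ in report["pending"]})
        merged = {"child_id": report["child_id"],
                  "confirmed": report["confirmed"] + again["confirmed"],
                  "pending": again["pending"]}
        merged["complete"] = not merged["pending"]
        return merged


def build_demo(child_id="child-001"):
    """Constructed estate: prod DB, backup, analytics, an ad vendor that is down, a mailing list."""
    payload = {"email": "parent+kid@example.invalid"}
    sinks = [Sink("prod_db", {child_id: payload}),
             BackupSink("nightly_backup", {child_id: payload}),
             Sink("analytics_warehouse", {child_id: payload}),
             Sink("ad_vendor_api", {child_id: payload}, unreachable=True),
             Sink("email_marketing", {child_id: payload})]
    return DeletionOrchestrator(sinks)
```

The report from `delete_child` is the artifact to retain: it shows which systems confirmed, which are still pending, and, after `retry`, when the request finally closed, which is the evidence a regulator asks for when a deletion or revocation request is in dispute.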
Continuous monitoring matters because the regulatory environment is moving faster than annual compliance review cycles can track. The state privacy law changes from 2025 alone — Oregon, Connecticut, Colorado, Vermont, Nebraska, Arkansas — all have active enforcement dates in 2026 or 2027. Utah's App Store Accountability Act takes effect May 6, 2026. California's Digital Age Assurance Act, requiring operating system providers to generate age signals for app developers, takes effect January 1, 2027. The FTC has signaled through its February 2026 policy statement on age verification technology that enforcement around age assurance will intensify. Keeping pace with these changes through manual regulatory tracking is not feasible for most compliance teams. Automated privacy governance platforms that monitor regulatory change, surface impacted workflows, and maintain audit-ready documentation are the operational infrastructure through which organizations maintain compliance posture across a continuously shifting regulatory landscape.
Before treating your youth data compliance program as current, work through each of the following:
Classification and Scope: Have you assessed whether your platform is child-directed, mixed-audience, or general audience under COPPA's multi-factor test? Have you reviewed the FTC's new evidentiary factors — app store categories, user reviews, audience demographics on similar services? If you operate internationally, have you assessed whether your platform is "likely to be accessed" by children under the UK Children's Code?
Consent Architecture: Is your verifiable parental consent workflow updated to use an FTC-approved method? Do you have a separate consent track for third-party disclosure for advertising purposes, distinct from consent for collection and use? Is your consent logging system producing auditable records with timestamps, methods, and specific consent scope? Can you honor revocation requests in a way that propagates to downstream vendors?
Retention Governance: Does your data retention policy specifically address children's personal information as a distinct category, including purpose and deletion timeframe? Is that policy publicly available? Have you tested whether deletion requests actually delete data from backup systems, analytics platforms, and vendor databases — not just your primary production database?
Vendor and SDK Audit: Do you have a current register of every SDK and third-party vendor that receives data from your platform? Have you assessed each for children's-data-specific contractual obligations? For advertising vendors specifically — can you demonstrate that child-classified users are categorically excluded from behavioral advertising segments, or that separate parental consent was obtained?
Notice and Transparency: Does your direct parental notice now identify specific categories of third parties receiving children's data and the purpose of each disclosure? Does it include the new required statements about the parent's ability to consent to collection without consenting to third-party sharing?
State-Level Teen Privacy: If you operate a US-facing platform, have you mapped your compliance obligations against the Oregon, Connecticut, Colorado, Vermont, Nebraska, and Arkansas teen privacy frameworks in addition to federal COPPA? Do you know the specific age thresholds, prohibited data uses, and enforcement dates for each?
Impact Assessment Process: Do you conduct a youth privacy impact assessment for new features, new vendor integrations, and advertising model changes before deployment? Is that process documented and cross-functional?
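To make the architecture described above concrete (age-based feature flags at the infrastructure level, structured and queryable consent logging, programmatic deletion that reaches backups, analytics and vendors) and the Consent Architecture, Retention Governance and Vendor and SDK Audit checks in the checklist testable, here is a small Python model of those three pieces. It is example code written for this guide, not code from the original post, from Secure Privacy or from any regulator. The scope names, the verification-method labels in `APPROVED_METHODS` and the store names in `build_sample_sinks` are assumptions chosen for illustration, and the sample stores are constructed in memory; the authoritative list of recognised parental-consent methods is the rule text itself.

```python
# Added illustration; scope names, method labels and sink names are assumptions for this example.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional

CHILD_AGE_LIMIT = 13  # federal COPPA threshold, as stated in the post
TEEN_AGE_LIMIT = 18   # state teen frameworks cover 13 to 17, as stated in the post

# Separate scopes, so consent to collect never implies consent to third-party ad disclosure.
SCOPE_COLLECT = "collect_and_use"
SCOPE_THIRD_PARTY_ADS = "third_party_advertising"

# Placeholder allowlist of method labels; the authoritative list is the rule text, not this set.
APPROVED_METHODS = {"signed_consent_form", "payment_card_transaction", "government_id_check"}

class Audience(Enum):
    CHILD = "child"
    TEEN = "teen"
    ADULT = "adult"

def classify(age: int) -> Audience:
    """Map an age-screened or verified age onto its protection class."""
    if age < CHILD_AGE_LIMIT:
        return Audience.CHILD
    return Audience.TEEN if age < TEEN_AGE_LIMIT else Audience.ADULT

@dataclass
class ConsentRecord:
    user_id: str
    scope: str
    method: str
    obtained_at: datetime
    revoked_at: Optional[datetime] = None

class ConsentLedger:
    """Append-only record of parental consent: who, which scope, which method, when."""
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, user_id: str, scope: str, method: str) -> ConsentRecord:
        if method not in APPROVED_METHODS:
            raise ValueError(f"unapproved verification method: {method}")
        rec = ConsentRecord(user_id, scope, method, datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def revoke(self, user_id: str, scope: str) -> int:
        """Close every live grant for (user, scope); returns how many were closed."""
        live = [r for r in self._records
                if r.user_id == user_id and r.scope == scope and r.revoked_at is None]
        for r in live:
            r.revoked_at = datetime.now(timezone.utc)
        return len(live)

    def has_consent(self, user_id: str, scope: str) -> bool:
        return any(r.user_id == user_id and r.scope == scope and r.revoked_at is None
                   for r in self._records)

    def audit(self, user_id: str) -> List[dict]:
        """On-demand evidence: one user's full consent history, revocations included."""
        return [vars(r) for r in self._records if r.user_id == user_id]

def feature_flags(user_id: str, audience: Audience, ledger: ConsentLedger) -> Dict[str, bool]:
    """One infrastructure-level gate deciding what the app may initialise for a user."""
    if audience is Audience.CHILD:  # nothing non-essential without the matching consent scope
        collect_ok = ledger.has_consent(user_id, SCOPE_COLLECT)
        ads_ok = collect_ok and ledger.has_consent(user_id, SCOPE_THIRD_PARTY_ADS)
        return {"ads_sdk": ads_ok, "behavioral_personalization": collect_ok,
                "nonessential_telemetry": collect_ok}
    if audience is Audience.TEEN:  # no behavioural advertising or profiling for 13 to 17
        return {"ads_sdk": False, "behavioral_personalization": False,
                "nonessential_telemetry": True}
    return {"ads_sdk": True, "behavioral_personalization": True, "nonessential_telemetry": True}

Sink = Callable[[str], bool]  # deletes one user's data; returns True only on confirmed removal

def delete_everywhere(user_id: str, sinks: Dict[str, Sink]) -> dict:
    """Fan one deletion out to every registered store; a sink that raises counts as failed."""
    confirmed, failed = [], []
    for name, sink in sinks.items():
        try:
            ok = sink(user_id)
        except Exception:
            ok = False
        (confirmed if ok else failed).append(name)
    return {"user_id": user_id, "confirmed": confirmed, "failed": failed, "complete": not failed}

def build_sample_sinks() -> Dict[str, Sink]:
    """Constructed in-memory stores standing in for production, backups, analytics and a vendor."""
    stores = {name: {"u1", "u2"} for name in ("production_db", "backups", "analytics")}
    sinks: Dict[str, Sink] = {  # set.discard() returns None, so each lambda answers "is it gone now?"
        name: (lambda uid, s=store: s.discard(uid) is None and uid not in s)
        for name, store in stores.items()}
    def vendor_unreachable(uid: str) -> bool:  # constructed failure: vendor API times out
        raise TimeoutError("vendor deletion API did not respond")
    sinks["vendor_ads"] = vendor_unreachable
    return sinks
```

Two design choices carry the weight here. Consent is keyed by scope, so a child user whose parent consented to collection still gets `ads_sdk` suppressed until a separate `third_party_advertising` grant exists, and a revocation flips the flag on the next evaluation without any per-feature code change. Deletion returns a report rather than a boolean: an unreachable vendor leaves `complete` false and names the store that did not confirm, which is exactly the record a Retention Governance check needs to show that a deletion request did or did not reach every downstream system.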
A mixed-audience app is one that meets the criteria for being directed to children — based on subject matter, visual content, intended audience, and actual demographics — but where children are not the primary target audience. Under the 2025 COPPA amendments, mixed-audience operators may collect limited personal information for the purpose of age screening before applying COPPA protections, provided that data is not used for any other purpose. Once a user is identified as under 13, full COPPA requirements apply before any further collection.
Federal COPPA applies only to children under 13. However, a growing number of states have enacted laws that extend heightened privacy protections to teens between 13 and 17, including prohibitions on behavioral advertising, targeted content, and the sale of teen data without affirmative consent. Connecticut, Oregon, Maryland, and Colorado all have active or forthcoming obligations in this space. Compliance with COPPA does not constitute compliance with these state frameworks.
Operators are explicitly prohibited from retaining children's personal information indefinitely. They must maintain a written retention policy specifically addressing children's data, stating the purpose of collection, the business need, and the specific deletion timeframe. That policy must be publicly available on the relevant website. Operators must also implement written information security programs with annual risk assessments, ongoing monitoring, and regular evaluation.
Analytics tools may collect children's data only to the extent that collection falls within an approved exception — such as support for internal operations — or where verifiable parental consent has been obtained. Many third-party analytics platforms collect data that goes beyond internal operational use, including data used for behavioral modeling and advertising. Operators are responsible for the data collection practices of third-party SDKs they embed in their applications, regardless of whether they explicitly configured the tool to target children.
Schools may provide consent on behalf of parents for the collection of student data by EdTech operators for educational purposes — this is the school authorization exception. The FTC has confirmed it will continue to enforce this exception under existing guidance even though it was not codified in the 2025 amendments. The exception is narrow: it applies to educational context only and does not extend to advertising, behavioral profiling, or data uses not integral to the educational service.
Under the amended COPPA rule, "accidental" collection is not a complete defense where the operator had risk signals suggesting minor users and failed to act on them. Willful disregard of user age is treated as equivalent to actual knowledge. An operator who receives complaint signals about underage users, or whose demographic data suggests significant minor usage, and who takes no corrective action, faces the same enforcement exposure as an operator with explicit knowledge. The obligation upon discovering children's data in your systems is to cease collection pending parental consent, notify parents of data already collected, and provide the opportunity for deletion.
Courts may impose civil penalties of more than $53,000 per violation. In cases involving millions of child user records with ongoing daily violations, aggregate penalties can reach tens of millions of dollars. The Disney settlement for $10 million and the Cognosphere settlement for $20 million are recent benchmarks. State-level enforcement adds further exposure: the March 2026 PlayOn Sports settlement was $1.1 million under California's privacy law. GDPR violations involving children's data are subject to penalties of up to €20 million or 4% of global annual turnover.
GDPR Article 8 requires parental authorization for processing a child's data based on consent, with the applicable age threshold varying by member state between 13 and 16. Unlike COPPA, GDPR does not prescribe specific verification methods; operators must make "reasonable efforts" proportionate to the risk of the processing. GDPR's broader data subject rights — erasure, portability, objection to profiling — also apply to children. Recital 38 specifically identifies marketing to children and the creation of children's user profiles as processing warranting heightened protection.
The enforcement posture around youth data has shifted from asking whether organizations have privacy policies to asking whether those policies reflect actual data practices — and whether the underlying practices are operationally governed. The FTC's recent enforcement record, the wave of state teen privacy legislation, and the global influence of the UK Children's Code all point in the same direction: youth privacy compliance is a continuous governance function, not a legal documentation exercise.
For organizations with meaningful exposure — mixed-audience platforms, gaming services, EdTech, streaming, social applications — the April 22, 2026 COPPA enforcement deadline was not the end of a compliance project. It was a forcing function for building the infrastructure that ongoing compliance requires: accurate data inventories, functioning consent architecture, purpose-limited and audited retention, vendor contracts with enforceable youth data obligations, and cross-functional ownership of the governance function. Organizations that treat this deadline as a one-time policy update rather than a sustained operational change are already accumulating the structural gaps that enforcement actions are built from.
Audit your youth data flows. Validate your consent and retention architecture. Bring your vendor register current. The risk is measurable, the obligations are specific, and the enforcement is active. Schedule a platform demo.