COPPA
is
the Children's Online Privacy Protection Act, a U.S. federal law that governs how websites and online services collect, use, and disclose personal information from children under 13.
Implemented by the Federal Trade Commission (FTC), it has recently undergone its most significant overhaul in two decades to tackle the specific challenges posed by generative AI.
The New AI Standard for Parental Consent
One of the biggest shocks for AI companies is the FTC's new stance on what counts as "integral" to a service. In the past, a company might argue that using a child's data to improve their AI was necessary for the app to work. Not anymore. As of the June 2025 Final Rule, the FTC explicitly states that sharing a child's data with third parties to train or develop AI is not integral to a service's functionality. What does this mean in plain English? It means you can't bundle consent. You can't say, "By signing up for this game, you agree to let us collect data and use it to train our AI." You now need a separate, distinct, and verifiable parental consent (VPC) mechanism specifically for AI training. If a parent says yes to the app but no to the AI training, you have to respect that. If you don't, you're looking at the kind of settlements we saw in late 2025, like Disney's $10 million payout for failing to properly label kid-directed content.Biometrics and the Expanded Definition of Personal Info
AI doesn't just read text; it listens to voices and looks at faces. To address this, the updated COPPA Rule expanded the definition of "personal information" to include biometric identifiers. This includes things like voiceprints and facial recognition templates-the very building blocks of many generative AI tools. If your AI assistant analyzes a child's tone of voice or uses a camera to track their expressions, you are now handling sensitive biometric data. This isn't just a technicality; it changes how you store and protect data. The FTC is no longer accepting the excuse that "de-identified" data is safe. In a January 2026 update, they clarified that if there's any reasonable way to re-identify a child from that data, it's still personal information and subject to full COPPA protections.| Feature | Old COPPA Approach | New AI-Era Requirements |
|---|---|---|
| AI Training Consent | Often bundled with general terms | Separate, non-bundled VPC required |
| Biometric Data | Vague or loosely defined | Explicitly includes voiceprints and facial templates |
| Data Retention | Often indefinite for "improvement" | Strict, written timeframes for deletion |
| Third-Party Sharing | Broadly permitted if "integral" | AI training is explicitly non-integral |
The "Internal Development" Loophole
Here is where it gets messy. While the law is crystal clear about sharing data with *third parties* for AI training, there is a gray area regarding *internal* training. If a company uses children's data to train its own proprietary AI model, is a second layer of consent required? Currently, the Rule allows data use for "internal operations" like fixing bugs. However, groups like the Electronic Frontier Foundation (EFF) are warning that this is a dangerous loophole. Companies might try to claim that improving their own AI is just a "feature update" to avoid asking parents for more permission. If you're a business owner, relying on this loophole is a gamble. Proposed legislation like the Kids PRIVCY Act aims to close this gap, and the FTC's AI Chatbot Inquiry is already looking into how these internal processes actually work.
Strict Limits on Data Retention
For a long time, the AI industry's mantra was "more data is better." Companies hoarded everything, claiming they needed it indefinitely to refine their algorithms. The FTC has officially shut that down. You are now required to have a written data retention policy that specifies exactly when data will be deleted. Data cannot be kept longer than is reasonably necessary for the purpose it was collected. This creates a massive technical headache for AI developers. Why? Because it's incredibly hard to "unlearn" specific data from a trained neural network. If a parent requests that their child's data be deleted, simply deleting the row in a database might not be enough if that data has already been baked into the weights of an AI model. This is why many analysts believe nearly 80% of child-directed apps will need to change their basic technical architecture to stay compliant.Beyond the US: A Global Privacy Shift
If you think COPPA is strict, look at Europe. The EU AI Act and the GDPR (General Data Protection Regulation) take an even harder line. The European Data Protection Board has suggested that getting lawful consent for AI training from children is nearly impossible due to the power imbalance between a giant tech firm and a child. Canada is following suit with the Online Harms Act, which emphasizes purpose-specific consent. We are seeing a global trend where "Privacy by Design" is no longer a suggestion-it's a requirement for survival. By 2027, it's predicted that the vast majority of kids' digital services will have to build privacy directly into their code from day one, rather than trying to patch it in later.
Compliance Checklist for AI Operators
If you are managing a product that children use, don't wait until the last minute. Use this checklist to ensure you aren't an easy target for an FTC audit:- Audit Data Flows: Map exactly where children's data goes. Is it hitting a third-party API for training? If so, stop until you have separate VPC.
- Update Your Notices: Rewrite your privacy policy. Get rid of the legalese. Tell parents exactly how AI uses their child's data in simple words.
- Implement Specific Consent: Create a separate toggle or checkbox for AI training. Do not pre-check this box.
- Set Expiration Dates: Establish a hard deletion date for children's data. Document this in a written policy.
- Verify Parents Properly: Use modern methods like knowledge-based authentication or "Text Plus" to ensure the person giving consent is actually the parent.
Does COPPA apply if my app isn't specifically "for kids"?
Yes. If your service is "directed to children" or if you have "actual knowledge" that you are collecting data from a child under 13, COPPA applies. This is why the FTC penalized Disney for YouTube videos that were clearly kid-centric even if the channel wasn't exclusively for children.
What counts as "Verifiable Parental Consent" (VPC)?
VPC requires a method that provides a high degree of certainty that the person is the parent. This can include checking a credit card, verifying a government ID, or using specialized knowledge-based authentication. A simple "I am a parent" checkbox is not sufficient.
Can I use "de-identified" data for AI training without consent?
It is risky. The FTC clarified in January 2026 that if there is any reasonable possibility of re-identification, the data is still considered personal information. Because AI can often reverse-engineer patterns, truly "de-identifying" children's data is technically difficult and often legally insufficient.
What is a "mixed audience" service?
A mixed audience service is one that appeals to both children and adults. Under the new rules, these services can collect limited information without initial consent only to determine the user's age or to provide a notice to parents.
What happens if I fail to comply with the new AI rules?
The FTC can impose significant civil penalties. Recent cases show settlements ranging from $500,000 to over $10 million. Beyond the money, the FTC often mandates strict, long-term auditing and monitoring of your data practices.
