COPPA 2025 Update: How New Rules Change Consent for Children's Data in AI
May 18, 2026
The landscape of digital privacy for kids has shifted dramatically. If you run a service that interacts with children under 13, the days of vague privacy policies are over. The Federal Trade Commission (FTC) finalized sweeping updates to the Children's Online Privacy Protection Act (COPPA) in April 2025, specifically targeting how companies handle data in the age of artificial intelligence. These aren't just minor tweaks; they represent the most significant overhaul of the law since its inception in 1998. With full compliance required by April 2026, businesses face a critical deadline to restructure their data collection, retention, and consent mechanisms or risk severe penalties.
The Core Shift: AI Training Requires Separate Consent
The biggest change in the updated COPPA rule is the explicit prohibition on using children's data to train AI models without specific parental permission. Previously, many companies bundled this usage into general terms of service. Now, the FTC states clearly that disclosing a child’s personal information to third parties for the purpose of training or developing artificial intelligence technologies is not integral to the website or online service's functionality.
This means you cannot simply ask parents for consent to provide a game or educational app and assume that covers feeding their child’s voice recordings, gameplay patterns, or biometric data into a machine learning algorithm. You must obtain separate, verifiable parental consent (VPC) specifically for AI training purposes. This applies whether you are sharing data with a third-party analytics provider or even if you are building internal models, though the rules for internal use remain slightly ambiguous (more on that later).
Why does this matter? Because generative AI thrives on vast datasets. Without clear consent, your model might be built on legally questionable foundations. The FTC wants to ensure parents know exactly what their child's data is doing, especially when it comes to powering personalized content, targeted advertising, or smart assistants.
Expanded Definition of Personal Information
The updated rule broadens what counts as "personal information" under COPPA. It now explicitly includes biometric identifiers such as voiceprints and facial recognition templates. This is crucial for AI systems that process audio or visual inputs. If your app uses speech-to-text technology that captures unique vocal characteristics, or if it uses camera input for filters that map facial features, you are collecting regulated data.
Additionally, the FTC has clarified that de-identified data still constitutes personal information if there is any reasonable possibility of re-identification. In the world of AI, where algorithms can sometimes reverse-engineer anonymized datasets, this creates a high bar for privacy. You can no longer rely on simple masking techniques to bypass COPPA requirements if the underlying data could theoretically be linked back to a specific child.
No More Indefinite Data Retention
One of the most contentious issues addressed by the new rule is indefinite data retention. Companies often argued that keeping children's data forever was necessary to improve algorithms over time. Commissioner Alvaro Bedoya shut this down, stating that business claims about improving algorithms do not override legal bans on indefinite retention.
Operators must now establish written data retention policies that specify exact timeframes for deletion. The data must be kept only as long as reasonably necessary to fulfill the purpose for which it was collected. Once that purpose is served, the data must go. This creates a technical challenge for AI developers who need historical data to maintain model accuracy. You will need to build systems that can track data lineage and automate deletion processes, ensuring that when a parent revokes consent or the retention period expires, the data is purged from both active databases and training sets.
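One way to enforce purpose-specific consent and retention when selecting training data, as an added example that is not taken from the rule text or from any operator's system. The purpose labels, retention windows, and record fields are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed purposes and windows; real values come from the written retention policy.
RETENTION = {"service": timedelta(days=365), "ai_training": timedelta(days=180)}

@dataclass(frozen=True)
class Consent:
    child_id: str
    purpose: str                      # one consent row per purpose, never bundled
    granted_at: datetime
    revoked_at: Optional[datetime] = None

@dataclass(frozen=True)
class Record:
    record_id: str
    child_id: str
    collected_at: datetime

def has_consent(consents, child_id, purpose, now):
    """True only if an unrevoked consent exists for this exact purpose."""
    return any(c.child_id == child_id and c.purpose == purpose and c.granted_at <= now
               and (c.revoked_at is None or c.revoked_at > now) for c in consents)

def plan(records, consents, now):
    """Return (training_eligible, purge_from_training, purge_everywhere) record ids."""
    eligible, purge_training, purge_all = [], [], []
    for r in records:
        age = now - r.collected_at
        if age > RETENTION["service"] or not has_consent(consents, r.child_id, "service", now):
            purge_all.append(r.record_id)       # expired or service consent withdrawn
        elif (age > RETENTION["ai_training"]
              or not has_consent(consents, r.child_id, "ai_training", now)):
            purge_training.append(r.record_id)  # keep for the service, drop from training
        else:
            eligible.append(r.record_id)
    return eligible, purge_training, purge_all

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (not real records).
NOW = day(2026, 5, 1)
CONSENTS = [Consent(c, p, day(2025, 1, 1), rev) for c, p, rev in [
    ("c1", "service", None), ("c1", "ai_training", None), ("c2", "service", None),
    ("c3", "service", None), ("c3", "ai_training", day(2026, 4, 1)),
    ("c4", "service", day(2026, 4, 15))]]
RECORDS = [Record(i, c, t) for i, c, t in [
    ("r1", "c1", day(2026, 3, 1)), ("r2", "c1", day(2025, 10, 1)), ("r3", "c2", day(2026, 3, 1)),
    ("r4", "c3", day(2026, 3, 1)), ("r5", "c4", day(2026, 3, 1)), ("r6", "c1", day(2025, 3, 1))]]
```

Running `plan(RECORDS, CONSENTS, NOW)` on each training-set build, and feeding the two purge lists to the deletion jobs, keeps revocations and expiries from lingering in either the active store or the training set.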
| Requirement | Previous Standard | 2025 Updated Rule |
|---|---|---|
| AI Training Consent | Bundled in general privacy policy | Separate, verifiable parental consent required |
| Biometric Data | Implicitly covered but undefined | Explicitly defined as personal information (voiceprints, facial templates) |
| Data Retention | Indefinite retention allowed for improvement | Strict limits; written policies required; no indefinite retention |
| Mixed Audiences | Vague guidelines | Limited data collection allowed solely for age determination |
| De-identified Data | Generally exempt if anonymized | Still personal if re-identification is reasonably possible |
The Internal AI Loophole and Compliance Risks
While the rule is strict about third-party disclosures, it leaves some ambiguity regarding internally developed AI systems. The FTC requires secondary consent for sharing data with third parties for algorithm training, but it does not explicitly state that companies need additional consent to use children's data to improve their own internal tools. This gap has drawn criticism from privacy advocates like the Electronic Frontier Foundation, who warn that companies could exploit this loophole to continue training AI on children's data without proper oversight.
However, relying on this ambiguity is risky. The FTC has shown a willingness to interpret "internal operations" narrowly. If your internal AI tool provides personalized recommendations or targeted ads, it likely falls outside the scope of basic bug-fixing or feature addition. Furthermore, Senator Ed Markey introduced the Kids PRIVCY Act in late 2025, which aims to close this loophole entirely by prohibiting all AI training on children's data without explicit consent, regardless of whether the AI is internal or external. Prudent operators should assume stricter standards will apply and seek explicit consent for any AI-related processing.
Global Context: COPPA Meets International Standards
COPPA is not operating in a vacuum. Globally, regulations are tightening around children's data and AI. The European Union’s proposed AI Act restricts the processing of children's biometric data for AI training, with the European Data Protection Board noting that obtaining lawful consent for such training is nearly impossible due to power imbalances. Similarly, Canada’s proposed Online Harms Act includes restrictions on using children's data for AI training without explicit, purpose-specific consent.
If you operate globally, you must navigate these overlapping frameworks. While COPPA focuses on parental consent, GDPR emphasizes data minimization and the right to be forgotten. Aligning your practices with the strictest standard, often the EU’s approach, is a safe strategy. The global children's digital privacy market is projected to grow significantly, indicating that regulators worldwide are prioritizing this issue. Ignoring international trends could leave you vulnerable to future cross-border enforcement actions.
Enforcement Actions: Real-World Consequences
The FTC is actively enforcing these new rules. In September 2025, Disney faced a $10 million settlement for unlawfully collecting children's data through YouTube videos that were not labeled as "Made for Kids." This allowed the collection of personal data for targeted advertising without proper consent. On the same day, the Department of Justice filed a $500,000 penalty against Apitor, a Chinese robotic toy maker, for allowing a third-party analytics provider to gather geolocation data from children under 13 without parental consent.
These cases send a clear message: verifiable parental consent is required even when third parties collect data on your behalf. If your vendor violates COPPA, you are liable. This necessitates robust vendor diligence processes. You must audit your supply chain to ensure that every partner handling children's data adheres to the new retention and consent requirements.
Steps to Achieve Compliance by April 2026
To meet the April 2026 deadline, you need a structured approach. Here is a checklist to guide your compliance efforts:
- Audit Current Data Flows: Map every instance where children's data is collected, processed, or shared. Identify any points where data is used for AI training, either internally or externally.
- Update Privacy Notices: Rewrite your direct and online notices to specifically address AI data usage. Avoid generic language. Clearly explain how data is used, retained, and deleted.
- Implement Separate Consent Mechanisms: Create distinct consent flows for AI training. Do not bundle this with general service agreements. Use methods like Text Plus or knowledge-based authentication to verify parental identity.
- Establish Data Retention Policies: Define exact timeframes for deleting children's data. Build automated systems to enforce these limits and purge data from AI training sets when necessary.
- Enhance Security Programs: Strengthen safeguards to protect against unauthorized access or re-identification of de-identified data. Regular security audits are essential.
- Train Staff and Vendors: Ensure your team understands the new requirements. Conduct due diligence on all vendors to confirm they comply with COPPA’s updated standards.
Remember, the goal is not just to avoid fines but to build trust with parents. Transparency about how you handle children's data can become a competitive advantage in an increasingly privacy-conscious market.
What is the deadline for complying with the new COPPA rules?
Regulated entities generally have until April 22, 2026, to achieve full compliance with the new requirements announced by the FTC in April 2025.
Do I need separate consent for AI training if I use internal models?
The rule explicitly requires separate consent for third-party AI training. For internal AI, the rule is ambiguous, but privacy experts recommend seeking explicit consent to mitigate risk, especially given pending legislation like the Kids PRIVCY Act.
Can I retain children's data indefinitely to improve my AI algorithms?
No. The updated COPPA rule prohibits indefinite retention of children's data. You must establish written policies specifying exact timeframes for deletion based on the purpose of collection.
What types of data are considered personal information under the new rule?
Personal information now explicitly includes biometric identifiers such as voiceprints and facial recognition templates. De-identified data is also included if there is a reasonable possibility of re-identification.
How does COPPA interact with other global privacy laws?
COPPA aligns with growing global scrutiny on children's data. The EU’s AI Act and Canada’s Online Harms Act impose similar restrictions. Companies operating internationally should adopt the strictest standards to ensure comprehensive compliance.