As of April 22, 2026, organizations subject to the Children’s Online Privacy Protection Act (COPPA) must comply with the FTC’s 2025 amendments to the COPPA Rule — the first update since 2013. The amended rule requires operators to obtain separate verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising or other purposes. The definition of “personal information” has been expanded to include biometric identifiers (such as fingerprints, retina patterns, facial data, and voice data) and government-issued identifiers. Operators must now establish, implement, and maintain a written information security program for children’s personal data, including designating a coordinator, performing annual risk assessments, and testing safeguards. The rule also requires operators to establish and publicly publish a written data retention policy. Approved COPPA Safe Harbor programs must now publicly disclose their membership lists and submit periodic reports to the FTC. The FTC did not finalize proposed amendments related to educational technology or push notifications, but noted ongoing concerns about engagement techniques that keep children online.
In Australia, the Office of the Australian Information Commissioner (OAIC) published the exposure draft of the Privacy (Children’s Online Privacy) Code 2026, opening public consultation until June 5, 2026. The Code would apply to providers of social media services, relevant electronic services, and designated internet services that are likely to be accessed by children or primarily concerned with children’s activities. Key provisions include a requirement to consider children’s best interests before collecting, using, or disclosing their personal information; an obligation to obtain consent before using children’s personal information for targeted advertising; a right for children to request deletion of their personal information; requirements for age assurance mechanisms extending to both registered and unregistered users; and obligations to notify children when parents consent to data collection on their behalf and when other users are tracking their geolocation. The Code draws from the UK’s Age-Appropriate Design Code but also introduces novel protections developed for the Australian context.
In the United Kingdom, on March 25, 2026, Ofcom and the Information Commissioner’s Office published a joint statement setting out their common expectations for age assurance on online services — aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 and UK data protection legislation. The regulators confirmed that self-declaration alone — such as a tick-box age confirmation — is not an effective means of determining user age or preventing underage access. All age assurance methods involve the processing of personal data, and such processing must be necessary, proportionate to the risks, and compliant with data protection legislation. The statement outlines which methods Ofcom considers capable of being “highly effective,” including facial age estimation, digital identity verification, and one-time photo matching, while expressly excluding self-declaration in isolation, debit card verification, and generic contractual restrictions. Services that do not use highly effective age assurance to enforce their minimum age must assume that underage children are present and must reflect this in their children’s risk assessments and corresponding mitigations.