The landscape of child online privacy is rapidly evolving, with significant new federal and state requirements coming into effect this month. Companies operating online products and services accessed by children must prepare to comply with additional obligations imposed by the Federal Trade Commission’s (FTC) updated Children's Online Privacy Protection Rule (COPPA Rule) and the Maryland Age-Appropriate Design Code Act (Maryland Kids Code).
FTC’s Updated COPPA Rule
Although the amended COPPA Rule officially took effect on June 23, 2025, most new obligations have a compliance deadline of April 22, 2026.
Key amendments include:
- A broader definition of personal information. The rule now covers biometric data (like fingerprints or facial scans) and government-issued identifiers, in addition to the usual names, emails, and locations.
- Enhanced parental consent rules. In the past, getting a parent’s permission to collect a child’s data was often treated as a blanket green light. Companies must now get separate consent before sharing a child’s data with outside parties. Agreeing to let an app collect data does not mean agreeing to let that app sell or share it with advertisers or other third parties.
- Clearer notice to parents. Any notice sent to parents must plainly explain what data is being collected, how it’s used, and – critically – which specific third parties will receive it and why.
- Standardized data security and deletion requirements. Companies must put a written security program and a data-retention framework in place and set defined limits on how long they keep children’s data. Holding onto it indefinitely is now explicitly prohibited.
The practical takeaway of these changes is that behavioral advertising and third-party tracking of children are effectively off by default. Parents must affirmatively opt in.
Maryland Kids Code: Acting in the Best Interests of Children
Maryland's Age-Appropriate Design Code Act, often referred to as the Maryland Kids Code, has been in effect since October 1, 2024, but April 1, 2026 is the deadline for companies to complete a formal review called a Data Protection Impact Assessment (DPIA) for any existing online products children are likely to use.
The DPIA is structured as a self-audit. It requires companies to document:
- What the product does and how it uses children’s data;
- Whether the online product is actually designed in a manner that is consistent with the best interests of children; and
- What steps have been or will be taken to comply with the duty to act in the best interests of children.
“Harm” is defined broadly. It includes not only physical harm, but financial, psychological, and emotional harm, as well as violations of children’s reasonable privacy expectations and discriminatory treatment.
The practical takeaway is that the law asks companies to go beyond compliance checkboxes and genuinely ask whether their design choices could hurt kids.
What Companies Should Do Now
Regardless of company size, any business with child users should consider taking or evaluating some or all of these steps:
- Know whether COPPA applies to you. Don’t assume COPPA only applies to companies that explicitly target children. Any website operator that knowingly collects information from children under 13, or operates a mixed-audience site with child-friendly areas, must comply or block data collection from children entirely. If there’s any chance children use your product, get legal guidance on whether you’re a covered operator before assuming you’re not. Note that the FTC’s February 2026 policy statement specifically encourages companies to adopt age-verification technologies to resolve ambiguity. Implementing these tools can serve as a 'good faith' indicator of your commitment to preventing the unauthorized collection of children's data.
- Map your data. Look closely at what information you collect, how you collect it, how you use it, whether it is necessary for the activities on your site or service, and whether you have adequate methods for parents to review and delete their children’s information. Don’t overlook obvious collection points, including registration forms, in-app purchases, chat features, analytics tracking, third-party SDKs, advertising networks, and social login integrations.
- Practice data minimization. Consider collecting only the personal information necessary to deliver the activity or service, and avoid conditioning a child’s participation on the collection of more data than is needed. The less data you collect, the lower your compliance burden and legal risk.
- Rewrite your privacy notices. Update both your online privacy policy and your direct parental notices so they clearly identify what data is collected, how it’s used, and which specific third parties receive it. The FTC has historically taken the stance that companies must “do what you say and say what you do” – this applies to retention policies and privacy policies alike. Vague or boilerplate language is likely no longer acceptable.
- Fix your consent flows. Implement separate consent mechanisms for data collection and third-party sharing. The updated COPPA Rule gives companies more options to obtain parental consent. Use plain language: consent forms should be understandable by a non-lawyer parent, not just a compliance team.
- Watch the horizon. COPPA sets a federal baseline, but states are increasingly layering their own children’s privacy requirements on top of it. The Maryland Kids Code is one example. Others, including laws in California, Utah, Texas, and Florida, impose additional restrictions. Companies operating nationally need a compliance strategy that accounts for the patchwork of state laws, not just federal minimums. Additionally, the FTC begins enforcing the TAKE IT DOWN Act on May 19, 2026, which imposes civil liability on companies that violate requirements around non-consensual intimate imagery, including imagery of minors.
