Imagine your child talking to a voice assistant. The app listens, learns their voice patterns, and uses that audio to make the AI smarter for everyone else. Under old rules, this might have slipped through the cracks. Not anymore. As of mid-2026, the landscape for children's data privacy has shifted dramatically, especially regarding how artificial intelligence is trained on information from kids under 13.
Back in June 2025, the Federal Trade Commission (FTC) finalized major updates to the Children's Online Privacy Protection Act (COPPA), a U.S. law enacted in 1998 that regulates online collection of personal information from children under 13. With the compliance deadline hitting April 2026, companies are scrambling to adapt. These aren't just minor tweaks; they are structural changes designed to stop companies from using kids' voices, faces, and behaviors to fuel generative AI models without explicit parental permission.
What Changed in the 2025 COPPA Rule?
The core problem the FTC identified was simple but dangerous: companies were collecting data for one purpose, like playing a game, and then secretly using it for another, like training an algorithm. The new rule draws a hard line between what is "integral" to a service and what is not.
If you build an app for kids, providing the game is integral. Using the child’s voice recordings to improve your global speech-recognition AI is not. The updated rule explicitly states that disclosing a child's personal information to train or develop artificial intelligence technologies requires separate, verifiable parental consent. You can no longer bundle this into a generic terms-of-service agreement that parents skim past.
Furthermore, the definition of personal information (data that can identify an individual) has grown under COPPA. It now explicitly includes biometric identifiers such as voiceprints and facial recognition templates. This means if your AI analyzes a child's face or voice, that data is protected with the highest level of scrutiny under the law.
The Biometric and Retention Trap
Two specific technical requirements are causing the most headaches for developers right now: biometric data handling and indefinite retention bans.
Previously, some companies argued they needed to keep children's data forever to "improve algorithms." Commissioner Alvaro Bedoya shut that down hard. The new rule prohibits indefinite retention. Operators must establish written data retention policies specifying exact timeframes for deletion. If you collected data to provide a service, you must delete it once that service is no longer needed or when the parent requests it. There is no loophole for "algorithmic improvement" that overrides this ban.
This creates a massive technical challenge. Once data is fed into a machine learning model, it becomes part of the model's weights. Removing it later, often called the "right to be forgotten" in AI, is incredibly difficult. The FTC acknowledges this but maintains that companies must find ways to comply, whether through retraining models without the specific data or other technical solutions.
| Feature | Pre-2025 Rule | 2025 Updated Rule |
|---|---|---|
| AI Training Consent | Ambiguous; often bundled with general consent | Separate, verifiable parental consent required |
| Biometric Data | Not explicitly defined as personal info | Explicitly included (voiceprints, facial templates) |
| Data Retention | No strict limits; "business necessity" often cited | Strict written policies; no indefinite retention for AI improvement |
| Mixed Audience Sites | Limited guidance on age-gating | New definition allows limited data collection for age verification only |
The Internal AI Loophole
Here is where it gets tricky. The rule is crystal clear about third-party sharing: if you send a child's data to a vendor to train their AI, you need consent. But what if you train your own internal AI?
The current language is ambiguous. Public Interest Privacy pointed out that while secondary consent is required for third-party disclosures, the rule doesn't explicitly say companies need additional consent to use children's data to improve their *own* AI tools. Companies can still use data for "internal operations" like fixing bugs. However, the line between "fixing a bug" and "training a generative model" is blurry.
This ambiguity has sparked concern among privacy advocates. The Electronic Frontier Foundation warned that this distinction could become a dangerous loophole. Meanwhile, Senator Ed Markey introduced the Kids PRIVCY Act in late 2025, which aims to close this gap by prohibiting the use of children's data for AI training entirely without explicit consent, regardless of whether the AI is internal or external. Until that passes, companies are operating in a gray zone, leading many to adopt stricter internal policies just to stay safe.
Global Context: It’s Not Just the US
While COPPA is the gold standard in the U.S., the rest of the world is moving fast too. If you operate globally, you can't just focus on Washington.
- European Union: The proposed AI Act includes strict provisions on children's biometric data. The European Data Protection Board clarified in November 2025 that obtaining lawful consent for AI training of children's data under GDPR is virtually impossible due to power imbalances between tech giants and families.
- Canada: The proposed Online Harms Act, introduced in March 2025, mirrors the U.S. approach by requiring explicit, purpose-specific consent for using children's data in AI training.
This global alignment suggests a future where using children's data for broad AI training is effectively dead in regulated markets. Stanford University's Center for Internet and Society concluded in December 2025 that the ethical and technological challenges make this practice unsustainable.
How to Comply: A Practical Checklist
If you run a service that interacts with children, here is what you need to do before the dust settles:
- Audit Your Data Flows: Map every instance where a child's data leaves your immediate control. Identify any third-party AI vendors.
- Update Consent Mechanisms: Replace catch-all checkboxes. Create distinct, separate consent flows for AI training purposes. Use methods like Text Plus or knowledge-based authentication to verify parents.
- Rewrite Retention Policies: Delete any policy that says "we retain data indefinitely for product improvement." Set specific dates for deletion.
- Label Content Correctly: Remember the Disney case? Posting kid-directed content on platforms like YouTube without labeling it "Made for Kids" led to a $10 million fine. Ensure all content is properly tagged to trigger platform-level protections.
- Train Your Staff: Engineers and product managers need to understand that "improving the model" is no longer a valid excuse for keeping data.
The cost of non-compliance is steep. Beyond fines, which can reach millions, the reputational damage is severe. Parents are waking up to these issues. A July 2025 survey by Common Sense Media found that 89% of parents are concerned about their children's data being used to train AI systems. Trust is your most valuable asset, and transparency is how you protect it.
What Comes Next?
We are likely to see more enforcement actions in 2026 and beyond. The FTC launched an AI Chatbot Inquiry in September 2025 specifically targeting how chatbots collect and share personal information from children. Expect targeted audits and settlements similar to the recent actions against Disney and Apitor.
For developers, the path forward is "privacy by design." IDC predicts that by 2027, 92% of child-directed digital services will implement frameworks specifically addressing AI data usage. Start building those frameworks now. Don't wait for the fine to motivate you. The era of hidden data harvesting from children is over.
Does COPPA apply to AI chatbots?
Yes. If an AI chatbot collects personal information from children under 13, it falls under COPPA. The FTC has specifically launched inquiries into AI chatbots directed at children to examine how they collect, use, and share personal information. Separate parental consent is required if the data is used to train the AI.
Can I use children's data to train my own internal AI models?
The current rule is ambiguous on this point. While separate consent is explicitly required for third-party AI training, the rule does not clearly prohibit using data for internal AI development if it is deemed part of "internal operations." However, this is a high-risk area, and many experts recommend obtaining explicit consent anyway to avoid future regulatory crackdowns or potential legislation like the Kids PRIVCY Act.
What counts as biometric data under the new COPPA rule?
The updated rule explicitly includes voiceprints and facial recognition templates. Any identifier derived from physiological, biological, or behavioral characteristics that can uniquely identify a child is considered personal information and requires strict protection and parental consent for processing.
When is the deadline for compliance with the 2025 COPPA updates?
Regulated entities generally have until April 22, 2026, to achieve full compliance with the new requirements. This date marks the end of the grace period following the Final Rule's effective date in June 2025.
How does the EU AI Act compare to COPPA regarding children's data?
Both regulations are tough, but the EU approach is arguably stricter on consent. The European Data Protection Board has stated that obtaining lawful consent for AI training of children's data under GDPR is virtually impossible due to power imbalances. COPPA allows for consent if it is verifiable and separate, whereas the EU focuses heavily on the inability of children to give truly free consent in these contexts.