COPPA 2025 Update: How New AI Rules Change Children’s Data Consent


For years, parents clicked "I Agree" on digital terms of service without reading them. Now, that single click isn’t enough if your app or website uses Generative AI to process data from kids under 13.

The Federal Trade Commission (FTC) dropped a major update to the Children’s Online Privacy Protection Act (COPPA) in April 2025. The new rules took effect on June 23, 2025, and companies have until April 22, 2026, to fully comply. If you build or manage apps, games, or websites for children, this is no longer just a legal footnote; it’s a structural overhaul of how you handle data.

The core change? You can’t use a child’s personal information to train AI models, whether internally or via third parties, without getting separate, explicit parental consent. And you can’t keep that data forever just to "improve algorithms." Here is what you need to know to stay compliant and protect your users.

The End of "Catch-All" Consent for AI Training

Under the old COPPA framework, many companies bundled everything into one privacy policy. Parents gave general permission for data collection, and companies used that data for analytics, advertising, and yes, training machine learning models. The updated rule shatters that model.

The FTC explicitly states that disclosing a child’s personal information to train or develop artificial intelligence technologies is not integral to the website’s functionality. This means it requires separate, verifiable parental consent. You cannot hide this requirement in a long privacy notice. You must ask for it distinctly.

Think about a voice-enabled educational game. In the past, recording a child’s voice to improve speech recognition might have been covered under general service usage. Now, that audio data counts as a biometric identifier. To use those recordings to train your AI assistant, you need a specific opt-in from the parent, separate from the initial sign-up consent.

  • Integral Disclosure: Sharing data necessary for the core service (e.g., sending a quiz score to a teacher’s dashboard). Requires standard COPPA consent.
  • Non-Integral Disclosure: Sharing data to train AI models, target ads, or sell to third parties. Requires separate, distinct parental consent.

This distinction forces developers to decouple their data pipelines. You can no longer route all user interaction logs directly into your training dataset by default. You need a technical switch that only activates when parental consent for AI training is explicitly granted.
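
One way to build that switch, as an added example that is not code from any real product or from the FTC: a router that writes events to the training dataset only when a separate, current AI-training opt-in exists, and fails closed otherwise. The record layout, field names and sink names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentRecord:
    """Hypothetical per-child record: each purpose is consented to separately."""
    service_at: Optional[datetime] = None       # general consent at sign-up
    ai_training_at: Optional[datetime] = None   # separate, distinct opt-in
    ai_training_revoked_at: Optional[datetime] = None

def ai_training_allowed(rec: Optional[ConsentRecord], now: datetime) -> bool:
    """Fail closed: anything short of a current, explicit opt-in means no."""
    if rec is None or rec.service_at is None or rec.ai_training_at is None:
        return False
    if rec.ai_training_at > now:          # malformed or future-dated record
        return False
    revoked = rec.ai_training_revoked_at
    # A revocation only stops counting if the parent opted in again afterwards.
    return revoked is None or revoked < rec.ai_training_at

def route_events(events, consents, now):
    """Split events between the service store and the training dataset."""
    sinks = {"service": [], "training": [], "dropped": []}
    for ev in events:
        rec = consents.get(ev["child_id"])
        if rec is None or rec.service_at is None:
            sinks["dropped"].append(ev["id"])   # no consent on file at all
            continue
        sinks["service"].append(ev["id"])
        if ai_training_allowed(rec, now):
            sinks["training"].append(ev["id"])
    return sinks

# Constructed sample data.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
def day(d): return datetime(2026, 4, d, tzinfo=timezone.utc)
CONSENTS = {
    "c1": ConsentRecord(service_at=day(1)),                               # sign-up only
    "c2": ConsentRecord(service_at=day(1), ai_training_at=day(2)),        # opted in
    "c3": ConsentRecord(day(1), day(2), ai_training_revoked_at=day(10)),  # withdrew
}
EVENTS = [{"id": f"e{i}", "child_id": c, "kind": "voice_audio"}
          for i, c in enumerate(["c1", "c2", "c3", "c4"], start=1)]

if __name__ == "__main__":
    print(route_events(EVENTS, CONSENTS, NOW))
```
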

New Definitions: What Counts as Personal Information?

The definition of "personal information" has expanded significantly to cover modern AI capabilities. It now includes Biometric Identifiers, such as facial recognition templates and voiceprints. This is critical for any application using cameras or microphones.

If your app uses computer vision to track eye movement for engagement metrics, or audio processing to personalize content, you are collecting biometric data. Under 16 C.F.R. § 312.2, these are treated with the same strictness as a name or home address.

Furthermore, the FTC issued supplemental guidance in January 2026 clarifying that "de-identified" data still counts as personal information if there is any reasonable possibility of re-identification. For AI researchers, this is a heavy constraint. Many anonymization techniques fail against sophisticated re-identification attacks. If your AI model could theoretically be reverse-engineered to identify a child, the data remains protected under COPPA.


Data Retention: No More Infinite Storage

One of the most controversial practices in tech was indefinite data retention. Companies argued they needed historical data to continuously improve algorithm accuracy. The FTC shut this down.

The new rule mandates written data retention policies specifying exact timeframes for deletion. Commissioner Alvaro Bedoya emphasized that claims of needing data indefinitely for algorithm improvement do not override legal bans on indefinite retention. You must delete children’s data once it is no longer reasonably necessary to fulfill the purpose for which it was collected.

This creates a massive technical challenge for AI teams. Machine learning models are trained on static datasets. If you receive a deletion request for a child’s data, you can’t just delete the row in your database. That data may already be baked into the weights of a neural network. The FTC acknowledges this difficulty but holds companies responsible for compliance. Solutions like differential privacy or synthetic data generation are becoming essential strategies to mitigate this risk.
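
A sketch of an automated retention job for the policy described above, added here as an example and not taken from the rule or from any vendor. The purposes, retention windows and the `snapshots` lineage field are assumptions; the point is that a deletion plan should also name the training snapshots that contain the deleted records.

```python
from datetime import datetime, timedelta, timezone

# Assumed retention schedule; the windows are illustrative, not taken from the rule.
RETENTION = {
    "quiz_scores": timedelta(days=365),
    "voice_audio": timedelta(days=30),
}

def plan_deletions(records, now, retention=RETENTION):
    """Return (record ids to delete, training snapshots that contain them)."""
    to_delete, stale_snapshots = [], set()
    for rec in records:
        window = retention.get(rec["purpose"])
        # Fail closed: a purpose missing from the written policy has no
        # documented reason to be kept, so it is treated as expired.
        expired = window is None or now - rec["collected_at"] >= window
        if expired or rec.get("deletion_requested", False):
            to_delete.append(rec["id"])
            # Deleting the row does not undo training, so report every
            # dataset snapshot that needs rebuilding without this record.
            stale_snapshots.update(rec.get("snapshots", ()))
    return to_delete, sorted(stale_snapshots)

# Constructed sample records.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
RECORDS = [
    {"id": "r1", "purpose": "voice_audio",
     "collected_at": NOW - timedelta(days=45), "snapshots": ["ds-2026-03"]},
    {"id": "r2", "purpose": "voice_audio",
     "collected_at": NOW - timedelta(days=5)},
    {"id": "r3", "purpose": "quiz_scores",
     "collected_at": NOW - timedelta(days=90), "deletion_requested": True,
     "snapshots": ["ds-2026-03", "ds-2026-04"]},
    {"id": "r4", "purpose": "engagement_debug",   # not in the written policy
     "collected_at": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    print(plan_deletions(RECORDS, NOW))
```
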

Key Changes in the 2025 COPPA Rule vs. Previous Standards
| Feature | Previous Standard | 2025 Updated Rule |
| --- | --- | --- |
| AI Training Consent | Bundled in general privacy policy | Requires separate, verifiable parental consent |
| Biometric Data | Not explicitly defined | Explicitly included (voiceprints, facial templates) |
| Data Retention | Indefinite retention often accepted | Strict limits; written deletion policies required |
| Mixed Audiences | Vague guidelines | Clear allowance for age-gating data collection |
| De-identified Data | Generally exempt if anonymized | Protected if re-identification is possible |

The Internal AI Loophole and Ambiguity

While the rule is clear on third-party disclosures, it leaves a gray area regarding internal AI development. The FTC requires secondary consent for sharing data with external partners for training. However, it does not explicitly state whether companies need additional consent to use children’s data to improve their own proprietary AI tools.

Privacy advocates argue this is a dangerous loophole. If a company collects voice data for a chatbot, they could technically use that data to refine their internal language model without asking parents again, claiming it’s part of "internal operations" to fix bugs or add features. The Electronic Frontier Foundation warned that companies will exploit this ambiguity.

Until further rulemaking occurs, the safest approach is to treat all AI training as non-integral. Get explicit consent. The cost of compliance is far lower than the risk of an FTC investigation. Remember the $10 million settlement Disney paid in September 2025 for failing to label YouTube videos correctly? The FTC is actively enforcing these standards. They don’t care about your architectural challenges; they care about parental oversight.


Global Context: Beyond US Borders

While COPPA is a US law, its influence is global. Many international companies adopt COPPA standards as a baseline because it is stricter than many other regional laws. However, you must also consider the European Union’s AI Act and GDPR.

The European Data Protection Board issued guidelines in November 2025 stating that obtaining lawful consent for AI training of children’s data is "virtually impossible" under GDPR due to power imbalances between corporations and minors. Canada’s proposed Online Harms Act also restricts using children’s data for AI training without explicit, purpose-specific consent.

If you operate globally, you face a patchwork of regulations. The trend is clear: regulators worldwide are moving away from implied consent for AI training involving minors. Building a "privacy by design" framework that minimizes data collection at the source is the only sustainable strategy.

Action Plan for Compliance by April 2026

You have roughly ten months to achieve full compliance. Here is a practical checklist to start your remediation efforts:

  1. Audit Data Flows: Map every instance where children’s data enters your system. Identify where it goes for AI training, analytics, or third-party sharing.
  2. Decouple Consent Mechanisms: Build a UI flow that asks for general service consent separately from AI training consent. Use clear, plain language. Avoid legalese.
  3. Update Biometric Handling: Ensure any voice or image processing is flagged as biometric data collection. Implement encryption and strict access controls.
  4. Establish Retention Policies: Define exact timeframes for data deletion. Automate deletion processes. Document these policies internally.
  5. Enhance Verification: Move beyond simple email checks. Implement knowledge-based authentication or credit card verification methods to ensure the person consenting is actually the parent.
  6. Train Your Team: Developers, product managers, and marketers need to understand the new definitions. A marketing campaign targeting kids based on AI insights derived from unauthorized data is a fast track to a fine.

The market is shifting. Gartner projects the global children’s digital privacy market to grow to $3.8 billion by 2028. Companies that respect these boundaries will build trust with parents, a valuable asset in the family-tech space. Those that ignore them will face regulatory action and reputational damage.

The era of harvesting children’s data for AI fuel is ending. Adapt your architecture, respect parental rights, and focus on creating value without compromising privacy.

What is the deadline for complying with the new COPPA AI rules?

The final rule took effect on June 23, 2025. Regulated entities generally have until April 22, 2026, to achieve full compliance with the new requirements, including separate consent mechanisms for AI training and updated data retention policies.

Do I need parental consent to train my own internal AI models on children's data?

The rule explicitly requires separate consent for third-party disclosures. While it is ambiguous regarding internal AI development, privacy experts recommend treating all AI training as requiring separate, explicit parental consent to avoid regulatory risk and potential loopholes.

How does the new rule define biometric identifiers?

The updated COPPA rule expands the definition of personal information to include biometric identifiers such as facial recognition templates, voiceprints, and other identifiers derived from physiological or behavioral characteristics. This applies to any AI system processing audio or visual data from children.

Can I retain children's data indefinitely to improve my AI algorithms?

No. The FTC explicitly prohibits indefinite retention of children's data. You must establish written data retention policies specifying exact timeframes for deletion. Data must be deleted once it is no longer reasonably necessary for the purpose it was collected.

What happens if I use de-identified data for AI training?

Supplemental guidance from January 2026 states that de-identified data still constitutes personal information under COPPA if there is any reasonable possibility of re-identification. If your AI model could be reverse-engineered to identify a child, the data remains protected.

How does COPPA compare to EU regulations on AI and children's data?

Both COPPA and the EU's GDPR/AI Act are tightening restrictions. The European Data Protection Board noted that obtaining lawful consent for AI training of children's data is nearly impossible under GDPR due to power imbalances. Globally, the trend is toward explicit, purpose-specific consent rather than broad permissions.