COPPA Amendments – New Features to Aid Compliance

Important changes are coming to The Children’s Online Privacy Protection Act (COPPA) with new amendments taking effect on April 22, 2026. These changes, which we wrote about previously here, represent the first significant update to the law since 2013, and strengthen requirements around parental choice, transparency, and accountable data practices. Most importantly for businesses are the changes to how children’s data can be disclosed: opt-in, granular parental consents are no longer simply best practices; they are now hard legal requirements. The major change will affect how products and services are being offered to users  in the United States, how the operators of these products and services handle children’s data, especially where targeted advertising, profiling, and other third-party data sharing are involved.

k-ID is purpose-built to help companies comply with these new requirements, and we’ve updated our product recently to make compliance easier, as detailed in this blog.

A Recap of the Amendments and What They Require

Who the Law Applies to

The new amendments apply to all companies that process children’s data subject to COPPA. Companies that fall under the new definition of “mixed audience” services or who share children’s data with third parties (especially for targeted advertising or AI model training) are especially impacted.

The Amendments broaden COPPA’s scope to encompass more modern digital products and data types. This includes:

• Mixed-audience services: The Amendments explicitly define “mixed-audience” services as services that appeal to both children and adults, and clarify that these services are subject to VPC (Verifiable Parental Consent) requirements. Past FTC enforcements have implied that the Commission will aggressively enforce COPPA even when kids are not the primary audience of a service: the Amendments make this explicit. 
• Expanded definition of “personal information”: The Amendments expand the scope of “personal information” to include biometrics and government identifiers. Note however that despite the expanded scope, the FTC has also clarified in a separate Enforcement Policy Statement that the processing of personal information for the limited purpose of age verification does not violate COPPA, so long as specific safeguards are followed.

‍

What is Now Required

The new amendments mandate higher standards for data governance and security. Explicit rules are established regarding data security, retention, and minimization, along with stricter accountability and transparency requirements for Safe Harbors. However, arguably the most critical changes for companies today are the new requirements around third-party data sharing: 

1. Granular consents: Companies can no longer rely on a single, general parental consent form to cover all personal data processing. Except when the sharing is “integral” to the service, any sharing of a child’s personal data with third parties now requires affirmative, opt-in parental consent. This means separate consent is required before sharing a child’s information for the purposes of targeted advertising, direct monetization or AI training, as well as for non-integral features, which might include features like user-to-user chat. Parents must have controls to either approve or reject this sharing, and approval cannot be a condition for a child to access the service. 
2. Expanded disclosures: Similarly, parents must be informed when giving consent which data elements are required to use the service, versus which data elements are subject to the parent’s consent.  Companies must also provide as part of their direct notice to parents a complete, accurate list of all third-party data recipients. 

How k-ID Helps

To meet the April 22, 2026, deadline, immediate priority must be placed on implementing robust parental control systems that allow for granular choice, particularly around third-party disclosures and targeted advertising. k-ID enables this transition with features that directly address the new mandate.

Granular Consents 

k-ID’s existing Family Connect flow provides parents with an explicit choice over data sharing, and streamlines the creation of the mandatory separate toggle for non-integral disclosures such as third-party targeted advertising. This turns a significant compliance challenge into an efficient process.

‍

Above: an example of granular permissions provided to parents within k-ID Family Connect. Note how targeted ads are disabled by default until the parent consents.

‍NEW: Expanded Disclosures 

In order to help our customers meet the new disclosure requirements, we’ve made two key changes to our Compliance Studio:

First, you can now designate in the Data Notices section of your product configurations which data elements are subject to a parent’s consent, versus those that are required to use the service:

‍

If the “May Require Approval” box is checked, the selected data elements appear in a separate category within the parent-facing approval flow:

‍

The COPPA Rule also requires companies to include in their direct notice a hyperlink to a list of other companies that may receive the child’s personal information. To add this hyperlink, simply click the “+ Additional Legal Links” text found within the Compliance Studio under “Developer Details,” provide the title of the hyperlink and URL, and it will appear alongside your Privacy Policy and Terms of Service links in the parent-facing flow.

Top: The Compliance Studio Interface, where you can add a link to your additional disclosures. Bottom: how that hyperlink appears to parents.

Conclusion

k-ID is here to help all online providers of products and services meet their obligations under these new laws. Contact us today if you’d like to learn more.

‍