Looking Back at Privacy and Cybersecurity Law Changes in 2025 and Looking Ahead to 2026: Children’s Privacy
The privacy of children's data was in the spotlight in 2025 and will be in 2026 as well. What for years was treated as a narrow compliance issue—often handled with a single sentence in a privacy policy—has evolved into a complex and fast-moving legal landscape that now spans federal requirements and an expanding patchwork of state laws.
As we look back at developments in 2025 and ahead to 2026, one thing is clear: organizations that collect data about anyone under 18 need to revisit their policies and practices.
Federal COPPA Changes
The federal Children’s Online Privacy Protection Act (COPPA) has been in effect since 2000. For a quarter of a century, it has shaped how websites and apps think about children’s data, particularly information about kids under the age of 13. That history explains why so many privacy policies still include a familiar statement along the lines of: “Our website is not directed to children under 13, and we do not knowingly collect personal information from children under 13.”
In 2025, however, COPPA entered a new phase. The Federal Trade Commission amended the COPPA regulations, effective in June 2025. These amendments raise compliance expectations in several important ways. The most significant changes include:
New information security program requirements
Organizations must implement and maintain a written information security program appropriate to the sensitivity of children’s personal information. Organizations must designate personnel to manage the program, assess internal and external risks to children's data, implement and maintain safeguards, regularly test the effectiveness of these safeguards, and review and revise the program at least annually. This could be either a separate children-only program or (preferably) a comprehensive program. This brings COPPA closer to modern data security regimes and raises the bar well beyond basic safeguards.
Expanded definitions of “personal information”
The definition now includes (i) biometric identifiers that can be used for the automated or semi-automated recognition of an individual, such as fingerprints, handprints, retina patterns, iris patterns, genetic data, including DNA sequences, voiceprints, gait patterns, facial templates, or faceprints, and (ii) government-issued identifiers, such as social security numbers, state identification card numbers, birth certificate numbers, or passport numbers.
Notice and parental consent
The amendments require notice to parents that identifies the categories of third parties who will receive the child's personal information and the purposes for such sharing. The parental notice must explain that parents can consent to the collection and use of kids' data without agreeing to the disclosure to third parties (unless integral to the operation of the website or online service). The notice must also describe how persistent identifiers are used and include disclosures about the use of audio files.
Perhaps the most impactful change: operators must obtain separate, verifiable parental consent before sharing children’s personal information with third parties, even if parental consent was already obtained for collection and internal use. The amendments also expand the acceptable methods for obtaining verifiable parental consent. Operators are now allowed to use the following methods (among others to be approved by the FTC): (i) knowledge-based authentication through multiple-choice questions, (ii) government-issued photo ID, or (iii) text messaging coupled with additional steps, such as a follow-up text, letter, or phone call.
Data Retention
The new regulations only allow organizations to retain children’s information for as long as reasonably necessary to fulfill the specific purposes for which it was collected.
Taken together, these changes mean that COPPA compliance is no longer just about age gates and privacy policy disclosures. It now directly implicates vendor management, advertising technologies, analytics tools, and security governance.
Why Just Claiming “We Don’t Collect Data from Children Under 13” May No Longer Be Enough
Historically, many organizations may have assumed that a disclaimer was all it took to avoid COPPA. That approach is increasingly risky.
First, the FTC has long taken the position that “actual knowledge” of children’s use—not just intent to target them—can trigger COPPA obligations. The new amendments add that the FTC may consider marketing or promotional materials, statements to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services.
Second, state laws are now expanding protections well beyond age 13, often up to age 18. As a result, organizations must think more carefully about who is actually using their products, not just who they are intended to serve.
State Laws: Expanding Protection for Minors
In parallel with the updated COPPA Rule, states have been actively passing laws that address minors’ privacy. Unlike COPPA, these laws do not all use the same age threshold, which significantly complicates compliance.
Some states focus on children under 13, while others extend protections to all minors under 18, and still others draw a line somewhere between.
A Closer Look at Maryland
Maryland’s law, described earlier in this series as the most important new privacy law of the year, is a good example of how nuanced these statutes can be. Effective in late 2025, Maryland’s Online Data Privacy Act goes further than other states by prohibiting organizations from selling personal data or engaging in targeted advertising if they know or should have known a consumer is under 18. Maryland defines targeted advertising as advertising directed to a person or a device using a unique identifier. This might create a practical challenge if an organization knows or should know that a minor is using the device.
New State Laws Protecting Minors
Recent and upcoming state laws with new protections for minors include the following:
Arkansas HB 1717 (effective 7/1/2026) – protects children under 18
Colorado SB 24-041 (effective 10/1/2025) – under 18
Delaware HB 154 (effective 1/1/2025) – under 18
Maryland SB 541 (effective 10/1/2025) – under 18 (data sales and targeted advertising)
Montana SB 297 (effective 10/1/2025) – under 18
New Hampshire RSA 507-H (effective 1/1/2025) – under 13
Nebraska LB 504 (Age-Appropriate Design Code Act) (effective 1/1/2026) – under 13
Vermont SB 69 (Age-Appropriate Design Code Act) (effective 1/1/2027) – under 18
Notably, the Age-Appropriate Design Code Acts (AADCs) are not traditional privacy laws, but they operate much like them. They impose affirmative design requirements on websites and apps likely to be accessed by children or teens, including data minimization, high-privacy default settings, and restrictions on certain design features.
Practical Pointers: What Organizations Should Be Doing Now
For organizations operating websites or mobile apps, it’s time for a comprehensive review.
Key steps include:
Revisit terms of use and privacy policies
Many companies still rely on outdated COPPA-only language stating that their services are intended for users 13 and older. If the organization does not intend to target teens, that language may need to be clarified or tightened. If it does intend to target teens, the policy should reflect that reality and address applicable state laws.
Align internal data and privacy processes with public disclosures
External statements should match internal practices, particularly around data sharing, advertising, analytics, and security safeguards.
Assess age thresholds and compliance strategy
Decide deliberately which age groups the organization intends to serve, what age thresholds it will use, and how it will comply with the relevant federal and state requirements.
Evaluate security and vendor practices
The updated COPPA security requirements and state law obligations make information security programs and third-party risk management more important than ever.
Looking Ahead
Children’s privacy law is no longer a narrow niche. Between the amended COPPA Rule, expanding state protections for minors, and the rise of age-appropriate design requirements, 2025 and 2026 mark a turning point. Organizations need to re-evaluate their approach in light of the changing legal landscape in order to best manage legal risk in the future.
