If you run marketing for a brand that touches kids, or if you work in compliance at a tech company, app platform, or digital agency, that date matters. A lot.

The FTC's amended COPPA rule has been sitting on the books since June 2025. But the compliance date arrives on April 22, and enforcement risk increases immediately after. The clock is nearly out.

Here's what changed, why it matters, and what happens if you ignore it.

First, A Quick Backstory

COPPA (the Children's Online Privacy Protection Act) has been around since 1998. Its whole job is to stop companies from collecting data on kids under 13 without telling their parents and getting consent.

The rules were last updated in 2013, when smartphones were still new and TikTok didn't exist. A lot has changed since then: biometrics, geolocation tracking, AI chatbots, and a data economy built on profiling users from the moment they first touch a screen.

After six years of rulemaking, the FTC finally pushed through significant amendments in April 2025. Companies were given a year to get compliant. That year ends in two weeks.

What Actually Changed

"Personal information" is a much bigger bucket now. The definition has been expanded to include:

• Biometric identifiers (face templates, fingerprints, retina scans, voiceprints)

• Audio recordings containing a child's voice

• Phone numbers (when used for parental contact)

• Precise geolocation data

• Government-issued identifiers

For marketing teams: if your platform collects voice clips from users, uses facial recognition, or pulls location data, and children under 13 could be using it, you're now in scope in ways you may not have been before.

Your Privacy Policy Needs More Detail

You now have to name the third parties you share children's data with, and explain what categories of data are going to which partners. A vague "we may share with trusted partners" line won't cut it anymore.

This includes your ad tech vendors, analytics tools, and any SDK you've embedded in a children's app or mixed-audience platform.

Data Retention Requirements Just Tightened

Gone are the days of keeping children's data indefinitely "just in case." The new rule requires:

• A written data retention policy describing why you collect each type of data and how long you'll keep it

• Deletion once the data is no longer needed for its original purpose

• No indefinite storage, full stop

Compliance teams: if you don't have a documented retention policy that explicitly covers children's data, this is the most urgent gap to close before April 22.

New Consent Methods, New Consent Obligations

The rule now allows text message and knowledge-based authentication as valid methods for obtaining parental consent, which is a practical upgrade from older, friction-heavy mechanisms.

But here's the catch for marketers: you need fresh parental consent whenever you share children's data with a new third party. The updated rule makes clear that adding a new third-party recipient is a material change that triggers re-consent requirements.

That means your customer data platform connections, your new attribution partner, your A/B testing tool: if they're receiving children's personal data and weren't previously disclosed, you need to go back to parents.

What's At Stake If You Don't Comply

The FTC has been consistent: COPPA violations are treated as unfair and deceptive trade practices, and they pursue them.

The precedent record is not encouraging for the casual non-complier:

• YouTube/Google (2019): $170 million for tracking children's viewing history to serve targeted ads. The largest COPPA fine on record at the time.

• TikTok/ByteDance (2019): $5.7 million for failing to verify the ages of users on Musical.ly.

• Disney (2025): $10 million for allowing third-party data collection from children watching kid-directed content on YouTube, without notifying parents or obtaining consent.

• Genshin Impact/Cognosphere (2025): $20 million for collecting data from children without parental consent and deceiving users about in-game purchase costs.

Civil penalties can exceed $50,000 per violation. In cases involving many children, that math compounds fast. The FTC also factors in prior compliance history, the number of children affected, and the sensitivity of the data collected.

And it's not just the FTC anymore. State attorneys general in New York, Texas, California, and dozens of other states have been actively pursuing children's privacy cases. Companies violating Florida's child online safety laws, for example, face fines of up to $50,000 per violation.

What Marketers Need To Do Right Now

1. Audit your data flows. Map out every piece of data collected from or about children on your platforms, including through third-party SDKs, ad networks, and analytics tools.

2. Review your vendor contracts. You're responsible for what your third-party partners do with children's data you share. Get written confirmation that key vendors meet COPPA standards.

3. Update your privacy notice. It must now include the identities and data categories shared with each third party, biometric data disclosures, and your retention policy.

4. Check your consent mechanisms. If you're on a mixed-audience platform, ensure parental consent workflows are current, clearly written, and triggered appropriately.

5. Train the team. Anyone who touches children's data (engineers, marketers, product managers) needs to understand what the new requirements mean for their work.

The FTC Is Not Done Turning Up The Heat

COPPA enforcement is getting more aggressive at the same time that the FTC's 2026-2030 strategic plan singles out children's data privacy as a top enforcement priority. The FTC has also been running "Operation AI Comply," cracking down on AI products making exaggerated claims, and children's AI products are squarely in the crosshairs.

Two weeks isn't a lot of time. But it's enough to close the most critical gaps, especially on data retention policies and privacy notice updates, if you move now.

The companies that treat this as a box-ticking exercise tend to be the ones that end up in enforcement headlines. The ones that treat it as a genuine privacy obligation tend to build consumer trust that pays off long-term.

April 22. Mark it.