Companies Wrestle With Federal, State Rules on Kids’ Privacy

December 5, 2025, 10:00 AM UTC

A two-pronged push by states and the Federal Trade Commission is forcing companies to reassess their children’s privacy compliance. As states including Texas and Utah roll out new laws, the FTC has signaled it will use its full power to protect children.

There are “inadequacies” in the Children’s Online Privacy Protection Act, which protects the data of users 13 and under, FTC Chairman Andrew Ferguson said in a public appearance last month. “But we ought to push this thing to its absolute limit and protect as many children in as many ways as we can,” he said.

The federal and state regulatory push is forcing companies to reconsider compliance as the age limit for who is covered rises and companies can no longer rely on traditional means of verifying user ages — potentially leading to a massive widening of which companies will be subject to children’s privacy laws in 2026.

After Ferguson took over as agency head in January, the FTC rolled out three COPPA enforcement actions including a $10 million settlement with Walt Disney Co. and a case against toy company Appitor. States, meanwhile, have brought their own COPPA cases while also creating a patchwork of laws. More than a dozen state laws extend special privacy protections to kids up to 16, with at least four states raising protections to minors under 18.

As a result, attorneys are advising companies to rethink if their products might fall in enforcers’ cross hairs.

“In the past, we’ve seen a lot of companies that are kind of on the fringe,” said Shelby Dolen, associate at Troutman Pepper Locke. “But I’m really encouraging our clients to reevaluate whether they do meet any of those knowledge standards and have children visiting their websites or services.”

New Scope

One of the biggest questions troubling companies at both the state and federal level is a narrowing divide between compliance for companies that explicitly target children and those that don’t.

“With the amount of activity coming out of the FTC, companies have gone back to evaluate to what extent they might potentially be in scope,” said Idara Udofia, partner at Reed Smith LLP.

Changes to the COPPA rule, which took effect in June, expanded its definition of personal information to include biometrics, stricter data retention requirements, and the requirement of separate parental consent for disclosing children’s data to advertisers.

As some states expand protections to all minors, companies have to rethink their design processes, said Alexandra Sumner, chief privacy officer and corporate counsel for Microhealth and privacy consultant. “Companies have to decide whether they want to just treat someone like a child until they turn 18 or if they want to create some sort of intermediary version,” she said.

Among new compliance challenges are age verification laws from Texas and Utah going into effect in 2026 that require app stores to send age signals to developers, potentially subjecting new companies to state and FTC enforcement.

“I think that there is much greater attention being paid to what’s happening in Texas and Utah and California than there is at the FTC,” said Amy Lawrence, chief privacy officer and head of legal at marketing technology company SuperAwesome.

FTC Reach

That doesn’t mean companies don’t have to worry about the nation’s top consumer watchdog.

To the contrary, FTC Chairman Ferguson directed staff at the start of his term to bring him “as many” COPPA cases as they could find. Cases against Disney, robot company Appitor, and messaging app SendIt for unlawfully collecting the data of children under 13 followed.

“From a company perspective, they’re interested in what the commission is prioritizing, interested in how they might prioritize the new COPPA rule,” said Sara Kloek, vice president of education and youth policy at the Software & Information Industry Association.

Failures to comply with COPPA rule changes, including requirements to only retain data as long as “reasonably necessary,” will be “low-hanging fruit” for the FTC, said Dona Fraser, senior vice president of privacy initiatives at BBB National Programs.

“That is where so many companies get tripped up,” she said. “Only collect the data that’s absolutely necessary.”

The FTC hasn’t neglected teens either, turning to its authority over unfair and deceptive practices when COPPA does not apply. In the SendIt case, the agency alleged the app had deceived teens by sending them fake provocative messages to get them to subscribe. This month, it reached a settlement with an education technology provider over data breach allegations.

Compliance in 2026

Looking ahead, companies will need to balance both state and FTC trends.

“Companies are really forced to try and figure out what those broader trends are, where these things are heading, as opposed to interacting or only dealing with one particular law,” said Brian McGinnis, partner at Barnes & Thornburg LLP.

Ferguson said at a November public appearance the agency was considering further amendments to the COPPA rule. At the time of final passage in January, then-commissioner Ferguson objected that the rule didn’t clarify if children’s data could be used for age verification and that it limited data retention in a way that could harm users.

Bigger enforcement actions could be coming in 2026, especially as the agency explores the impact of AI chatbots on teens through an informational study that could inform future actions.

At the state level, companies are watching closely how new teen data privacy laws will be enforced—and how they will hold up in court. More than a half dozen states putting guardrails around the privacy of older kids have seen legal challenges from tech industry groups including NetChoice and Computer & Communications Industry Association.

The outcomes of those challenges, especially to the Texas law, could have implications for how companies handle consent flows and parental permissions.

“The days of relying on things like some form of parental consent, relying on privacy policies that state that children aren’t supposed to be using this even when you have knowledge that they probably are, are kind of gone,” said McGinnis.

To contact the reporter on this story: Tonya Riley in Washington at triley@bloombergindustry.com

To contact the editors responsible for this story: Jeff Harrington at jharrington@bloombergindustry.com; Catalina Camia at ccamia@bloombergindustry.com
