COPPA 2.0, officially the Children and Teens' Online Privacy Protection Act, updates the original 1998 COPPA law. It raises the privacy protection age threshold from 13 to 17, restricts targeted advertising to minors, requires data minimization for minor users, and expands FTC enforcement authority.

How does COPPA 2.0 affect my website's consent banner?

If COPPA 2.0 becomes law, websites that could have users under 17 will need age-aware consent flows. This means different consent rules for minors vs. adults, the ability to block ad tracking scripts for minor users, and potentially parental consent mechanisms. A simple accept/reject banner won't be sufficient.

Does COPPA 2.0 preempt state privacy laws?

No. COPPA 2.0 creates a federal baseline but does not preempt stricter state laws. Businesses still need to comply with state-specific minor privacy provisions from California's AADC, Connecticut, Maryland, and other states.

COPPA 2.0 Passed the Senate. Your Consent Flow Needs to Change

Q: When does COPPA 2.0 take effect?

COPPA 2.0 passed the Senate unanimously on March 5, 2026 and now heads to the House. If signed into law, businesses will likely have 12-18 months to comply. Given strong bipartisan support, some version is expected to become law.

TL;DR

COPPA 2.0 passed the Senate unanimously on March 5, raising the privacy protection age from 13 to 17. This means websites need age-aware consent flows, must block targeted ads for minors without parental consent, and can only collect data that's 'reasonably necessary.' Combined with 20+ state privacy laws, the compliance matrix is getting complex. Start auditing your audience demographics and evaluating your CMP's age-gating capabilities now.

On March 5, the U.S. Senate unanimously passed the Children and Teens' Online Privacy Protection Act - better known as COPPA 2.0. The bill updates a 1998 law that was written before smartphones existed, before social media existed, and before "data-driven advertising" was a phrase anyone used.

The original COPPA set the age threshold at 13. COPPA 2.0 raises it to 17.

That single change has massive implications for every website that collects data - which is virtually every website.

What COPPA 2.0 actually does

The bill was introduced by Senators Bill Cassidy (R-La.) and Edward Markey (D-Mass.), with bipartisan cosponsorship. Key provisions:

Age threshold raised to 17: Privacy protections that previously only applied to children under 13 now extend to all minors under 17
Targeted advertising restrictions: Companies cannot serve targeted ads to users they know are under 17 without verifiable parental consent
Data minimization for minors: Businesses can only collect data from minors that is "reasonably necessary" for the service being provided
Ban on push notifications to minors: Notifications designed to encourage engagement are restricted for users under 17
Expanded FTC enforcement: The FTC gains broader authority to enforce violations, with penalties that scale with the severity of non-compliance
No private right of action: Enforcement remains with the FTC and state attorneys general

The bill now heads to the House, where similar legislation has had bipartisan support. If signed into law, businesses will likely have 12-18 months to comply.

Why this changes the consent game

Here's the reality most website operators haven't processed yet: if COPPA 2.0 becomes law, any site that could have users under 17 needs a consent mechanism that accounts for age.

That's not a niche problem. That's an everyone problem.

The age verification question

Under current COPPA, websites that aren't "directed at children" can largely sidestep the law. COPPA 2.0 tightens this. If a website has "actual knowledge" or "knowledge fairly implied on the basis of objective circumstances" that a user is under 17, the enhanced protections kick in.

What constitutes "knowledge fairly implied"? The FTC will define this through rulemaking, but the direction is clear: if your analytics show a meaningful percentage of users are teens, you'll be expected to know that.

This means consent management platforms need to evolve beyond simple "accept/reject" banners. They need to handle:

Age-gated consent flows: Different consent requirements for users under 17 vs. adults
Parental consent mechanisms: For users under 13 (existing COPPA) and potentially for users 13-16 (COPPA 2.0)
Data collection restrictions: Blocking certain tracking categories entirely for minor users, regardless of consent

The advertising stack impact

The targeted advertising restrictions are where the money is - and where the pain will be.

If you're running Google Ads, Meta Pixel, TikTok Pixel, or any retargeting tool on your website, COPPA 2.0 says you can't fire those scripts for users under 17 without verifiable parental consent. In practice, that means:

Your consent banner needs to know user age before deciding which scripts to load
Ad tracking scripts must be blocked by default for minor users
Third-party data sharing must be restricted for the under-17 cohort
Consent records must distinguish between adult consent and parental consent for minors

Important

Most consent management platforms don't do this today. They treat all users the same - one banner, one consent flow, one set of rules. That won't work under COPPA 2.0.

The intersection with state privacy laws

COPPA 2.0 doesn't exist in isolation. It layers on top of an already complex state privacy landscape where 20 states now have comprehensive privacy laws.

Several of these state laws already have minor-specific provisions:

California (CPRA + AADC): The Age-Appropriate Design Code Act requires businesses to estimate the age of child users and provide high privacy protections by default
Connecticut: Requires opt-in consent for processing data of users aged 13-15
Alabama (pending): HB351 requires consent for targeted advertising and data sales for consumers ages 13-15
Maryland: Prohibits the sale of minor data entirely

COPPA 2.0 would create a federal baseline, but it doesn't preempt stricter state laws. So businesses still need state-specific handling on top of the federal requirements.

Tip

The compliance matrix: Under 13 - COPPA + state laws, verifiable parental consent required. 13-16 - COPPA 2.0 + state-specific rules, parental consent or enhanced protections depending on jurisdiction. 17+ - State privacy laws + GDPR (for EU visitors), standard consent flows with geo-aware rules.

What you should be doing now

Even though COPPA 2.0 hasn't been signed into law yet, the direction is unmistakable. Children's privacy is one of the few genuinely bipartisan issues in Washington - this bill passed unanimously. Some version of it will become law.

1. Audit your audience demographics

Check your analytics. If any meaningful segment of your traffic is under 17, you're in scope. This includes sites for education, gaming, entertainment, sports, news, and social platforms - but also e-commerce, media, and SaaS products used by families.

2. Evaluate your consent platform's age-gating capabilities

Can your CMP apply different consent rules based on user age? Can it block specific tracking categories for minors while allowing them for adults? Can it handle parental consent flows? If the answer is no to any of these, start planning now.

3. Review your advertising stack

Identify every script on your site that serves targeted ads or enables retargeting. Map which ones would be restricted under COPPA 2.0 for minor users. Ensure your consent management system can selectively block these.

4. Prepare for age estimation requirements

The FTC's rulemaking will likely define how businesses should estimate user age. This could range from age gates (self-reported) to more technical approaches. Your consent flow should be architected to accommodate whatever standard emerges.

5. Document everything

When enforcement begins, regulators will look at process, not just outcomes. Having documented policies around minor data handling, consent flows, and advertising restrictions will be as important as the technical implementation.

The bigger picture

COPPA 2.0 is part of a broader global trend toward protecting minors online. The EU's Digital Services Act already requires platforms to take measures to ensure a high level of privacy and safety for minors. The UK's Age Appropriate Design Code has been in effect since 2021.

The U.S. is catching up - and doing it through a combination of federal legislation (COPPA 2.0) and state-level innovation (California's AADC, state privacy laws with minor provisions).

For website operators, the takeaway is simple: treating all users identically in your consent flow is no longer an option. Age-aware, jurisdiction-aware consent management isn't a nice-to-have - it's becoming a legal requirement.