Time Is Running Out: The COPPA Compliance Deadline Every Website Owner Needs to Know

On April 22, 2026, the Federal Trade Commission's amended Children's Online Privacy Protection Rule becomes enforceable. If your website collects data from anyone under 13, or if you run what the FTC now defines as a "mixed audience" website, the clock is almost out.

This isn't a warning for the distant future. It's a deadline most website operators don't know they're already approaching.

What the COPPA Amendments Actually Changed

The FTC published the finalized COPPA Rule amendments in April 2025, giving businesses exactly one year to come into compliance. The original COPPA Rule has been in place since 2000 and was last updated in 2013. It was built for a different internet. The 2025 amendments caught up with how data actually flows in 2026.

The most significant changes:

Expanded definition of personal information

Biometric identifiers, including facial geometry, fingerprints, and voice prints, are now explicitly classified as personal information under COPPA. If your site uses any facial recognition, biometric authentication, or similar technology accessible to users under 13, that data is now regulated.

Separate consent for targeted advertising

This is the change that will hit the most operators. Under the amended Rule, you cannot share a child's personal information with a third party for targeted advertising unless you obtain separate, specific parental consent for that purpose. Bundled consent, a single checkbox that covers everything, is no longer enough.

Mixed audience websites now have explicit requirements

A "mixed audience" website is one that is directed to children but does not target children as its primary audience. If your site appeals to a general audience that includes minors, you now have specific obligations: age screening for all users before collecting personal information, and strict limits on what you can collect from visitors who may be children.

Written security and retention programs required

Operators must establish and maintain a written information security program and a written data retention policy. If you don't have documented policies for how you secure and eventually delete children's data, you're out of compliance as of April 22.

Who This Affects (Beyond the Obvious)

The easy assumption is that COPPA only applies to apps and websites explicitly marketed to children: games, educational platforms, kids' entertainment. That's wrong, and it's the assumption that leads to enforcement.

The FTC's definition of a "child-directed" website covers any online service whose subject matter, visual content, music, celebrities, or animated characters could appeal to children under 13. That's a broad net. It can include:

• Sports media platforms (PlayOn Sports found this out the hard way)
• Fitness apps
• Cartoon-adjacent entertainment
• Online communities with younger demographics
• Retail sites that sell products popular with children

The new "mixed audience" category adds even more operators to the compliance universe. If your analytics show any meaningful segment of users under 13, or if your content could reasonably appeal to minors, you need to take the April 22 deadline seriously. We covered one of those enforcement actions in detail in PlayOn Sports' $1.1M CCPA Fine.

The Targeted Advertising Consent Problem

The most operationally complex requirement in the amended Rule is the separate consent mandate for targeted advertising.

Under previous COPPA guidance, many operators handled parental consent with a single blanket agreement. The amendments end that approach. Now, if you want to share a child's data with an advertising platform, a data broker, an analytics provider, or any third party for targeted advertising purposes, you need a separate opt-in from the parent that identifies:

• The specific categories of third parties receiving the data
• The purpose for which the data will be disclosed

This means your consent flow needs to present parents with a genuine, specific choice about advertising, not just a bundled terms-of-service acknowledgment. Operators that rely on ad networks like Google AdSense, Facebook Audience Network, or similar programmatic advertising platforms need to review whether those integrations are compatible with this requirement.

Age Screening Under the New Rule

Mixed audience websites now face an explicit obligation to implement age screening before collecting personal information. The FTC's amended Rule allows several methods:

• Knowledge-based authentication questions that a child under 12 could not reasonably answer
• Comparison of a government-issued ID image against an image of the parent's face (for parental consent)
• Other reliable mechanisms the FTC has recognized

This creates a new design requirement: gates before data collection, not after. If your site asks for an email address, a name, or allows account creation without first determining whether the user is a minor, you're collecting first and asking questions later. That approach doesn't comply.

This is exactly the gap we built age-gated consent to close, and it's the same gap the FTC is pointing at with the amended Rule.

Enforcement Context: The FTC Is Actively Looking

The April 22 deadline isn't theoretical enforcement. The FTC has been building toward this.

In March 2026, the FTC took action against OkCupid and Match Group for sharing user data, including photos and location information, with a third party in violation of their stated privacy policy. The FTC also recently settled a case involving a mobile gaming company (Jam City, maker of Harry Potter and Frozen-branded games) for COPPA violations related to children's data in gaming environments.

The pattern is consistent: the FTC is targeting operators who make privacy promises they don't keep, who collect children's data without proper consent, and who use that data for advertising without authorization. COPPA enforcement is not hypothetical, and April 22 is not a soft deadline.

What Consent Management Looks Like Under the New Rules

Meeting the April 22 requirements isn't just a legal checkbox exercise. It requires changes to how your site actually handles data collection and script execution.

Script blocking by default

Any tracking, analytics, or advertising scripts that could collect data from users under 13 must be blocked until you've confirmed the user's age and, where required, obtained parental consent. This is especially critical for mixed audience websites, where you can't assume every visitor is an adult.

Layered consent flows

Parental consent for core functionality and parental consent for targeted advertising are now separate requirements. Your consent management system needs to handle both, and record both independently.

Age gate implementation

Before collecting any personal information, mixed audience websites need a mechanism to determine whether the user is under 13. The design of these gates matters: the FTC has specifically called out gates that are trivially easy for a child to bypass (entering a false birth year, for example) as insufficient.

Third-party disclosures by category

Your parental consent notice for advertising must identify the categories of third parties receiving the data. This means knowing your own tech stack: which advertising platforms, analytics tools, and data brokers are receiving data from your site, and being able to describe them in plain language to parents.

Written retention and deletion policies

Children's data must be retained only as long as necessary for the purpose it was collected, then deleted. Your CMP or data management system needs to support this, and you need a written policy documenting it.

The State Patchwork Is Only Getting More Complex

COPPA compliance doesn't exist in a vacuum. The same week this federal deadline hits, state-level privacy requirements continue to multiply.

Virginia's Governor signed an amendment on April 13, 2026, prohibiting the sale of precise geolocation data under the Virginia Consumer Data Protection Act, effective July 1, 2026. Kentucky signed its own amendment the same day, classifying automatic content recognition data from smart TVs as sensitive data requiring opt-in consent.

Each new state law adds requirements on top of COPPA: different consent standards, different opt-out mechanisms, different definitions of sensitive data. Managing this manually, across multiple jurisdictions, is not a sustainable approach. Oklahoma became the 21st state with a privacy law in March 2026, and the pace isn't slowing.

The federal COPPA framework doesn't preempt stricter state children's privacy laws. Several states have their own requirements that go further than COPPA. That means your compliance program needs to track both.

Where AutoCMP Fits

AutoCMP is built to handle exactly the technical requirements the amended COPPA Rule creates:

• Script blocking by default — no tracking or ad tech fires until consent conditions are satisfied
• Layered consent flows — separate consent records for core functionality and advertising, with parental consent support
• Age-aware consent logic — geo- and age-based rules that apply the correct consent standard for each user
• Third-party script categorization — audit what's actually loading on your site, so you can disclose it accurately
• Consent logging — records of every consent interaction for audit and enforcement defense
• Multi-jurisdiction support — COPPA, GDPR, CCPA, and the growing list of state requirements, handled automatically

For the product context behind the age-gating piece, see COPPA 2.0 Is Why We Built Age-Gated Consent Into Our CMP. For the legislative direction beyond this deadline, see COPPA 2.0 Passed the Senate.

The Bottom Line

COPPA's 2025 amendments are not a vague future obligation. The compliance deadline is April 22, 2026. The FTC is actively enforcing children's privacy rules. The targeted advertising consent requirement alone will require changes to how most websites handle ad tech for mixed audiences.