The COPPA deadline: Kids’ privacy meets the fine print

This is how a lot of American policy becomes real: one quiet morning, one unglamorous deadline, a thousand compliance calendars. No ribbon. No anthem. Just the moment when “guidance” turns into “enforceable.”

April 22 is the full compliance date for the FTC’s updated COPPA rule, the biggest rewrite of the kids’ online privacy playbook since 2013. The amendments were finalized and published in the Federal Register in April 2025, took effect in 2025, and came with a one-year runway that ends today. Now the training wheels come off. Now the rule lives in the real world, where press-release smiles get replaced by lawyer-grade jaw clenching.

What the updated COPPA rule does (in plain English)

COPPA is the federal law that gives parents control over the collection and use of personal information from children under 13. The FTC enforces it. The Commission adopted amendments meant to modernize COPPA for an internet that has learned to turn childhood into a revenue stream.

• Data minimization by time: limits on keeping kids’ data longer than necessary.
• Paperwork with a purpose: a requirement to maintain a written children’s data retention policy.
• Stricter sharing rules: updated rules around third-party disclosures and parental consent.
• Broader definition of “personal information”: including biometric identifiers and government-issued identifiers.

Bloomberg Law’s reporting captures the immediate business reality: new enforcement risk starts when the deadline hits. And it is not just for firms that think of themselves as “kids companies.” COPPA has always had a hook for general-audience services that knowingly collect from children. The modern web has plenty of “general audience” products with kid-sized footprints.

The Paine test: Does this expand liberty, or concentrate power?

For families, a stronger COPPA can expand liberty in the basic, underrated way: fewer hidden third-party disclosures, less indefinite retention, more structure around security. The freedom here is the freedom not to be profiled before you can spell “profile.”

But the other half of liberty is power. COPPA enforcement sits with the FTC: capable of real consumer-protection good, and also unelected, often operating through settlements, consent orders, and the quiet leverage of “we can make this very expensive.” Broad rules plus discretionary enforcement should make any adult reach for guardrails.

The Orwell check: When “compliance” becomes a moat

Watch the euphemisms. “Monetize” can mean track. “Engagement” can mean compulsion. “Support for internal operations” can cover a lot of vendor behavior that smells like third-party measurement while wearing a “service provider” label.

Deadlines can discipline markets, and they can also reshape them. Big platforms can staff privacy teams to map data flows, vet vendors, and build consent machinery. Small developers often have a founder, a contractor, and a dream. Complexity can become a moat.

The tradeoff: Less tracking, more accountability, no surveillance starter kit

The tradeoff worth making is stricter limits on collecting, sharing, and retaining children’s data, paired with clearer transparency and due process around enforcement. The tradeoff worth rejecting is “trust us” from companies that treated childhood like an oil field, or from government that sometimes treats discretion like a birthright.

And one tension should stay front and center: protecting children online should not become a back door for normalizing age verification or broader identity checks for everyone else. So here is the question: if kids’ privacy is the goal, what guardrails should we demand so the next “protection” does not quietly become a permission slip for wider surveillance?