This week, the Federal Trade Commission (FTC) updated the law that is supposed to protect children's data online. On April 22, 2026, the amended Children's Online Privacy Protection Act (COPPA) rule took effect. It's the first major update to the law since 2013. The new rules are a step forward. They explicitly protect biometric data. They limit how long companies can keep your child's information. They force transparency. But there's a catch. A massive loophole.

The same law that says "you can't take my child's face without permission" also says "unless we claim we need it for age verification." Here's what changed, what it means for your child, and where the gaps remain.

The Big Shift: Finally, Your Face is Data

The FTC didn't just tweak the rules; they overhauled the definition of "personal information" to match the technology of 2026, not 2013.

The most significant change for is that biometrics are now "personal information." The definition of protected data now explicitly includes facial recognition data, voiceprints, and other sensor-derived identifiers.

Before April 2026, a platform could argue that a "face scan" was just a "feature," not "data," but now, the law is clear: Your child's face is their data. If an app collects a 3D map of your child's face, it is subject to COPPA. It requires parental consent, a privacy plan and deletion when the purpose is fulfilled.

They also tightened the screws on third-party sharing. Operators can no longer bundle "we share your data" into a single "I Agree" click. They must now obtain a separate, verifiable parental consent before disclosing children's data to third parties for targeted advertising or other secondary uses. This means the "data broker" model is now harder to hide. If an app wants to sell your child's location data to an advertiser, they need a specific, separate "yes" from you.

And for the first time, companies must publish a publicly accessible privacy plan that details exactly how they collect, use, retain, and delete children's data. No more vague "we may share data with partners" language. They have to spell it out. Plus, they can no longer hoard your child's data forever. The rule mandates concrete data-retention schedules. Data must be deleted once it is no longer necessary for the purpose it was collected.

Finally, they've strengthened security obligations. Operators must now have a written information security program, conduct annual risk assessments, and designate specific employees to coordinate security. It's no longer enough to have a "privacy policy." You need a security program.

The "Age Verification" Loophole

Here is where the law gets tricky. On February 25, 2026, just weeks before the new rules took effect, the FTC issued a Policy Statement that creates a massive exception.

The statement says: If a general-audience service (like Instagram or TikTok) collects children's data solely for age-verification purposes, they are exempt from the parental consent requirement. The irony is palpable. This is the exact justification many platforms use when they demand a selfie. "We need to verify your age."

Under the new rules, if an operator claims the biometric data (the selfie) is only for age verification, they can collect it without your consent. They don't need to publish a privacy plan for that specific data poin or delete it after verification (unless they claim they do).

"Age verification" is a black box. How do you know if the selfie is only for age verification? How do you know if it's also being used to train their facial recognition models? How do you know if it's being sold to data brokers?

The law protects the data on one hand and creates a pathway to collect it without consent on the other.

What This Means for Parents

The Good: You now have legal backing to demand transparency. If an app collects your child's biometric data for advertising or profiling without consent, it violates federal law. You can file a complaint with the FTC.

The Bad: Enforcement is the bottleneck. The FTC has limited resources. They are prioritizing "high-risk" services, but the vast majority of violations will go unpenalized. You are relying on a government agency to police a trillion-dollar industry.

The Ugly: The age-verification exemption means platforms can still demand your child's face. They just have to call it "verification" instead of "identification." And once they have it, the line between "verification" and "data collection" is blurry.

The new rules require "verifiable parental consent." But the interfaces for granting consent are often dense, confusing, and full of dark patterns.

For neurodivergent parents (or parents assisting neurodivergent children), these consent flows can be overwhelming. Long legal texts, nested menus, and confusing toggles can trigger anxiety or shutdown. The "right to consent" is hollow if the interface is a maze.

The FTC added new consent options, including "Text Plus" (sending a text to verify). This may be more accessible for some parents, but it still requires a phone number—another data point that is now in the system.

Legal protection is only meaningful if the person it protects can actually exercise it. If the consent interface is designed to confuse, the right to consent is a trap.

What Still Needs to Change

There are still gaps. Parents cannot sue under COPPA. Only the FTC can enforce. This means your recourse is to file a complaint and wait. You cannot take a company to court for violating your child's privacy.

And the law only covers children under 13 so teenagers (13-17) have no federal privacy protection specific to their age group. If your child just turned 14, the new rules do not apply to them.

Plus, foreign-based apps and services are harder to enforce against. If a server is in a country without a data treaty with the US, the FTC has limited reach.

The Law Is a Shield, Not a Sword

The new COPPA rules are progress. Biometrics are now protected, data retention is now limited and transparency is now required. But the law is reactive, not proactive. It punishes violations after they happen. It does not prevent the data from being collected in the first place.

The age-verification loophole is a reminder that the law is written by politicians, not technologists. It tries to catch up to the machine, but the machine is always one step ahead. The law is a shield, but you are the one who has to hold it. Audit the permissions, read the privacy plan and refuse the selfie. The FTC just gave you better armor—use it.