COPPA's April 22 Amendments: What Changed for EdTech Operators in 2026

The FTC’s 2025 COPPA Final Rule took effect April 22, 2026 with no grace period. Here’s what changed for EdTech operators: new biometric and geolocation data categories, data minimization and retention requirements, unbundled consent mechanics, and an expanded verification menu.


The Compliance Deadline That Already Passed

April 22, 2026 was not a target date — it was a hard cutoff. The FTC's 2025 COPPA Final Rule, published exactly one year before its compliance date, carried no grace period and no soft-launch window. Operators of websites, apps, and connected products that collect personal information from children under 13 were either compliant on that date or they were not. For many operators who have not yet audited their data practices against the amended rule, the answer is not.

The financial exposure is not theoretical. FTC civil penalties for COPPA violations run $53,088 per violation per day under the agency's current inflation-adjusted authority. For a platform with thousands of child users, a single non-compliant data practice does not produce a single violation — it produces one for each affected child, each day. The arithmetic compounds quickly, and the FTC has shown no reluctance to pursue large penalties against operators who treat children's privacy obligations as optional.

The FTC does not issue compliance deadlines as suggestions. With $53,088 per violation per day in available civil penalty authority and a documented willingness to pursue EdTech operators who treat children's privacy requirements as optional, the question is not whether enforcement is coming — it is which platform draws the first action under the new requirements.

The sections that follow break down exactly what the 2025 Final Rule changed: expanded definitions, new consent mechanics, data retention limits, and the structural requirements that affect how EdTech operators build and document their compliance programs. If your organization has not yet completed its compliance review, contact Promise Legal to assess your current exposure before the next enforcement action makes the decision for you.

New Data Categories: Biometrics, Geolocation, and What COPPA Now Covers

The April 22, 2026 amendments to 16 CFR 312.2 expand COPPA's definition of "personal information" in two directions that hit EdTech products hard: biometric identifiers and precise geolocation. These are not interpretive extensions — they are enumerated additions to the regulatory text, which means a product that touches either category is now unambiguously inside COPPA's consent and notice requirements.

Biometric identifiers now covered under the amended rule include fingerprints, handprints, retina patterns, iris patterns, and genetic data (including DNA sequences). EdTech products using fingerprint-based device authentication, iris scanning, or any feature that processes a child's genetic information now fall unambiguously within COPPA's consent requirements. Notably, the FTC declined to include voice-derived data, facial-derived data, and gait-derived data in the final biometric definition — these were proposed in the 2024 NPRM but removed from the final rule after public comment about overbreadth. Operators using speech recognition or facial recognition features should assess their obligations under separate personal information categories (such as audio files containing a child's voice, which were already covered under 16 CFR 312.2 before the amendments) rather than the new biometric provision.

Precise geolocation is defined as information sufficient to identify a street name and city or town. Classroom check-in features, tutoring apps that surface local resource recommendations, or any SDK that logs IP-derived city-level location data all fall within this definition. If your product knows a child is at a particular street address or named neighborhood, COPPA's consent framework now applies to that data point specifically.

The amended rule addresses one more category that EdTech operators should flag immediately: AI training data. The FTC's preamble states explicitly that disclosures of children's personal information to third parties to "train or otherwise develop artificial intelligence technologies" are not integral to the underlying service, and therefore require separate verifiable parental consent under amended 16 CFR 312.5(a)(2). If your company licenses user data — including interaction logs, voice recordings, or assessment responses — to a model vendor, that arrangement now requires its own consent pathway, independent of any consent already collected at onboarding.

Data Minimization and Retention: Two New Structural Requirements

The April 22 amendments introduced two obligations that go beyond updating a privacy policy — they require changes to what data your systems collect and how long your infrastructure holds it. Under amended 16 CFR 312.7, operators now carry an affirmative data minimization duty: collection must not exceed what is reasonably necessary to fulfill the specific purpose for which the parent gave consent. Critically, operators cannot condition a child's participation on collecting more than that baseline. If your platform gathers behavioral analytics or device data beyond what the core educational feature actually needs, that collection is no longer defensible on the theory that a parent clicked through a broad consent screen.

The retention side is equally concrete. Amended 16 CFR 312.10 now requires a written retention policy that specifies the purposes for keeping each category of data, the business necessity justifying the retention period, and a defined timeframe after which deletion occurs. That policy must appear in the operator's online notice — it cannot live only in internal documentation. For EdTech companies, this directly targets the accumulation of student learning records: assessment histories, performance logs, and behavioral analytics cannot be held indefinitely unless a documented, publicly disclosed business reason supports the timeline. The FTC's preamble to the rule made clear that preventing indefinite data accumulation was a primary design goal of the retention amendments.

Both requirements are structural. A minimization obligation demands that engineering and product teams audit data collection pipelines, not just that legal teams redraft a notice. A retention schedule requires per-category decisions baked into database architecture — automated deletion, not a policy statement promising eventual cleanup.

Compliance checklist for these two requirements:
• Audit every data field collected from child users — map each to a specific disclosed purpose
• Remove or gate any collection that exceeds what that purpose requires
• Draft a written retention schedule with a defined deletion timeframe for each data category
• Publish the retention policy in your online COPPA notice before enforcement begins
• Verify that deletion processes are automated, not manual

The amendments restructure how operators must obtain and document parental consent across three dimensions: how consent is collected, what notices must say, and how identity is verified. Each dimension carries its own compliance obligation — and failing any one of them creates standalone liability.

Amended 16 CFR 312.5(a)(2) now prohibits bundling consent to third-party data disclosure into the same mechanism as consent to collection; it requires separate consent mechanisms for non-integral third-party disclosures. The Commission drew the line clearly: disclosures to third parties for monetary consideration, advertising purposes, or AI training and development are not integral to the service and require separate, independently revocable consent. If your current flow gets one parental approval that covers both service access and downstream data sharing, it needs to be split before the compliance deadline.

Name Your Third Parties in Direct Notices

Amended 16 CFR 312.4(c)(1)(iv) eliminates the placeholder language that characterized earlier-generation privacy notices. Operators must now identify the names or categories of specific third parties receiving children's personal information and state the purpose of each disclosure. "We share data with select partners" is no longer sufficient. If your product passes data to an analytics vendor, an LMS integration, or an advertising SDK — even passively — those recipients and their purposes must appear in the direct notice parents receive.

Choose From Three New Verification Methods

The Final Rule added three new options to the verifiable parental consent menu: knowledge-based authentication using dynamic questions a twelve-year-old could not reasonably answer (new § 312.5(b)(2)(vi)); face match to a government-issued photo ID with live camera comparison, with the image deleted after the match is confirmed (new § 312.5(b)(2)(vii)); and a text-plus method via mobile phone analogous to the existing email-plus approach (new § 312.5(b)(2)(ix)). For most EdTech operators, the text-plus option will be the most accessible addition — it lowers friction compared to ID upload while still meeting the heightened verification standard.

K-12 operators relying on school authorization: The 2025 Final Rule did not modify the school authorization exception — the FTC deferred all EdTech-specific amendments, including any changes to 16 CFR 312.5(b)(1), pending further rulemaking informed by Department of Education FERPA guidance. The existing school authorization framework remains in place. Operators should monitor for a follow-on EdTech-specific rulemaking that may address the scope of school authorization; meanwhile, prior FTC guidance limiting the exception to legitimate educational purposes within the school context remains the operative standard.

Building Your Compliance Response

Translating the amended 16 CFR Part 312 into a compliance project means treating this as eight discrete workstreams, not a single policy refresh. Operators who approach it that way will surface the gaps that matter — and avoid the most common planning error, which is updating only one of the two required notice documents. The 2025 amendments imposed parallel obligations on both the public online notice under 312.4(c) and the direct parental notice under 312.4(d). Updating your privacy policy but leaving the direct notice unchanged leaves you facially non-compliant regardless of how thorough the policy revision is.

8-Checkpoint COPPA Audit (April 2026 Amendments)

1. Data inventory — catalog biometric and precise geolocation data collection points
2. AI training disclosure — identify any children's data used to train or fine-tune models; update disclosures accordingly
3. Consent flow unbundling — verify no general terms checkbox is doing the work of specific consent
4. Direct parental notice update — add all named third parties as required under 312.4(d)
5. Retention policy — draft retention limits and disclose them in both notice documents
6. Data minimization review — confirm collection is limited to what's necessary for disclosed purposes
7. Verification method audit — assess whether current parental verification methods satisfy amended 312.5 standards
8. School authorization scope review — confirm operator-school agreements align with the amended school-authorization pathway

Prior enforcement gives this project its stakes. The FTC's $6 million settlement with Edmodo — which targeted systemic violations including data used for advertising — demonstrates the agency's appetite for pursuing EdTech operators with multi-year exposure. No enforcement actions specifically citing the 2025 Final Rule have been filed yet; the compliance deadline only passed on April 22, 2026. That gap is an advantage for operators who move now. Being demonstrably compliant before the first wave of enforcement actions is filed is a materially different position than scrambling in response to an investigative inquiry.

The compliance project has a clear skeleton: data inventory, two notice documents updated in parallel, consent flow rebuild, retention policy, and school authorization review. Each workstream requires mapping the amended regulatory text against your live data flows — not against what your product was doing two years ago. EdTech operators working through these checkpoints often find that the data inventory step alone surfaces collection points that the original product design never accounted for.

If your team is working through these checkpoints and needs a structured gap analysis, schedule a COPPA compliance review with Promise Legal to identify exposures before they become enforcement targets.