Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Breaking Regulation

COPPA AI Rule Takes Effect: What Businesses Must Know

The FTC's updated COPPA rule enters mandatory compliance April 22, requiring separate parental consent before children's data is used for AI training.

Enterprise DNA | | via Data Protection Report
COPPA AI Rule Takes Effect: What Businesses Must Know

As of today, April 22, 2026, the Federal Trade Commission’s amended Children’s Online Privacy Protection Act (COPPA) rule enters mandatory compliance. The updated rule, which the FTC voted 5-0 to adopt in January 2025 and published in the Federal Register almost exactly a year ago, carries a provision that is particularly significant for anyone building or deploying AI: you can no longer use children’s personal data to train AI models without obtaining separate, explicit parental consent.

This is not a gray area. The FTC has stated clearly that disclosing a child’s personal information to train or develop AI technologies is “generally not considered integral to a website or online service.” That single sentence reshapes the data pipeline for EdTech companies, AI labs, voice assistants, and any consumer product that might be used by a person under 13.

What Changed

The updated COPPA rule makes four key changes that affect AI-driven businesses:

1. Separate consent for AI training. Companies that want to use children’s data to train or improve AI models must now obtain parental consent specifically for that purpose. Bundling it into a general privacy consent flow is no longer sufficient. The consent request must be standalone, verifiable, and clearly describe how the data will be used.

2. Biometric data is now explicitly protected. The rule expands the definition of “personal information” to include biometric identifiers: voiceprints, facial templates, fingerprints, retina scans, and gait patterns. If your voice AI product processes a child’s voice, that audio and any derived voiceprint is now subject to COPPA’s consent and retention rules.

3. Indefinite data retention is banned. Companies must establish and maintain a written data retention policy for children’s data, with a defined deletion schedule tied to the purpose for which the data was collected. Keeping children’s data indefinitely “just in case” is no longer permissible.

4. Data sharing requires its own consent. Sharing children’s personal data with any third party, including AI vendors, analytics platforms, and advertising networks, now requires separate parental consent. This has downstream implications for every business that uses third-party AI tools that process customer data, if those customers might include minors.

Violations carry penalties of up to $51,744 per incident per day. The FTC has a history of following through: YouTube paid $170 million in 2019, TikTok paid $5.7 million the same year, and those were under the old rules.

Who Is Actually Affected

The most obvious targets are EdTech companies and consumer apps with young audiences. But the blast radius is broader than most businesses realize:

Voice AI products. Any voice assistant or AI phone agent that could receive a call from or interact with a person under 13 now generates data that falls under COPPA’s expanded biometric provisions. Voice AI companies need to audit whether their products could encounter minors and, if so, what data is being collected and how long it is retained.

AI-powered learning tools. If you offer any educational product with an AI tutor, writing assistant, or adaptive learning engine, the AI features require separate parental consent from the core product.

Customer-facing AI agents. Businesses that deploy AI agents for customer support, intake, or communication need to understand whether their customer base includes anyone under 13, and if so, whether their AI vendor’s data practices meet COPPA’s new standards.

Data teams using AI for analytics. If your business collects data on users that might include children (a reasonable assumption for any consumer-facing service), you need to review your AI analytics pipeline for COPPA compliance.

What This Means for Business

There is a compliance cost here, and it falls harder on smaller companies. The engineering work required to build consent-aware data pipelines, segment children’s data from general training sets, and establish documented retention policies scales by complexity, not by user count. Large platforms with existing compliance infrastructure absorb these costs more easily than startups and small businesses.

The regulation also creates a market signal. AI products that can demonstrate clear, auditable COPPA compliance will have a meaningful trust advantage in any market where families are customers — education, healthcare, retail, entertainment, and more.

The deadline is today. If your business uses AI in any context that could involve children’s data and you have not yet conducted a COPPA audit, the first step is understanding your data flows: what you collect, where it goes, whether any of it feeds AI systems, and whether parental consent is in place.

If you want the playbook other teams are using with Claude and Codex right now, grab the free Working With Claude field guide. Download it here.