Contact Us

09 Apr

COPPA updated

2026 Requirements and What’s Changed

A Practical COPPA Guide for Product Managers, Engineers, and Trust & Safety Teams

The FTC’s amended COPPA Rule compliance deadline is April 22, 2026. If your game has users under 13, or has reason to, your data architecture, consent flows, and third-party integrations are all in scope.

We work with gaming studios on the trust and safety infrastructure that sits underneath their communities. That means we’re in scope too. When the amended rule makes clear that operators are responsible for every third-party integration that touches children’s data, that includes your moderation platform. It’s part of why we’re writing this guide and why we’re being specific about what it means for your entire stack, not just your first-party code.

This guide is for product managers, engineers, trust and safety leads, and legal teams working with technical counterparts. It covers what changed, what it means for game companies specifically, and where to start.

What Changed: The 5 Key Updates at a Glance

  • Stricter parental consent standards – Low-friction consent flows (email-plus-confirmation, etc.) may no longer satisfy the rule
  • Explicit data minimization – You can only collect what’s necessary for the specific service the child is using
  • Third-party integrations in scope – You’re responsible for SDK and ad network compliance, not just your own code
  • Expanded “actual knowledge” standard – “We don’t ask for age” is a weaker defense for general audience games with under-13 usership
  • Disaggregated advertising consent – Parents can refuse targeted advertising while consenting to core data practices

What Changed (In Detail)

COPPA has been law since 1998. The amended rule doesn’t replace the framework, it sharpens and expands it in response to how digital platforms have evolved. The core obligations remain: verifiable parental consent before collecting personal information from children under 13, accurate privacy notices, data security, and the right to delete. What’s changed is the detail, the scope, and the enforceability.

1. Parental consent mechanisms are subject to stricter standards

The amended rule narrows what counts as “verifiable parental consent.” Low-friction mechanisms (email-plus-confirmation, credit card verification with negligible friction, knowledge-based authentication) face higher scrutiny. The FTC is signaling a preference for methods that meaningfully verify the consenting adult is actually a parent or guardian.

For game companies, this often means revisiting account creation flows for under-13 users. If your parental consent mechanism was designed for ease of completion rather than actual verification, it may no longer satisfy the rule.

2. Data minimization is explicit and operationalized

You may only collect, retain, and use personal information from children to the extent reasonably necessary for the specific service the child is using. Three practical implications:

– Analytics collection that goes beyond what’s needed to operate the game is now directly at risk
– Personalization and recommendation features need to justify their data requirements
– Retention periods need to be defined and enforced, not just stated in a privacy policy

3. Third-party integrations are your focus, including your moderation platform

If you use third-party SDKs, ad networks, analytics platforms, or other services that process data from users under 13, you are responsible for their compliance. The amended rule makes clear that operators can’t outsource liability by pointing to a third party’s own privacy policy.

This is the area where most game studios have the most exposure and it extends further than most compliance checklists capture. Ad networks are the obvious target. But your moderation platform is in scope too. If your AI-powered moderation platform processes user-generated content (chat messages, voice communications, images) from accounts that include under-13 users, that processing needs to fit within your COPPA compliance framework.

The questions to ask any moderation vendor (including us):

  • “What data does the platform collect and process?”
    • GGWP’s Community Copilot receives usernames and user IDs, chat logs and in-game communications, gameplay activity, reports, player relationships, session data, and flagged incidents. It processes only what’s passed through the API by the game developer, no independent data collection.
  • “How long is that data retained?”
    • GGWP’s default retention period is 6 months, configurable by the game developer. Voice moderation data is handled separately: safe audio is retained for 3 days; audio from flagged incidents is retained for 3 months. Extended retention is available for specific users where a safety investigation is ongoing or law enforcement has requested it.
  • “Does the vendor sell or share data with third parties?”
    • GGWP does not sell or rent player data, and uses no third-party tools for data processing.
  • “What’s the vendor’s role under applicable privacy law, and how does that interact with your COPPA obligations?”
    • This is the most important question to get right. GGWP operates as a Data Processor, the game developer is the Data Controller and retains responsibility for COPPA compliance determinations, including obtaining the parental consent that authorizes data collection in the first place. If GGWP becomes aware that data from a child under 13 has been provided without the necessary consents, GGWP’s policy is to delete that data and notify the relevant customer. But the legal determination of whether your platform has met COPPA’s consent requirements is yours to make, not ours.
  • “Is the vendor independently audited?”
    • GGWP is SOC 2 certified. Full security details, including encryption standards and access controls, are in the GGWP Security Policy.
  • “Can players request deletion?”
    • Yes: deletion requests are directed to the game developer as Data Controller, who coordinates with GGWP. Data is securely deleted or anonymized once contractual obligations conclude.
      The Data Processor / Data Controller distinction matters here: understanding it helps you place COPPA liability correctly. Your moderation vendor isn’t the one responsible for verifiable parental consent – you are. But your vendor’s data practices need to fit within the compliance framework you’ve built, and you need documentation to show that they do.

Audit every integration in your stack that touches users under 13 – not just the ad networks.

4. The “actual knowledge” standard has been clarified

COPPA applies when an operator has “actual knowledge” that a user is under 13. The amended rule clarifies that this extends to situations where a company has reason to know, not just cases where a child explicitly self-identifies. If your general audience game has substantial under-13 usership, or if your content, marketing, or distribution channels attract children, the “we don’t ask for age” defense is weaker than it used to be.

5. Parental rights around targeted advertising

The amended rule significantly restricts behavioral advertising to children. Parents can now consent to a service’s core data practices while separately refusing targeted advertising. This requires platforms to offer disaggregated consent, not a single blanket consent that covers everything.

What This Means for Game Companies Specifically

General-audience games have always been in a gray zone under COPPA. Unlike children’s apps designed explicitly for under-13 users, most games don’t go through children’s app stores or carry age restrictions that filter out minors. The amended rule doesn’t resolve this gray zone, but it makes operating in it riskier. Studios in that gray zone face real exposure: FTC enforcement actions have reached into the tens of millions of dollars, and the reputational cost of a public kids privacy violation is harder to quantify but just as real.

Scenario 1: Free-to-play mobile game, general audience

You don’t collect age on sign-up. Your analytics pipeline is a standard industry stack: attribution, behavioral analytics, a couple of ad network SDKs.

Risk: If your user base includes a material number of under-13 users (which most F2P mobile games do), your current setup likely doesn’t satisfy the amended rule. Data minimization requirements apply to those users, and your ad network integrations may be processing children’s data without verifiable parental consent.

Action: Segment your user data by age group. Implement age-gating with a path to parental consent. Audit your third-party SDK stack for compliance. Consider a separate data processing configuration for users who complete the under-13 flow.

Scenario 2: Online multiplayer game with user accounts

You collect age at sign-up, gate under-13 users behind a parental consent flow, and use a third-party consent management platform.

Risk: The quality of your parental consent mechanism needs review. Does it meet the amended rule’s verification standards? Is your consent management platform itself compliant? Are you restricting data collection for verified child accounts, or running them through the same analytics pipeline as everyone else?

Action: Review your consent mechanism against the amended rule’s new standards. Ensure your data collection for child accounts is minimized to what’s necessary for the game service itself.

Scenario 3: Game with significant under-18 audience and in-game economy

Your game allows avatar customization, peer interaction, and has a virtual currency economy. Age verification is in place for purchases.

Risk: Peer interaction and UGC features generate behavioral data that may not be covered under your current consent framework. The virtual economy creates additional data collection points that need to be mapped and justified.

Action: Map every data collection point in your game experience against COPPA requirements, including behavioral data generated through gameplay and social features.

Where to Start: A Practical COPPA Audit Framework

Step 1: Map your data flows
Document every category of personal information you collect, from whom, through what mechanism, and where it goes, including third-party integrations. You can’t minimize or protect data you haven’t mapped.

Step 2: Identify your under-13 user population
Do you know what percentage of your active users are under 13? If you don’t collect age, what signals do you have? A game with 2% under-13 users has a different implementation challenge than one with 30%.

Step 3: Evaluate your consent mechanisms
When was your parental consent flow last reviewed against the regulatory standard? Does it meet the amended rule’s verification requirements, or does it sit at account creation and get ignored downstream?

Step 4: Audit your third-party stack
List every SDK, analytics tool, ad network, integration, and moderation platform that processes user data. For each that might touch under-13 users: What data do they collect and retain? What are their retention periods? Are they SOC 2 certified or independently audited? Will they sign a data processing agreement?

Note the Data Processor / Data Controller distinction: most reputable vendors (including moderation platforms) operate as Data Processors, meaning COPPA compliance responsibility stays with you as Data Controller. That doesn’t reduce your due diligence obligation; it clarifies where the legal accountability sits. You still need documentation of their data practices to demonstrate your own compliance.

Step 5: Review your privacy notice
The amended rule includes updated disclosure requirements. Review your privacy notice against the current requirements and make sure it’s readable by a non-lawyer parent, not just legally defensible.

Step 6: Establish a retention and deletion process
Define retention periods and build a mechanism to delete children’s data on request or when it’s no longer necessary. If this is a manual process, it won’t scale.

The Bigger Picture: This Is Not the Last Rule

The FTC’s amended COPPA Rule is one data point in a much larger regulatory trend. K-ID tracked 43 regulatory changes related to kids safety online in a single month in early 2026. COPPA 2.0 legislation in Congress would extend protections to teens up to 16. The EU’s DSA imposes similar and in some cases stricter obligations. Indonesia, Brazil, India, and other jurisdictions are enacting their own requirements.

Studios that treat each of these as a separate compliance checkbox will be in perpetual catch-up mode. Studios that invest in privacy-respecting data architecture (age-appropriate design, genuine data minimization, meaningful consent mechanisms) are building infrastructure that flexes to regulatory change rather than scrambling for each new deadline.

COPPA compliance isn’t a destination. It’s a design posture. And the platforms and vendors you build with need to hold the same posture. If you’re working through a COPPA audit and have questions about how your moderation infrastructure fits in, reach out to our team.

COPPA FAQs

Does COPPA apply to general audience games?
Yes, if the platform has actual knowledge or reason to know that children under 13 are using it. General audience games with significant under-13 usership are not exempt simply because they don’t market specifically to children.

What counts as verifiable parental consent under the amended rule?
The FTC hasn’t prescribed a single method, but has tightened standards around low-friction approaches. Methods that meaningfully verify the consenting adult is a parent or guardian, not just any adult, are preferred. Consult your legal team on the specific mechanism appropriate for your platform.

Are third-party SDKs my responsibility?
Yes. If a third-party service processes personal information from your under-13 users, you are responsible for ensuring their compliance. Your vendor’s privacy policy does not transfer your liability.

Does my moderation vendor share my COPPA liability?
No: but that’s not the same as saying they’re irrelevant. A moderation platform typically operates as a Data Processor: they process data on your behalf, per your instructions, and you remain the Data Controller responsible for COPPA compliance determinations. What that means practically is that you need to verify their data practices fit within your compliance framework – what they collect, how long they retain it, whether they can delete on request and you need documentation to show that. Your vendor’s SOC 2 certification and privacy policy are part of your compliance evidence trail, not a substitute for your own assessment.

What’s the difference between COPPA and COPPA 2.0?
The current amended COPPA Rule is an FTC regulatory update. COPPA 2.0 is pending federal legislation that would extend protections to teens up to age 16 and add new requirements. The April 22, 2026 deadline applies to the FTC’s amended rule, not COPPA 2.0.

What are the penalties for non-compliance?
The FTC can seek civil penalties per violation per day. Recent enforcement actions have resulted in settlements in the tens of millions of dollars. Individual violations can compound quickly at scale.

Resources

FTC Amended COPPA Rule — full text and compliance guidance
FTC’s COPPA FAQ for businesses
K-ID Regulatory Trackers — monthly blog updates on kids safety legislation globally
FOSI guidance on family-oriented platform design
GGWP Privacy Policy — data collection, retention periods, deletion rights, and Data Processor obligations
GGWP Security Policy— SOC 2 certification, encryption standards, and access controls

No Comments