This bill revises the Children’s Online Privacy Protection Act (COPPA) to broaden who and what is protected online and to tighten operator obligations. It extends privacy rights and deletion/access controls to teens (distinct from parents’ consent), enlarges the definition of personal information (including persistent identifiers and biometrics), and expands the scope of who counts as an ‘‘operator.’' The bill also prohibits individualized, profile‑based advertising directed at children and teens and adds rules about storage and transfers of minor users’ data.
Beyond prohibitions, the bill creates affirmative duties: operators must give clear notice, obtain verifiable consent where required, implement reasonable security measures, and honor deletion and correction requests from parents and teens. It directs the Federal Trade Commission to produce feasibility analyses and reports and requires rulemaking to implement many of the new requirements.
Together these changes impose operational, legal, and product-design consequences for platforms, app developers, advertisers, ed‑tech vendors, and data processors serving minor users.
At a Glance
What It Does
The bill requires operators to obtain verifiable consent from a parent (for children) or from teens themselves for material uses of minors’ personal information, bans individual‑specific advertising to children and teens, and limits collection, retention, cross‑site tracking, and transfers absent a permitted purpose or consent. It expands the statutory definitions of operator and personal information, and adds new mechanisms for access, deletion, and accuracy challenges.
Who It Affects
Large social platforms and app publishers, mobile and web developers, advertisers and ad tech that profile minors, ed‑tech providers that contract with schools, data processors and service providers, and any operator that knowingly serves child or teen users online.
Why It Matters
By bringing teens into COPPA-style protections and by targeting profiling and individualized advertising, the bill shifts compliance from checkbox privacy notices toward product-level design and data minimization. High‑revenue social platforms face heightened standards, while smaller operators will need to adopt consent, deletion, and verification workflows.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill widens COPPA’s reach in two ways: who is covered and what counts as personal information. It expands the ‘‘operator’’ concept to capture anyone commercially operating a website, online service, online application, or mobile application that collects or enables collection of personal information, and it excludes only qualified 501(c)(3) nonprofits from that label.
The personal‑information definition adds persistent identifiers (cookies, IP addresses, device IDs), images and audio, geolocation down to street and town, and biometric markers such as fingerprints and facial templates. The bill expressly excludes certain internal‑use identifiers from the persistent‑identifier definition, but otherwise raises the set of data elements that trigger COPPA obligations.
Importantly, the statute now includes a ‘‘teen’’ category (an individual over age 12 and under 17) and gives teens direct rights: a teen who has provided personal information can obtain a description of the data collected, delete content or information they submitted, refuse further use or maintenance of their data, challenge inaccuracies, and request any retrievable personal information the operator holds. For children, parents retain the traditional rights.
The bill requires operators to obtain ‘‘verifiable consent’’ — a flexible, technology‑sensitive standard — before collecting or using minor data for material or changed purposes.The bill strictly forbids ‘‘individual‑specific advertising to children or teens’’ — defined as advertising targeted using a child’s or teen’s personal information or profiling them — while carving out contextual ads, responses to explicit child/teen queries (like search), measurement-only processing, and household-device exceptions where ads are served only to adult profiles. Operators can still deliver age‑appropriate non‑personal advertising if they use only the fact of age.There are practical compliance contours.
Operators must limit retention of minors’ personal information to what’s reasonably necessary for the requested transaction or service and must provide notice if they store, transfer, or permit access to that data in a ‘‘covered nation’’ as defined elsewhere in law. Operators acting under written agreements with educational agencies can rely on those agreements (so long as the contracts limit data use to educational purposes and give schools tools to review, prevent further use, or delete student data).
The bill allows operators to terminate a child’s account if parents refuse further use, but it prohibits discontinuing service if the operator can continue offering the service without the child’s data.On administrative and procedural matters the bill tasks the Federal Trade Commission with rulemaking and several studies: a feasibility assessment and possible rule to permit a common verifiable consent mechanism, a three‑year oversight review of high‑impact social media companies’ compliance, and annual enforcement reports. The bill also requires rulemakers to analyze impacts on small entities and directs the FTC to publish submissions and documents subject to its normal confidentiality rules.
The Five Things You Need to Know
The statute creates a new ‘‘high‑impact social media company’’ label: operators that generate $3,000,000,000 or more in annual revenue and report 300,000,000 or more monthly active users for at least three of the preceding 12 months, and whose product is primarily for user‑generated content.
Operators must provide notice before storing, transferring, or allowing access by a ‘‘covered nation’’ to children’s or teens’ personal information.
The FTC must complete a feasibility assessment (and report to Congress within one year) on whether a common verifiable‑consent mechanism can be used across multiple operators, and must promulgate rules if it finds such a mechanism feasible.
Rulemaking under the bill must include a Regulatory Flexibility Act analysis describing impacts on small entities; the bill explicitly requires that analysis be part of any proposed and final rules.
Starting one year after enactment, the FTC must submit annual enforcement reports to Congress listing actions, investigations, open inquiries, and complaints under the Act; a separate FTC oversight report on high‑impact social media compliance is due three years after enactment.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Expands operator and personal information definitions; adds teen and high‑impact tests
This section broadens who counts as an operator to include any person who commercially operates a website, online service, online application, or mobile application that collects or permits collection of personal information — and it specifically excludes only qualifying 501(c)(3) nonprofits. "Personal information" is expanded to list names, contact data, persistent identifiers (cookies, IPs, device IDs), photographs, audio, geolocation to street level, and biometric markers. It also carves out internal‑use identifiers that are used solely for internal operations. The bill introduces a statutory teen category (over 12 and under 17) and defines ‘‘high‑impact social media company’’ with revenue and monthly‑active‑user thresholds that trigger an elevated knowledge standard and later oversight.
Bans individualized targeting of minors; creates teen rights and verifiable consent standard
The heart of the bill is here: operators of services directed to children, or that have knowledge a user is a child or teen, may not collect personal information in violation of forthcoming FTC regulations, may not collect or use minors’ information to provide individual‑specific advertising, and must limit collection to what’s contextually necessary. The bill replaces ‘‘verifiable parental consent’’ with a broader ‘‘verifiable consent’’ requirement and adds a direct set of remedies for teens — access, deletion, refusal of further use, accuracy challenges, and retrieval of data — with authentication by reasonable means. It also permits educational‑contract exceptions where vendors under school agreements can act without individual verifiable consent so long as their contracts restrict non‑educational use and provide school control.
Safe harbor language updated; FTC publication rules clarified with confidentiality limits
The bill expands safe‑harbor language to include teens and requires the FTC to publish required reports or documentation on its website, subject to the FTC’s existing statutory confidentiality provisions (the same limits that apply under the FTC Act). That means the agency must balance transparency with the need to protect sensitive investigative material and law‑enforcement or business confidential details.
Preemption and administrative requirements; small‑entity analysis required
The bill reiterates a broad preemption clause: states and political subdivisions cannot maintain laws that relate to the Act’s provisions. It updates administrative cross‑references to reflect the new structure and adds an explicit requirement that any regulation promulgated under the Act include a Regulatory Flexibility Act analysis of impacts on small entities. That creates a statutory floor for the FTC to analyze compliance burdens on smaller companies during rulemaking.
FTC reporting and oversight obligations
The bill requires the FTC to (1) deliver a one‑time oversight report after three years detailing processes high‑impact social media companies use to comply with the Act and its regulations, and (2) produce annual enforcement reports beginning one year after enactment that enumerate enforcement actions, investigations, open inquiries, and complaint volumes. These reporting deadlines are mandatory and intended to provide Congress ongoing visibility into enforcement and industry compliance.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Teens aged 13–16: gain direct statutory rights to access, delete, challenge, and refuse further use of their online personal information without relying on parental intervention.
- Parents of younger children: retain COPPA-style controls and get expanded clarity on what counts as personal information and what operators must disclose.
- Privacy‑first app developers and niche platforms: benefit from a legal advantage when they minimize data collection (fewer consent burdens and lower compliance risk compared with profiling-based services).
- Educational agencies and schools: receive a clear pathway to contract with vendors under a written agreement that limits vendors to educational uses and requires data‑access and deletion tools.
- Civil‑society groups and researchers focused on child welfare: have stronger statutory tools to push for reduced profiling and individualized marketing to minors.
Who Bears the Cost
- High‑impact social media companies: face heightened scrutiny and a stricter knowledge standard, plus three‑year oversight and potential operational redesigns to avoid individualized advertising to minors.
- Advertisers and ad‑tech firms that rely on profiling and cross‑site identifiers: will need to rework targeting models or rely on contextual approaches, potentially reducing ad revenue tied to minors’ profiles.
- App developers and smaller online services: must implement verifiable‑consent flows, deletion and data‑access workflows, data inventory and retention policies, and notice mechanisms — all of which increase engineering, legal, and operational costs.
- Schools and educational IT teams: while given contractual authority, they may bear implementation and oversight burdens to vet vendors and post required notices or links on public websites.
- FTC and enforcement resources: the agency must run feasibility studies, rulemakings with small‑entity analyses, and recurring reports — producing workload and budgetary implications that could affect enforcement pacing.
Key Issues
The Core Tension
The central dilemma is protecting minors by sharply limiting profiling and targeted marketing while avoiding an overly prescriptive technical regime that stifles legitimate services and burdens smaller operators: stronger protections push platforms toward data minimization and safe defaults, but those same protections require expensive reengineering, leave open difficult definitional gaps (what is ‘‘individual‑specific’’ in practice?), and hinge on FTC rulemaking capacity to translate statutory standards into workable technical rules.
The bill tightens protections but leaves several implementation questions open. The ‘‘verifiable consent’’ standard is intentionally flexible — ‘‘reasonable effort (taking into consideration available technology)’’ — but the statute defers the technical specifics to FTC rulemaking.
That raises near‑term compliance uncertainty: operators must modify products now to anticipate stricter standards but will need to pivot again once the FTC issues regulations. Similarly, the bill prohibits individual‑specific advertising to children and teens but preserves contextual ads and limited household/device exceptions; translating those legal distinctions into ad‑tech practices (what counts as ‘‘profiling’’ or ‘‘individual‑specific’’ in real time) will be technically and legally fraught.
The high‑impact social media designation introduces an enforcement targeting tool, but its thresholds are blunt. Operators close to the revenue or MAU cutoffs may face strategic incentives to change reporting or product design to avoid the label, while genuinely large platforms will need tailored compliance programs.
The storage/transfer notice requirement for ‘‘covered nations’’ raises additional operational questions in a fragmented global data‑transfer landscape — operators will need legal mapping of jurisdictions and new notice mechanisms. Finally, the educational‑agency exception balances classroom utility against the risk of commercial mission creep: contracts will define outcomes, but monitoring vendor behavior will fall on resource‑constrained schools.
Collectively, these factors create uncertainty for both regulators and industry. The bill forces a design‑first approach to product development serving minors, but without immediate regulatory detail, firms will have to make conservative engineering choices or await the FTC’s more granular rules.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.