Is your institution ready for COPPA’s 2026 changes to better protect children’s online privacy?
- COPPA protections apply broadly, even to general audience websites. Financial institutions don’t need to specifically target children to fall under COPPA requirements.
- Any website operator that knowingly collects information from children under 13, or operates a mixed audience site with child-friendly areas, must comply with the regulations or block data collection from children.
- Compliance requires five core obligations. Covered operators must provide clear notices about data practices, obtain verifiable parental consent before collecting children’s information, give parents the ability to review and refuse use of that data, avoid conditioning participation on unnecessary information disclosure and maintain reasonable compliance procedures.
- Significant regulatory changes must be complied with by April 22, 2026. The updated rules include a formal definition of “mixed audience” websites, mandate separate opt-in consent for targeted advertising and third-party disclosures, and establish data retention limits requiring information to be kept only as long as reasonably necessary.
The Children’s Online Privacy Protection Act (COPPA) addresses the collection, use, and disclosure of personal information from children online. The Federal Trade Commission’s (FTC) implementing regulation imposes requirements on operators of websites and online services that are directed to children.
With significant changes coming up in 2026, website operators should refresh their understanding of COPPA and prepare to be fully compliant.
Focal points of regulatory requirements
The FTC’s regulation supports the act’s prohibition of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children under the age of 13 on the internet.
Financial institutions that operate websites and online services should be diligent in understanding the focal points of the rule and, as required, establish processes to help ensure compliance.
- What is collection? As the rule focuses on collecting personal information from a child, it is essential to understand what that entails. Collection includes requesting, prompting, or encouraging a child to submit any personal information online. It also refers to enabling a child to make personal information publicly available in a recognizable form and includes the passive tracking of a child online.
- What is personal information? Personal information refers to individually identifiable information collected online and includes items such as: a first and last name, a home or physical address, online contact information, a screen or user name, a telephone number, a government-issued identifier, a persistent identifier that can be used to recognize a user such as an Internet Protocol (IP) address, a photograph or audio file, geolocation information, a biometric identifier and other information concerning the child or parents that is collected and combined with an identifier.
- What should an operator of a website or online service be aware of in connection with this rule? At a high level, an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting information from a child, must adhere to five specific requirements:
  - Provide a notice on the website or online service about what information is collected, how it is used and its disclosure practices.
  - Obtain parental consent prior to any collection, use or disclosure of such information.
  - Provide parents with a reasonable means for a review of such information that allows the parent to refuse its use.
  - Refrain from setting any condition on a child’s participation in a game or activity that is based on disclosing more personal information than is reasonably necessary.
  - Maintain reasonable procedures for compliance.
- What are the notice requirements? Covered institution operators should be aware that the rule addresses two different notices. First, a direct notice is required to be provided to the parent for obtaining consent related to the collection, use or disclosure of personal information from children. Second, a clear notice on the website or online service is to be posted, linking to details about the information practices. Both notices must meet certain content requirements.
- What should a covered institution operator be aware of regarding parental consent? When an operator obtains parental consent prior to collection, use or disclosure of a child’s personal information, that consent must be verifiable. While the regulation provides various methods of obtaining verifiable consent, some examples include obtaining a parent’s signature on a consent form and having a parent call a toll-free number that is staffed by trained personnel.
- Does the FTC provide any safe harbor? Yes. The FTC permits industry groups to apply for approval of a self-regulatory program. As reflected in the FTC’s regulation, programs must meet certain performance standards, and specific information must be submitted in connection with a request for approval.
You might be asking, how does this impact my institution when our website and online services are not directed towards children?
Great question. While most institutions may conclude that their online services are not directed towards children, that doesn’t mean they can consider this topic as not applicable. An operator of a general or mixed audience website or online service can still be subject to these provisions if they knowingly collect information from children.
So, if you have a website or online service that is generally accessible but has child-friendly areas, it will be important to assess your information practices and determine whether you only collect personal information from visitors, other than for the limited purposes designated in the regulation, prior to collecting age information.
Related to this, one example of a risk management technique is to consider implementing an “age gate,” which some institutions may use as an age verification mechanism to assist with online COPPA compliance and information sharing. While it is not considered a fail-safe feature, it is one step that could be taken to support the protection of children in an online environment.
Bottom line — an institution that operates a general or mixed audience website or online service with child-friendly areas should review its environment and take steps to comply with COPPA or block data collection where prohibited by COPPA.
COPPA examinations
As COPPA grants each of the federal financial regulatory agencies enforcement authority over the institutions they supervise, institutions should be aware of their agency’s resources and examination materials, which can be very helpful in supporting your implementation for compliance.
In an examination, you can expect your examiner to determine whether you operate a website or online service directed at children that collects information, or operate a general audience website and knowingly collect information from a child online.
If you are subject to COPPA, an examiner will consider whether you participate in an FTC-approved regulatory program. If you do not, the examiner will proceed with further examination steps to assess the quality of your risk management program. These additional steps can include assessing staff knowledge, adopting policies and procedures, providing training, monitoring, conducting audits and handling complaints.
Upcoming changes
The FTC published a final rule in 2025 to implement amendments to its COPPA regulation. The revisions are based on a review of public comments and enforcement experience. It is essential to note that amendments have been made to certain definitions and that specific provisions have been updated to reflect changes in technology.
Except for certain changes that were made to the FTC’s safe harbor provisions, covered institutions have until April 22, 2026, to comply with the 2025 rule. Important adjustments include:
- A new definition of “mixed audience website or online service” was added to the regulation to add clarity to identifying such environments. This refers to a website or online service that does not target children as its primary audience and only collects personal information for certain limited purposes.
- The FTC also established required opt-in consent for targeted advertising and other disclosures to third parties. That means that covered institution operators will be required to obtain separate verifiable parental consent to disclose a child’s information to third parties related to targeted advertising.
- Data retention provisions were also implemented to establish that a child’s personal information may only be retained “for as long as is reasonably necessary to fulfill the specific purpose(s) for which the information was collected.” Operators may not retain that information indefinitely.
- Operators that participate in the FTC’s COPPA safe harbor program should be aware that they will be required to publicly disclose their membership lists and to report additional information to the FTC.
Keep up with the changing COPPA landscape
Institution operators should remain cognizant of this important act and protections for children’s data. While an institution may determine that it is not covered by the act, reassessing coverage may be necessary over time to keep pace with changes in its online environment.
When changes require your compliance with COPPA, procedures should be developed to help ensure compliance with the various requirements and avoid any unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from or about children.
How Wipfli can help
Reduce COPPA risk today and build procedures that prevent unfair or deceptive practices in collecting, using and disclosing children’s information. Reach out to a Wipfli compliance specialist and get practical guidance on notices, separate parental consent for targeted ads and safe‑harbor implications. Learn how our experienced team is well-equipped to help you maintain compliance.