COPPA Compliance Guide for Health Tech Operators
The FTC's revised Children's Online Privacy Protection Act rules impose new obligations on digital health companies serving children and families. Compliance deadlines arrived April 22, 2026. This guide explains what changed and what you need to do.
What Changed in the Amended Rule
The FTC finalized significant amendments to the COPPA Rule in January 2024 — the most substantial update to the rule since it was first enacted in 1998. The amendments modernize the framework for the current digital health environment, closing loopholes that had allowed certain data practices to evade COPPA's protections.
The core change is a dramatic tightening of what constitutes "verifiable parental consent" and a substantial expansion of data categories requiring that consent. Where the original rule focused primarily on data collected directly from a child, the amended rule reaches further into how that data is used, shared, and retained — including by third-party technology providers that power health apps and platforms.
The major additions most relevant to health tech operators:
- Biometric and health data are now explicitly covered. Fingerprints, facial geometry, voice prints, and health-related data are classified as sensitive data requiring separate, affirmative parental consent before collection.
- Targeted advertising using children's data is prohibited without consent. Operators may no longer condition a child's access to a service on consent to targeted advertising.
- Third-party data sharing restrictions tightened. Support services (including analytics, cloud hosting, and measurement providers) must agree to use children's data solely for the purpose of supporting the operator — not for any other commercial purpose.
- Data minimization is now explicit. Operators may collect personal information from children only to the extent "reasonably necessary" for the activity or service the child participates in.
- Retention limits strengthened. Children's personal information must be deleted once it is no longer needed for the purpose for which it was collected, with no indefinite retention.
- Notification to parents of material changes. Operators must now provide notice to parents before making material changes to privacy practices affecting previously collected data.
Scope: Who Is Covered
COPPA applies to operators of websites and online services that are "directed to children" (under 13) or that have "actual knowledge" they are collecting personal information from children under 13. The amended rule did not change this core coverage, but it clarified and expanded what "actual knowledge" means in practice.
You are almost certainly covered if your product or service:
- Is marketed to or primarily used by families with children under 13
- Tracks children's health metrics (weight, growth, vitals, behavior, mental health)
- Collects information about children as part of a family or parental account
- Operates a school health or pediatric telehealth platform
- Offers a pediatric care navigation or chronic condition management tool
- Includes a parenting, infant monitoring, or newborn tracking feature
The "mixed-audience" platform question — services used by both adults and children — remains one of the most consequential scope questions for health tech. The FTC's amended guidance clarifies that when a service knows a user is a child, it must apply COPPA protections to that user's data even if the platform is not primarily child-directed. This is particularly relevant for family health apps where parents enroll children and actively input or monitor their health data.
The "safe harbor" for general audience services has narrowed. If your platform receives information indicating a user is under 13 — through signup flows, profile data, or usage patterns — the actual knowledge standard may apply even if your terms of service prohibit users under 13.
Key New Requirements
1. Verifiable Parental Consent — Updated Methods
The amended rule adds new acceptable methods for obtaining verifiable parental consent, including knowledge-based authentication (KBA) questions and electronic identity verification. It also tightens the standard for what counts as "verified": a bare attestation from a user claiming to be a parent does not qualify.
For health tech operators: if your platform stores health data about a child (including growth charts, vaccination records, behavioral health session notes, or wearable device readings), you need a documented consent flow that satisfies the amended standard — not just a checkbox in a terms of service.
2. Separate Consent for Sensitive Data
Biometric identifiers, precise geolocation, and health and medical data now require a separate, dedicated consent distinct from general COPPA consent. You cannot bundle consent to collect a child's vital signs or behavioral health data into a general privacy agreement. The FTC expects specific disclosure of what health data is being collected, why, and how it will be used.
3. Third-Party Data Sharing — Support Services Rule
One of the most operationally significant changes for technology companies: any third party that receives children's personal information in the course of supporting your service — analytics providers, cloud infrastructure, crash reporting tools, AI model vendors — must contractually agree to:
- Use the data only to provide the support service
- Not retain, use, or disclose the data for any other commercial purpose
- Delete the data once the support purpose is completed
This requires auditing your vendor stack. If you use a third-party AI API that ingests session transcripts or health records containing data about children, that vendor relationship now requires explicit COPPA-compliant data use agreements.
4. Prohibition on Conditioning Access on Targeted Advertising Consent
Operators may not require children (or their parents on their behalf) to consent to targeted advertising as a condition of accessing a service. If your revenue model includes behavioral advertising to family or pediatric audiences, this provision requires restructuring.
Health Tech-Specific Considerations
COPPA + HIPAA: Not the Same Shield
A common misconception among health tech founders: HIPAA compliance does not make you COPPA-compliant, and HIPAA does not preempt COPPA. The two frameworks have different scopes, different consent standards, and different enforcement mechanisms.
HIPAA applies to covered entities and their business associates handling protected health information. COPPA applies to online operators collecting personal information from children under 13. If you are a HIPAA covered entity running a pediatric app, you must comply with both — and you cannot use your HIPAA Notice of Privacy Practices as your COPPA consent mechanism.
School-Based and Clinical Settings
The "school exception" under COPPA allows schools to provide consent on behalf of parents in educational contexts. However, this exception is narrowly construed — it applies to data collected for an educational purpose, not for commercial health services operating within schools. School telehealth platforms and behavioral health programs embedded in K-12 settings should not assume the school exception covers all data collection.
Clinical settings (pediatric practices, children's hospitals) may have HIPAA authorization that addresses some of the same data — but COPPA's specific online service requirements apply to the app or platform layer, not just the underlying clinical record.
AI and Machine Learning Models
If you train or fine-tune AI models using data derived from children's health interactions — behavioral health session transcripts, growth data, wearable device readings, engagement patterns — the amended COPPA rule's data minimization, retention, and third-party sharing requirements apply to the training data pipeline as well as to the end product. This is an area where FTC enforcement interest has been explicitly signaled.
Operator Compliance Checklist
Use this checklist to identify gaps. This is not legal advice — consult counsel before finalizing your compliance approach.
Enforcement and Penalties
The FTC has made COPPA enforcement a priority. Civil penalties for COPPA violations can reach $51,744 per violation per day — and the FTC has increasingly treated each child affected as a separate violation, which can produce eight-figure liability in enforcement actions against consumer-facing platforms.
The FTC has demonstrated willingness to bring COPPA cases against health and wellness companies. The amended rule's explicit inclusion of health data as a sensitive category, combined with the growth of pediatric digital health products, suggests health tech will be an active area of enforcement focus.
Beyond FTC enforcement, state attorneys general have independent COPPA enforcement authority in some states, and several states have enacted their own children's data protection laws (including California's Age-Appropriate Design Code, which imposes additional requirements beyond federal COPPA) that compound compliance obligations.
Disclaimer: This guide is provided for informational purposes only and does not constitute legal advice. COPPA compliance requirements depend on your specific products, data practices, and business model. Consult qualified legal counsel before making compliance decisions. PHD has no commercial relationship with any legal, compliance, or technology vendor referenced in this guide.