Kids and Teens Privacy: 2025 Look Back and 2026 Predictions - Part I: The Federal Landscape

As we look back at key privacy developments during 2025, one thing is clear: it was all about kids and teens. That trend seems likely to continue in 2026. The problem is, while there are very real concerns about the impact of online content and social media engagements on young people, legislative solutions – well-intentioned as they may be – continue to run afoul of the First Amendment, and judicial challenges are mounting. With the updated Children’s Online Privacy Protection Act (COPPA) Rule compliance date coming up, businesses are working on revising compliance initiatives. Yet rulings narrowing the scope of COPPA preemption over the past few years have contributed to a growing patchwork of state laws that greatly complicates the ability of businesses – especially small businesses – to operationalize privacy and security initiatives.

In Part 1 of a two-part series, we review federal legal developments in the kids and teens privacy space over the past year and make predictions for 2026. Spoiler alert: Much of the action is occurring in the states and the courts.

Key Takeaways

• The Trump Administration Promotes AI. Many of today’s issues involve the use of artificial intelligence (AI), and in a recent Executive Order (EO), the Trump administration seeks to preempt state laws, but expressly excludes those related to child safety protections.
• Congress continues discussions. While there is bipartisan support for creating online protections for children and teens, federal lawmakers are still at a stalemate over a comprehensive national data privacy law, even one aimed specifically at children, such as an update to COPPA (COPPA 2.0) or the Kids Online Safety Act (KOSA). Key issues are preemption and private rights of action.
• States fill the void. As we will cover in Part 2 of this series, states continue to enact their own privacy laws aimed at protecting children and teens, many of which focus on social media. The pent-up desire of states to regulate seems likely to continue even if federal legislation protecting kids and teens is enacted. If federal legislation is enacted, the strongest of preemption clauses will be needed to minimize inconsistency.
• Courts often agree that state laws violate the U.S. Constitution. As we will also cover in Part 2, the tech advocacy group NetChoice has been leading the way in legal challenges to restrictive state laws on federal constitutional grounds. Nevertheless, states continue to introduce or enact laws with similar or identical clauses.
• Businesses face growing compliance costs. Businesses that create content for children or teens – and many that do not – will need to update operational processes to meet the new requirements of the COPPA Rule, and an ever-growing number of privacy and state AI laws relating to children and teens. The compliance costs may already be having an impact.
   

The Administration

On December 11, 2025, President Trump issued an EO, “Ensuring a National Policy Framework for Artificial Intelligence,” that instructs “existing Federal regulatory frameworks to remove barriers to and encourage adoption of AI applications across sectors.” The EO directs Administration officials to draft legislative recommendations for “a uniform federal AI framework that would preempt conflicting state laws, while expressly preserving state authority over child-safety protections.”

The EO requires the Attorney General to assemble a litigation task force to bring lawsuits against states whose AI laws are inconsistent with the EO on constitutional, federal preemption, or other grounds. It also directs the Secretary of Commerce to identify such laws and make broadband funding conditional on states’ cooperation with any national AI policy. The EO, curiously, also directs the Federal Trade Commission (FTC) to initiate a proceeding to determine whether to adopt a federal reporting and disclosure standard for AI models that preempts conflicting state laws, and to issue a policy statement explaining how the state laws that require alteration to the “truthful output of AI models” are preempted by the FTC’s authority to bar deceptive acts and practices in interstate commerce.

The EO does not preempt “otherwise lawful State AI laws relating to child safety protections,” and, despite the reference to the FTC, the FTC Act itself does not preempt state law related to child safety, advertising, or AI. Only Congress can adopt laws that include a preemption clause. Whether the EO will ultimately result in the FTC taking a more muscular interpretation of the scope of federal preemption under COPPA remains to be seen. In the meantime, the White House is reportedly working on a draft preemptive AI bill that will include protections for children.

Federal Legislative Activity

COPPA, enacted in 1998, remains the primary federal law protecting children’s online privacy. COPPA is designed to protect the privacy of children under 13. It imposes a variety of obligations on online services directed to kids or those with actual knowledge that they are collecting personal information from kids, and bars inconsistent state laws. Updated implementing regulations took effect on June 23, 2025, but the compliance deadline for regulated entities is April 22, 2026, as we discuss below.

Over the years, a variety of Congressional proposals have introduced legislation to amend COPPA. Some of the bills have, among other things, proposed changing the age of a “child” to at least age 16 and eliminating COPPA’s actual knowledge standard in favor of a constructive knowledge standard. Some bills have proposed weakening COPPA’s current preemption clause, while others propose stronger preemptive language. On December 2, 2025, a hearing before the House Energy and Commerce Committee focused on a flurry of data privacy bills introduced earlier in the year with the purported goal of protecting children and teens online. Chief among the bills introduced were revised versions of KOSA and COPPA 2.0. The continued lack of success of these two bills, which have now been introduced in multiple iterations over the last several years, illustrates how the entrenched priorities of Democrats and Republicans make passage of any new federal law on children’s privacy rights difficult. For example, the Republican-led House version of KOSA was amended to contain a strong preemption clause that would override conflicting state legislation, an area of concern for Congressional Republicans, but it received pushback from Democrats. The House version of COPPA 2.0 also added a robust preemption clause but had no Democratic sponsor. None of the nineteen bills examined during the hearing made it through the last session, which ended January 3, 2026.

Federal Rulemakings, Workshops, and Enforcement

Protecting kids and teens is also a federal agency priority. FTC actions in 2025 addressing privacy and marketing practices affecting children and teens included publishing the final updated COPPA Rule, enforcement actions and investigations, and workshops. Meanwhile, at the end of last year, the National Telecommunications and Information Administration (NTIA) explored the topic of excessive screen time. Clearly the impact of media, in particular social media and screen-related activities, remains a high concern for the current Administration, just as it was for past administrations.

Updated COPPA Rule

On January 16, 2025, the FTC announced finalization of the long-awaited update to the COPPA Rule. The updated Rule was subject to President Trump’s EO requiring a review of new rules, so the final COPPA Rule was subsequently published in the Federal Register on April 22, 2025, and took effect on June 23, 2025, with a compliance deadline of April 22, 2026. At a high level, key changes to the COPPA Rule include, among others:

• a requirement that operators directly notify parents of the identities or categories of each third party to whom the operator discloses children’s personal information and obtain parental consent;
• more expansive data security requirements for covered businesses;
• creation of written data retention policies; and
• new retention disclosure obligations for website privacy notices.
   

The final COPPA Rule also includes new definitions, including “mixed audience” and “personal information” (which now includes biometric and government identifiers, each separately defined). In addition, COPPA Safe Harbor programs must now publicly disclose their membership lists and provide additional accountability reports to the FTC. More details are available in our article on the COPPA Rule changes and article on the FTC’s response.

Investigations and Enforcement

During 2025, the FTC entered into some notable settlements related to alleged COPPA violations and also launched an investigation into AI chatbots.

U.S. v. Cognosphere, LLC

In January 2025, Cognosphere, maker of the video game Genshin Impact, agreed to a $20 million settlement with the FTC over charges that the company violated COPPA by collecting children’s personal information without parental consent. The FTC also alleged that the company misled users about both the cost of in-game purchases and the odds and complexity involved in winning certain prizes. Under the settlement agreement, Cognosphere must prohibit children under sixteen from making in-game purchases without parental consent. This type of “fencing in” relief goes beyond the COPPA framework but represents options the FTC can and does explore in enforcement situations.

U.S. v. Iconic Hearts Holdings, Inc.

Messaging apps – especially those marketed to children and teens – have caught the attention of the FTC on both privacy and advertising grounds. In September 2025, the FTC brought a complaint against Sendit, a social media messaging app designed for children and teens. Users can download Sendit for free from online app stores, and its revenue stream comes from in-app purchases and subscriptions, which would reveal the senders of anonymous messages. According to the complaint filed by the DOJ on referral from the FTC, the makers of Sendit used deceptive practices to manipulate kids and teens into buying subscriptions, in violation of the COPPA Rule and Section 5 of the FTC Act. The complaint also alleged that Sendit failed to provide accurate information about subscription fees and automatic renewal terms, as required by the Restore Online Shoppers’ Confidence Act (ROSCA). The case is ongoing. Previously, in 2024, the FTC and Los Angeles District Attorney jointly settled with another anonymous messaging app company, NGL Labs (NGL), over alleged COPPA violations. That investigation resulted in NGL paying a $5 million fine and being permanently banned from offering anonymous messaging apps to users under 18.

U.S. v. Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC

On New Year’s Eve, 2025, the FTC announced that Disney agreed to pay $10 million to settle FTC allegations that the company allowed personal data to be collected from children who viewed kid-directed videos designated “Made for Kids” (MFK) on YouTube without notifying parents or obtaining their consent, as required by the COPPA Rule. In addition to the $10 million penalty, the final settlement order requires Disney to create and implement a program to assess whether videos posted to YouTube should be designated as MFK unless YouTube either prohibits MFK designations from content creators or implements technologies that can determine the age, age range, or age category of all YouTube users.

Inquiry into AI Chatbots Acting as Companions

On September 11, 2025, the FTC issued orders under Section 6(b) of the FTC Act to seven companies that provide consumer-facing AI-powered chatbots. The orders seek information on how the companies measure, test, and monitor potentially negative impacts of this technology on children and teens. AI chatbots may use generative AI technology to simulate human-like communication and interpersonal relationships with users. They can effectively mimic human characteristics, emotions, and intentions, and generally are designed to communicate like a friend or confidant, which may prompt some users, especially children and teens, to trust and form relationships with chatbots. The FTC inquiry seeks to understand what steps, if any, companies have taken to evaluate the safety of their chatbots when acting as companions, to limit the products’ use by, and potential negative effects on, children and teens, and to apprise users and parents of the risks associated with the products.

Workshops and Listening Sessions

The Attention Economy: How Big Tech Firms Exploit Children and Hurt Families

One of the first privacy-related public events the FTC held in the new Administration was a June 2025 workshop titled, “The Attention Economy: How Big Tech Firms Exploit Children and Hurt Families.” The workshop brought together parents, child safety advocates, and government representatives to address a topic framed as “how Big Tech companies impose addictive design features, erode parental authority, and fail to protect children from exposure to harmful content.” Panelists also discussed including age verification and parental consent requirements.

Kids’ Excessive Screen Time
NTIA, a division of the U.S. Department of Commerce (DOC), held a listening session on December 10, 2025, titled “Kids’ Excessive Screen Time.” The session’s purpose was to elicit stakeholder feedback to “examine how federal law, broadband funding, and other federal programs may influence school-based device and digital platform use.” In a speech on December 2, 2025, NTIA Director Arielle Roth stated: “NTIA has no authority to set education policy. But NTIA does have a role in reviewing whether federal spending on broadband and connected technology in the name of education has fulfilled its mission. Federal dollars should be tied to outcomes that support children, guided by parents and teachers.” It is unclear whether NTIA will impose funding restriction recommendations on schools whose policies it feels allow children excessive screen time.

Age Verification Workshop
The federal focus on kids and teens has continued in 2026. On January 28, 2026, the FTC held its first privacy-related workshop for 2026, focused on the topic of age verification. The purpose of the workshop was to “bring together a diverse group of stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss topics including: why age verification matters, age verification and estimation tools, navigating the regulatory contours of age verification, how to deploy age verification more widely, and interplay between age verification technologies and the Children’s Online Privacy Protection Act (COPPA Rule).” The last point is critical, as the FTC has taken the position that age verification is prohibited where an online service is primarily directed to children under 13.

Our Federal Predictions for 2026

The most urgent priority for businesses that target kids under 13 (or have actual knowledge that they collect personal information from kids) is to complete the process of updating processes, notices, and commercial relationships to comply with the new COPPA Rule. Businesses whose online services fall in the “likely to be accessed” by minors category face an even larger challenge. As we will discuss in Part 2, state laws have the potential to even more dramatically affect a large number of businesses. While many of these laws are stayed pending legal challenges, creating a more urgent need for strong legislation that preempts state law, state legislation is likely to continue.

At the federal level, it is hard to see how political divides over how to define a “child,” the scope of preemption, and a private right of action, much less the contours of constitutional authority, will be resolved, especially with other pressing federal legislative priorities and continued threats of a budget impasse that could again lead to a federal shutdown.

At any rate, it is going to be a busy year, including more action in the states, which we will cover in Part 2 of this review.