2026-05-16

What COPPA 2026 actually changes for parents

The FTC’s updated COPPA rule took effect April 22, 2026. The CHATBOT Act, introduced six days later, narrows the AI-with-kids surface further. Here’s what changed, what your kid’s AI tool needs to do now, and what to ask before clicking “agree.”

The regulation becomes a parent control surface. A privacy ledger cover introduces the idea; the readable product proof lives in the interactive modules below.
TL;DR

The FTC’s amended Children’s Online Privacy Protection Rule took effect on April 22, 2026. It tightens what counts as personal information, requires separate parental consent before a kid’s data is used to train AI or shared with third parties, and adds new retention and deletion duties. Six days later, a bipartisan bill called the CHATBOT Act was introduced in the Senate to regulate AI chatbots used by minors. The rule is law; the bill is not yet. This post explains the practical difference for any AI product your kid uses, and gives you a checklist for the next time you click agree.

April 22, 2026
The effective date of the FTC’s amended COPPA Rule, the first overhaul in roughly a decade. Operators of online services directed to kids under 13 had to be compliant on that date. [1]

What just changed (April 22, 2026)

COPPA is the federal law that governs how online services collect personal information from kids under 13. The Federal Trade Commission enforces it through the Children’s Online Privacy Protection Rule, codified at 16 CFR Part 312. The rule had not been meaningfully updated since 2013. In January 2025 the FTC announced a final amendment after a multi-year proceeding; the amended rule was published in the Federal Register and took effect on April 22, 2026. [1]

The FTC’s own summary of the amendments is the cleanest place to start. We are not lawyers and we won’t paraphrase clauses we can’t link, but the four directional shifts are clear from the rule text and the Commission’s public statement. [2]

Broader definition of personal information. The amended rule expands what counts as covered data, including identifiers like biometrics and certain government identifiers that the prior version did not list explicitly. A product that fingerprints a kid’s voice or face for personalization is now squarely inside COPPA’s scope.

Separate consent for new uses. Verifiable parental consent must now be obtained separately for certain secondary uses of a kid’s personal information, including disclosure to third parties for purposes unrelated to the service itself. In plain terms: the same click that lets a product run cannot also be the click that lets the product hand kid data to a third party.

Limits on retention. Operators must establish and publish a written data-retention policy and cannot keep a kid’s personal information longer than reasonably necessary for the purpose collected. Indefinite retention is no longer the default posture.

Strengthened deletion rights and security. The amended rule sharpens parental access, deletion, and review rights, and codifies a written information-security program with specific safeguards. The Commission also expanded its enforcement guidance about what does and does not constitute “verifiable” parental consent.

Specific provisions sit in the public rule text. If you want to read them yourself, the cleanest entry point is the FTC’s press release announcing the amendments, which links the Federal Register notice and the final rule itself. [2]

| Before COPPA 2026 | After COPPA 2026 (effective April 22, 2026) |
| --- | --- |
| Personal information defined narrowly; biometrics treated case by case | Definition expanded to include biometric and additional identifiers |
| One blanket parental consent could cover most product uses | Separate consent required for sharing data with third parties unrelated to the service |
| No explicit limit on how long a kid’s data could be retained | Written retention policy required; data kept no longer than reasonably necessary |
| Security requirements stated in general terms | Written information-security program required with specific safeguards |
| Parental access and deletion rights present but loosely defined | Strengthened parental access, deletion, and review rights |

The CHATBOT Act (introduced April 28, 2026)

Six days after COPPA 2026 took effect, a bipartisan group of senators introduced a new bill aimed specifically at AI chatbot products used by minors. The CHATBOT Act was introduced on April 28, 2026 by Senators Ted Cruz (R-TX) and Brian Schatz (D-HI), along with Senators John Curtis (R-UT) and Adam Schiff (D-CA). [3]

It is a bill, not law. That distinction matters. Bills in Congress die regularly, change shape in committee, and sometimes pass years after introduction. We can describe the bill’s introduced shape; we cannot tell you what will pass.

What the bill targets is narrower than COPPA. COPPA governs any online service directed to kids under 13 and any service with actual knowledge that it’s collecting from a kid under 13. The CHATBOT Act, as introduced, focuses on AI chatbots, age-verification requirements for those chatbots, mandated disclosures that the user is interacting with an AI, and restrictions on certain kinds of AI conversations with minors. The sponsors have framed it as a response to growing reporting about emotional harms from AI companion products marketed to or used by teens. [3]

The practical takeaway for parents reading this in May 2026 is that the political pressure on AI-for-minors products is real and ongoing. Even if the CHATBOT Act doesn’t pass in its current form, the questions it raises (age verification, AI disclosure, conversation safeguards) are likely to land in subsequent bills, state law, or FTC enforcement action.

What this means for AI products kids use

Step back from the legal language and the changes converge on four product behaviors. Any AI tool that wants to serve minors compliantly in 2026 has to do these four things, regardless of whether it’s a chatbot, a homework helper, a creative tool, or a tutoring app.

Verifiable parental consent before data collection. The kid cannot be the consenter. A real adult, verified to a standard the FTC accepts, has to sign the household up. The amended rule preserves the existing list of acceptable verification methods (credit card transaction, signed form, knowledge-based check, video call, and others) and continues to require that consent be obtained before personal information is collected. [2] For most products this means a parent account with a verified email and a real payment method, not a free-for-anyone signup with a checkbox at the bottom.

Limited data retention with a written policy. If a product is keeping a kid’s chat history, drafts, photo uploads, or voice samples, there now needs to be a documented reason for how long, and a process for purging beyond that. “Forever” is no longer the lazy default. Parents should be able to read the product’s retention policy in plain language and have it match what they see in the dashboard.

No training on kid data without separate consent. The blanket consent that gets a kid into a product cannot quietly authorize using the kid’s prompts, drawings, voice, or other content to train the underlying AI model. Training is a separate use that, in most readings of the amended rule, requires its own consent gate. The bigger AI providers have been moving in this direction independently; the new rule makes it explicit for products serving under-13 users.

Deletion and export on demand. A parent has to be able to ask the product to delete a kid’s data and have that request honored within a reasonable window. Export rights vary by regime (GDPR has stronger portability than COPPA) but every kid-AI product should be able to package up what it holds about a kid and either delete it or hand it back.

If you read those four items and think “those are basic,” you are right. They are also the four items that a lot of consumer AI products built before April 2026 do not cleanly do. The retrofitting work is real, and not every product is going to make it through.

What to ask before clicking “agree”

The most useful thing a parent can do, today, is treat the consent screen as a moment to actually read it. Most parents click through. That’s by design; the screens are written to be clicked through. A short list of questions slows the click down and reveals the product’s posture. Use these the next time your kid asks to sign up for anything AI-shaped.

The consent screen is written to be clicked through. The product’s posture lives in the answers to six questions the screen tries to skip.
(On reading the agreement instead of dismissing it)

If a product answers those six questions cleanly, in writing, and with a place in the parent dashboard for each, the product is taking the new regime seriously. If the answers are vague, defensive, or buried in a thirty-page policy, that’s information too. Common Sense Media’s 2026 parent guide to the COPPA changes makes the same point in slightly different language: parental due diligence is the missing input most products were built around. [4]

What Tell and Show does about each

The studio was designed and built before the April 2026 COPPA amendments. We didn’t write the rule, and we didn’t design for it specifically. But because the parent is the account owner and the kid has no separate online identity, the architecture happens to map cleanly onto the new requirements. The shorter version: kids in the studio don’t have accounts that collect data; parents do. Here is what we do for each of the four product behaviors above, with links into the privacy page for the underlying detail.

Verifiable parental consent before data collection. The kid never signs up. The parent creates the account with a verified email and a payment method (Stripe handles card verification), and the parent explicitly creates each kid profile. Kid sign-in inside the studio is a four-digit PIN on the parent’s account; the PIN is hashed with SHA-256 in the browser and the plain digits never reach our servers. The COPPA framing for this is on our COPPA page; the architecture is in our privacy posture.

Limited data retention. The kid’s creative output (project files, wizard drafts, the Keep / Review / Undo decisions) sits in per-account isolated storage. Backups are encrypted at rest and retained for 30 days. Purchase records are kept as long as tax and accounting law require (typically seven years) and are isolated from operational systems. We don’t keep behavioral profiles. We don’t keep ad-tech identifiers. We don’t have a behavioral retention question because we don’t collect the data that would create one.

No training on kid data. We don’t train models on kid work, and our AI providers (Anthropic and OpenAI for the managed Co-Pilot add-on) are contractually prevented from training on data we route through them. If you bring your own AI subscription, the prompts go directly to your provider and your account’s training settings apply. This is not a new posture in response to COPPA 2026; it has been the architecture since launch.

Deletion and export. Email hello@tellandshow.ai from your parent-account address. We will delete every kid profile and its projects, drafts, deploy history, and safety-log entries within seven business days, and we will erase your parent-account record at the same time. Export works the same way and produces a downloadable archive in the same window. The end-to-end policy is in the deletion and export section of the privacy page.
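
An added illustration of the kid PIN design described above, not Tell and Show's own code: hashing a four-digit PIN in the browser keeps the digits off the server, but a four-digit PIN has only 10,000 possible values, so the digest that does reach the server has to be handled like the credential itself. The page describes only the client-side SHA-256 step; the server-side functions, the salted scrypt storage, and the five-attempt lockout here are assumptions.

```javascript
// Added example. Runs under Node.js; in a browser the digest step would use
// crypto.subtle.digest('SHA-256', ...) and produce the same hex value.
const { createHash, scryptSync, randomBytes, timingSafeEqual } = require('crypto');

const MAX_ATTEMPTS = 5; // assumed lockout threshold, not taken from the page

// Client side, as the page describes: the plain digits never leave the browser.
function clientDigest(pin) {
  if (!/^\d{4}$/.test(pin)) throw new Error('PIN must be four digits');
  return createHash('sha256').update(pin, 'utf8').digest('hex');
}

// Server side (assumed design): the digest is what signs a kid in, so store
// only a per-profile salted, slow hash of it, never the digest itself.
function enrol(digestHex) {
  const salt = randomBytes(16);
  return { salt, verifier: scryptSync(digestHex, salt, 32), failures: 0 };
}

// Returns 'ok', 'wrong' or 'locked'. Lockout is checked first, so a locked
// profile stays locked even when the correct digest arrives afterwards.
function verify(record, digestHex) {
  if (record.failures >= MAX_ATTEMPTS) return 'locked';
  const candidate = scryptSync(String(digestHex), record.salt, 32);
  if (timingSafeEqual(candidate, record.verifier)) {
    record.failures = 0;
    return 'ok';
  }
  record.failures += 1;
  return 'wrong';
}

// Constructed sample: one kid profile with PIN 4821, then five wrong entries.
function demo() {
  const record = enrol(clientDigest('4821'));
  const results = [verify(record, clientDigest('4821'))];
  for (const entry of ['0000', '1111', '2222', '3333', '4444']) {
    results.push(verify(record, clientDigest(entry)));
  }
  results.push(verify(record, clientDigest('4821'))); // correct, but locked out
  return results;
}

console.log(demo().join(' '));
```

In a real service the lockout would be cleared by the parent account rather than staying permanent, and the failure counter would live in the same store as the verifier.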

A few specific notes worth being honest about. We use a parent-visible ChangeDisclosure card so the kid (and you) can see what the AI proposed, but we do not yet have a dedicated parent-side audit log of every AI interaction across a kid’s session history; the approval queue and the project-by-project view together cover most of that today, and a longitudinal audit view is on the roadmap. We don’t track screen time as a behavioral profile, by design; see our screen-time post for the longer argument. None of this makes us compliant by default; compliance is enforcement-pattern dependent, and we will update the privacy page and this post as the picture clarifies.

If you compare the six checklist questions in the previous section to what we publish on /parents/privacy, the answers should line up. If they don’t, email us and tell us where they don’t.

What’s still uncertain

The honest part of this post. COPPA 2026 enforcement patterns are not yet established. The amended rule took effect three weeks before this piece was written. The FTC will bring its first enforcement actions under the new text over the coming year and those actions will define, in practice, where the line sits on retention windows, what counts as verifiable consent in the AI era, and how strictly the “separate consent for training” requirement is read.

Some products will retrofit. Some products will quietly age out of compliance and shrink their kid-facing surfaces. Some products built around adult AI workflows with a thin “kid mode” bolted on are likely to be enforcement targets, and the public actions are how the industry will calibrate.

The CHATBOT Act is even less settled. Bills frequently change between introduction and passage, and many bills do not pass at all. The bill as introduced reflects a bipartisan concern that’s probably durable even if the specific text isn’t. State-level action (California, Texas, New York have all run AI-and-minors bills in 2025 and 2026) is the other pressure source to watch.

Common Sense Media’s May 2026 joint announcement with OpenAI on a shared youth-safety standard is the most concrete recent signal that the industry knows the answer to these questions has to come from product design, not just compliance paperwork. [5] Whether the standard becomes a meaningful floor or a marketing artifact will be visible by the end of 2026.

We will update this post as the picture clarifies. The date at the top is the publish date; if you read this six months from now and the answers have shifted, check the FTC’s enforcement page and Common Sense Media’s coverage for the current state. The skeleton of the parent checklist (account ownership, retention, training, deletion, framing, visibility) should still be useful. The specifics under each will change.

References

  1. Federal Trade Commission, Children’s Online Privacy Protection Rule, 16 CFR Part 312. The amended rule was published in the Federal Register and took effect April 22, 2026. Full text via the eCFR at ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312.
  2. Federal Trade Commission, “FTC Finalizes Changes to Children’s Privacy Rule Limiting Companies’ Ability to Monetize Kids’ Data,” press release and Federal Register notice, January 2025. Linked from the FTC’s COPPA hub at ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa.
  3. U.S. Senate, the Children Harmed by AI Technology Bots Online Today Act (CHATBOT Act), introduced April 28, 2026 by Senators Ted Cruz (R-TX), Brian Schatz (D-HI), John Curtis (R-UT), and Adam Schiff (D-CA). Bill text and sponsor statements via the Senate Commerce Committee at commerce.senate.gov.
  4. Common Sense Media, parent guidance on COPPA and AI safety for kids, 2026 updates at commonsensemedia.org. Common Sense maintains an ongoing parent-facing explainer series on AI products for minors.
  5. Common Sense Media and OpenAI, joint announcement on youth-safety standards for AI products, May 2026. Coverage and the joint statement are linked from the Common Sense Media newsroom at commonsensemedia.org.
