Morning Overview

New rules now bar collecting kids’ face and voice data without a parent’s consent

Parents of children who use apps with voice assistants or camera-based features now have a stronger legal shield. The Federal Trade Commission finalized amendments to the Children’s Online Privacy Protection Rule that explicitly bar operators from collecting facial images or voice recordings from kids under 13 without first obtaining verifiable parental consent. The amended rule, published in the Federal Register on April 22, 2025, also restricts how companies can monetize data they do collect, closing gaps that had allowed some platforms to treat biometric information as less protected than names or email addresses. In a related FTC announcement, the agency emphasized that operators may no longer freely leverage children’s data for advertising or other commercial purposes, even when they have obtained consent.

Why the FTC’s biometric consent rule changes the calculus for apps

The core tension is straightforward: many apps and connected devices aimed at children rely on cameras and microphones for basic functionality, from augmented-reality games to voice-controlled learning tools. Under the prior version of the rule, the FTC had already signaled that photos and audio files counted as personal information. In October 2017, the agency released guidance on voice recordings clarifying that operators could avoid an enforcement action only if a voice recording was used solely to fulfill a child’s request and then promptly deleted. But that guidance operated as a policy carve-out, not a binding rule change. The 2025 amendments convert that expectation into a formal regulatory requirement and extend the same logic to facial data.

For operators that already process biometric signals entirely on a child’s device, without transmitting raw images or audio to external servers, the compliance burden may be lighter. On-device age-estimation tools, for instance, can analyze a face locally and discard the data in milliseconds, never creating a record that triggers the consent obligation. Companies that instead send facial scans or voice clips to cloud servers for analysis face a harder path: they must either redesign their data pipelines or build out verified parental consent workflows before the rule’s compliance deadline. The FTC has not published compliance-cost estimates or detailed technical standards for what counts as adequate consent when the data at issue is a voiceprint or facial geometry, leaving operators to interpret the rule’s general “verifiable parental consent” framework on their own.

These changes also affect business models. Apps that once relied on harvesting voice snippets or facial data to refine algorithms or build advertising profiles must now justify every instance of collection. Because the amendments treat biometric identifiers as fully covered personal information, an operator can no longer treat a child’s face or voice as a low-risk data point gathered in the background. Instead, companies must treat every camera or microphone activation as a potentially regulated event and design user flows accordingly.

What the amended COPPA rule actually requires

The COPPA guidance materials already listed photos and audio files as covered data categories, but the final rule amendments do three things that matter most for families and the companies that serve them. First, they tighten the definition of personal information to leave no ambiguity that facial features and voice characteristics are covered. Second, they add restrictions on monetization, preventing operators from using collected data for targeted advertising or selling it to third parties even after obtaining consent. Third, they strengthen the notice requirements so that parents receive clear, specific descriptions of what biometric data will be gathered and how it will be used before they agree.

Under the updated rule, operators must provide a direct notice to parents before collecting any biometric data from a child. That notice must explain, in plain language, what types of images or recordings will be captured, the purposes of collection, how long the data will be retained, and whether it will be shared with service providers or other partners. Only after sending that notice and obtaining verifiable parental consent can the operator legally activate biometric features for a child under 13.

The amended rule also narrows the circumstances under which operators may rely on implied or blanket consent. A one-time acceptance of general terms of service is unlikely to satisfy the requirement when the app later introduces a new camera-based game or voice-interaction feature. Instead, companies are expected to secure fresh consent when they materially change their data practices, especially when those changes involve new forms of biometric collection or new uses of existing recordings.

Separately, the FTC in February 2026 issued a policy statement encouraging age-verification technologies, provided those tools are deployed solely to determine a user’s age and not repurposed for profiling or ad targeting. That statement signals the agency’s willingness to accept facial-analysis tools for age gating, but only under narrow conditions. An operator that uses a face scan to check whether a user is under 13, then deletes the scan immediately, would fall within the statement’s safe harbor. An operator that retains or analyzes the same scan for other purposes would not.

Open questions for parents and platform operators

Several gaps in the regulatory record leave practical questions unanswered. No publicly available FTC enforcement log or dataset shows how many apps currently collect facial or voice data from users under 13 without consent. Without that baseline, it is difficult to gauge the scale of the compliance challenge or predict how quickly the market will adjust. The Federal Register notice contains no quantitative estimates of costs for small developers who may need to retrofit consent mechanisms into existing products.

The rule also does not specify which technical methods satisfy the “verifiable parental consent” standard when the data involved is a biometric identifier rather than a name or email address. Existing approved methods, such as credit card verification or signed consent forms, were designed for text-based data. Whether those same methods are sufficient when a company is asking permission to capture a child’s face or voice is a question the FTC has left for future guidance or enforcement actions to resolve. Developers face a risk that a consent flow they design in good faith today could later be deemed inadequate if the agency issues more detailed criteria.

Another unresolved issue is how aggressively the FTC will enforce the new biometric provisions. Historically, headline COPPA cases have focused on obvious failures, such as collecting full profiles on children without any consent process at all. The amended rule suggests that more subtle practices-like retaining voice snippets longer than necessary or reusing facial images to improve unrelated products-could now become enforcement targets. But until the agency brings specific cases under the new rule, operators will have to infer its priorities from general statements rather than concrete settlements.

What parents should look for now

For parents, the immediate practical step is direct: any app or website directed at children under 13 must now ask for consent before activating a camera or microphone to collect identifiable images or recordings. If a child-focused app turns on the camera for a game or invites the child to talk to a virtual character without first involving an adult, that is a red flag. Parents should expect to see a clear notice explaining what will be captured and should have an opportunity to approve or decline before the feature works.

Parents can also review privacy settings inside apps and devices. Many platforms now offer toggles that disable camera or microphone access for child accounts unless a parent turns them on. In light of the new rule, leaving those defaults in the most restrictive position may be the safest choice until an operator demonstrates that it has a robust consent process and transparent data practices.

Finally, families may want to ask a few basic questions whenever a new app asks to use a child’s camera or microphone: Is this strictly necessary for the feature my child wants to use? What happens to the recordings after the interaction ends? Can I review or delete what has been captured? The amended COPPA rule gives parents stronger legal backing to demand those answers-and to walk away when an operator cannot provide them.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.