The FTC’s amended COPPA rule reached full enforcement on April 22, 2026. Penalties reach $53,088 per violation and stack per tag, per child, per day. Every targeted-advertising pixel on your WooCommerce store now needs separate verifiable parental consent before it fires for a visitor under 13. Cognosphere paid $20 million and Disney paid $10 million for COPPA violations in 2025. If your store sells anything in the mixed-audience category — toys, family apparel, educational products, games — your Meta Pixel, Google Ads remarketing tag, and TikTok Pixel are all in scope.
What Changed on April 22, 2026
The FTC’s amended COPPA rule is now fully enforceable — and the Commission has already told you it plans to use it.
The compliance deadline hit three weeks ago. The FTC published the amended COPPA rule in the Federal Register on April 22, 2025, gave operators one year to comply, and started enforcing on April 22, 2026. This isn’t a proposed rule or a comment period. It’s live.
At an IAPP summit in late March 2026, FTC Commissioner Mark Meador said the Commission is “willing and eager” to enforce the new requirements. Associate Director Ben Wiseman went further: the Commission has been “loud and clear” that protecting children’s data is the highest enforcement priority. Five of the six largest federal privacy enforcement actions from 2024 to 2026 invoke COPPA.
The amended rule brings three changes that matter for every WooCommerce store running ad pixels. First, you now need separate verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising. A general privacy notice no longer covers it. Second, the definition of personal information has expanded to include biometric identifiers, geolocation data, and audio recordings. Third, operators must publish a written data retention policy specifying why they collect children’s data and when they delete it.
The amended COPPA rule requires separate verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising, effective April 22, 2026.
The Penalty Math That Makes This Urgent
The penalty isn’t one fine per incident. It stacks per violation — and each pixel, each child, each day is a separate violation.
Courts can impose civil penalties of up to $53,088 per COPPA violation per day. That number alone should stop you scrolling. But the stacking is what makes it existential for a small business.
Consider a single page load on your WooCommerce product page. Your Meta Pixel fires. Your Google Ads remarketing tag fires. Your TikTok Pixel fires. Your Klaviyo tracking script fires. Your Microsoft UET tag fires. That’s five third-party scripts, each collecting personal information from the visitor’s browser. If that visitor is under 13 and you haven’t obtained parental consent, each script firing is a separate COPPA violation.
Five violations per page load. $53,088 each. $265,440 for a single child viewing a single page. Now multiply by every under-13 visitor across every day your store has been non-compliant since April 22.
The FTC doesn’t always seek maximum penalties — the amount depends on factors including severity, the number of children affected, and the company’s size. But the math illustrates why this isn’t a compliance item you defer. The statutory ceiling is high enough to threaten any business.
The FTC’s Enforcement Track Record
The Commission isn’t theorising about enforcement. It’s already collecting.
The penalty amounts from recent settlements show the FTC is serious and scaling.
| Company | Settlement Date | Penalty | Violation |
|---|---|---|---|
| Cognosphere (Genshin Impact) | January 2025 | $20 million | Collected children’s data without consent; failed to act after learning users were under 13 |
| Disney | September 2025 | $10 million | Failed to designate child-directed YouTube videos; personal data collected for targeted ads without consent |
| Apitor Technology | September 2025 | $500,000 (suspended) | Third-party SDK in children’s toy app collected geolocation without parental consent |
| YouTube (Google) | September 2019 | $170 million | Tracked viewing history of minors for targeted advertising |
| Epic Games (Fortnite) | February 2023 | $275 million | Collected children’s data and enabled communications without consent |
Cognosphere paid $20 million in January 2025 to settle FTC allegations of collecting children’s data without parental consent, and Disney paid $10 million in September 2025 for similar violations on YouTube.
The pattern is clear. The FTC goes after companies that collect data from children through third-party scripts — ad pixels, SDKs, tracking tags — without obtaining separate parental consent. The mechanism that triggers the violation is the same mechanism running on most WooCommerce stores: a tracking pixel that fires before any consent check.
What the Amended Rule Covers Now
The definition of personal information expanded in 2025 to cover data types that modern tracking pixels routinely collect.
The amended rule added biometric identifiers — fingerprints, voiceprints, facial templates, faceprints — to the definition of personal information. It also added government-issued identifiers, phone numbers, audio recordings, and certain geolocation information.
Modern ad pixels capture more of this data than most store owners realise. The Meta Pixel collects browser fingerprint data, IP addresses (which enable geolocation), and device identifiers. The Google Ads remarketing tag collects similar signals for audience building. Third-party chat widgets with voice features may capture audio. Each of these data types now falls under COPPA’s definition of personal information.
The FTC also expanded the factors it considers when determining whether a site is “directed to children.” The Commission now looks at marketing materials, promotional plans, representations to third parties, user reviews, and the ages of users on similar websites. If you sell anything that children might reasonably use — and the FTC can find reviews, ads, or competitor data suggesting children visit similar stores — your site may qualify as a mixed-audience site subject to COPPA.
You may be interested in: UTM Parameter Best Practices for WordPress in 2026
Where WooCommerce Stores Are Exposed
Every third-party tracking script that fires before consent is a separate COPPA exposure point.
The typical WooCommerce store runs between three and eight third-party tracking scripts. Each one represents a separate consent obligation under COPPA.
The Meta Pixel fires on page load and collects browser data, IP address, and page-view events. If you’re running custom conversions or the Conversions API alongside the browser pixel, both the client-side and server-side paths are collecting data. Under COPPA, each path that discloses a child’s information to Meta without consent is a separate violation.
Google Ads remarketing tags collect visitor data for audience building. The tag fires on every page load and sends identifiers to Google. If a child under 13 triggers that tag, you’ve disclosed their personal information to a third party for advertising without the required separate parental consent.
TikTok Pixel, Pinterest Tag, Microsoft UET — each follows the same pattern. They fire on page load, collect device and behavioural data, and send it to their respective platforms. None of them check the visitor’s age before collecting. That’s your responsibility as the site operator.
Klaviyo, Mailchimp, and email marketing scripts that collect email addresses or track on-site behaviour are subject to the same rules. If a child enters an email address to sign up for a newsletter and your email marketing platform is collecting that data, COPPA applies.
What to Do Now: The Compliance Checklist
Six steps between your current pixel setup and COPPA compliance — none of them optional.
Step one: determine if COPPA applies to your store. If you sell products that children might use, visit, or interact with — even if you don’t market directly to children — COPPA likely applies. Look at your product categories, customer reviews, marketing materials, and competitor demographics. If there’s a reasonable case that children under 13 visit your store, assume COPPA applies.
Step two: implement an age-screening mechanism. This runs before any tracking script loads. A simple age gate or date-of-birth check is acceptable. The critical requirement is that it executes before any third-party pixel fires. If your tracking scripts load in the page head and the age screen renders in the body, you’ve already failed.
Step three: block all third-party scripts until consent is verified. For visitors identified as under 13, no tracking pixel should fire until you’ve obtained separate verifiable parental consent. Use a consent management platform that supports age-gated consent flows, or implement conditional script loading in your theme.
Step four: obtain verifiable parental consent for under-13 visitors. The amended rule permits several methods including signed consent forms, credit card verification, video conferencing, and — new in this amendment — text message verification and knowledge-based authentication.
Step five: publish a written data retention policy. The amended rule requires a published policy specifying what children’s data you collect, the business need for retention, and a deletion timeline. This goes in your privacy policy and must be specific enough that a reviewer can verify compliance.
Step six: audit your third-party scripts quarterly. Plugins update. New scripts get added. Marketing teams install new pixels without checking COPPA implications. Build a quarterly audit that inventories every third-party script on your store and verifies each one is behind your consent mechanism.
You may be interested in: Why Your Email Campaign UTMs Keep Disappearing Before They Reach WordPress
The Server-Side Tracking Advantage
When data flows through your server instead of the visitor’s browser, you control what gets sent and when.
Client-side pixels are the core COPPA problem for WooCommerce stores. They fire in the browser, collect data before your consent logic intervenes, and send it directly to third parties. You’re structurally out of control.
Server-side tracking reverses this. Events flow from the visitor’s browser to your WordPress server first, then from your server to the advertising platforms. At the server level, you can check consent status, verify age, and block outbound data for any visitor who hasn’t cleared your COPPA requirements. No data reaches Meta, Google, TikTok, or any other third party until your server explicitly forwards it.
This is architecturally cleaner than conditional client-side pixel loading for three reasons. First, there’s no race condition — client-side scripts can fire during page load before your JavaScript consent check executes. Server-side gating eliminates this timing vulnerability because the data never leaves your infrastructure without an explicit server-side decision. Second, you get a complete audit log of what was sent and what was blocked. Third, you can update consent rules in one place — your server — rather than across every client-side script on every page.
The definition of personal information under the amended COPPA rule now includes biometric identifiers, government-issued identifiers, geolocation data, and audio recordings — all of which modern tracking pixels can capture.
The Transmute Engine™ routes WooCommerce events through a server-side pipeline where consent status and age verification are checked before any data is forwarded to advertising platforms. Talk to Seresa about COPPA-compliant tracking for your WooCommerce store.
Key Takeaways
- The FTC’s amended COPPA rule is now fully enforceable as of April 22, 2026: The Commission has stated it is “willing and eager” to enforce, and five of its six largest recent privacy actions target children’s data violations.
- Penalties reach $53,088 per violation and stack per tag, per child, per day: A single page load with five tracking pixels firing for one under-13 visitor creates five separate potential violations.
- Every third-party tracking pixel on your WooCommerce store is an exposure point: Meta Pixel, Google Ads remarketing, TikTok Pixel, Klaviyo, and any other script that collects personal information from a child without separate parental consent violates the rule.
- Mixed-audience stores are in scope even if they don’t sell kids’ products: The FTC now considers marketing materials, competitor demographics, and user reviews when determining whether a site is directed to children.
- Server-side tracking provides structural COPPA compliance: When events flow through your server first, you can gate outbound data on consent status and age verification before anything reaches a third-party advertising platform.
Yes, if children under 13 visit your site. COPPA applies to any website or online service that is directed to children or has actual knowledge that it collects personal information from children. The amended rule expands the factors the FTC considers when determining whether a site is directed to children, including marketing materials, reviews by users, and the ages of users on similar sites. If your store sells anything that might attract children — toys, games, family apparel, educational products — the FTC may classify it as a mixed-audience site subject to COPPA.
The definition now includes biometric identifiers such as fingerprints, voiceprints, facial templates, and faceprints. It also covers government-issued identifiers, phone numbers, audio recordings, and certain geolocation information. This means that if any tracking pixel on your site captures device fingerprints, location data, or voice recordings from a child, that data falls under COPPA’s consent requirements.
Courts can impose civil penalties of up to $53,088 per violation. The penalty stacks per tag, per child, per day. A single page load with five third-party tracking pixels firing for one under-13 visitor without parental consent creates five separate potential violations. The FTC considers factors including the number of children affected, the type of information collected, how it was used, whether it was shared with third parties, and the size of the company.
You need an age-screening mechanism that runs before any third-party tracking script loads. If the visitor is under 13, you must obtain separate verifiable parental consent before disclosing their personal information to third parties for targeted advertising. In practice, this means your Meta Pixel, Google Ads remarketing tag, TikTok Pixel, and any other third-party scripts must be blocked until age is verified and, for children, parental consent is obtained.
Server-side tracking gives you control over what data is collected and when it is forwarded to third parties. Because the data flows through your server rather than the visitor’s browser, you can implement age-screening logic and consent checks at the server level before any data reaches an advertising platform. This is architecturally cleaner than trying to conditionally load client-side pixels, which can still fire during page load before your consent logic executes.
References
- Federal Trade Commission — Children’s Online Privacy Protection Rule, Final Amendments (Federal Register, April 22, 2025)
- Davis Polk — FTC Prioritizes COPPA Enforcement as New Compliance Obligations Take Effect (April 2026)
- Reed Smith — The FTC’s Latest Round of COPPA Enforcement: Disney and Apitor Settlements (September 2025)
- Hunton Andrews Kurth — COPPA Rule Amendment Compliance Deadline Approaches (April 2026)
- White and Case — Unpacking the FTC’s COPPA Amendments: What You Need to Know (2025)
- UniConsent — US Privacy 2026: State Laws, FTC Actions, and Class Action Risk (May 2026)
- FTC — Complying with COPPA: Frequently Asked Questions (July 2025)
- Mintz — FTC COPPA Enforcement: Still Alive and Well (September 2025)
