โš–๏ธ Compliance & Data Privacy

COPPA Compliance for Childcare Apps: A 2026 Guide for Directors

The parent app that shares your classroom photos and the tablet your toddlers tap on are both governed by a federal children's-privacy law โ€” and that law just got stricter. Here's what it means for your center, in plain English.

By Eshan de Silva ยท ยท 8 min read

Almost every modern childcare center runs on apps. You post daily photos to parents, track naps and meals on a tablet, message families about pickup, and maybe stream a live classroom camera. Each of those tools collects information about children under 13 โ€” which puts them squarely inside the Children's Online Privacy Protection Act, better known as COPPA. And as of April 22, 2026, the federal rules behind COPPA got noticeably tougher. If you've never thought about COPPA as your problem, this is the year to start.

The reassuring news: you don't need a law degree or a big budget to handle this. You need to understand a few core ideas, ask your software vendors the right questions, and keep your consent and security tidy. This guide walks through all of it.

Quick note: This article is general guidance, not legal advice. COPPA is a federal rule that interacts with California privacy law, and every center's situation is different โ€” confirm specifics with your attorney or compliance advisor before making decisions.

What COPPA actually is โ€” and why it lands on you

COPPA governs online services that collect personal information from children under 13. It requires those services to tell parents what they collect, get verifiable parental consent before collecting it, let parents review or delete it, and protect it with reasonable security. The companies on the hook are the "operators" โ€” the app makers, not usually the center.

So why should a daycare director care? Because the responsibility flows through the tools you choose. When you put a learning app on a classroom iPad or sign your families up for a photo-sharing platform, you're the one deciding what data gets collected and, in many cases, the one gathering the parental consent the app depends on. If that vendor isn't compliant โ€” or if you never collected proper consent โ€” the gap is yours to explain. Picking compliant vendors and documenting consent is exactly how a center meets its COPPA obligations in practice. Our broader childcare data privacy and Title 22 guide covers how this fits alongside your state record-keeping duties.

What changed in 2026

The Federal Trade Commission finalized a major update to the COPPA Rule in 2025, and the compliance deadline arrived on April 22, 2026. A few of the changes matter directly to childcare centers:

  • Biometrics are now personal information. Faceprints, voiceprints, and similar identifiers are explicitly covered. That's significant for any app that runs facial recognition on classroom photos or analyzes audio โ€” features that have quietly crept into photo-sharing and security tools.
  • Separate consent for sharing with third parties. An operator now needs a distinct, separate parental consent before disclosing a child's data to outside parties such as advertisers. "We agreed to the app" no longer implies "we agreed to let it sell or share data."
  • A written data-security program is required. Operators must maintain a written program to protect children's information, sized to the sensitivity of the data and the operator's size. Expect compliant vendors to be able to show you theirs.
  • More ways to verify a parent. The rule expands approved methods for confirming you're really dealing with a parent โ€” including knowledge-based questions, government-ID checks, and text-message verification with extra steps.
  • Real penalties. Civil penalties can reach up to $50,120 per violation, and the FTC has signaled that children's privacy is an enforcement priority.
The photo trap: A photo or video of a child has always been personal information under COPPA. What's new is that the facial template an app might generate from that photo is now its own protected biometric identifier. If your photo-sharing app offers "smart tagging" or face grouping, that's worth a direct question to the vendor.

Where consent actually happens at your center

"Verifiable parental consent" is the heart of COPPA, and it's where centers most often get loose. A parent clicking "I agree" inside an app may satisfy the vendor's requirement โ€” but you should know which apps rely on the center to collect consent on their behalf, because some do. The cleanest approach is to fold app and photo-sharing permissions into your enrollment paperwork, keep a record of who consented to what, and store those records somewhere secure and searchable rather than in a stack of paper forms a new family signs and forgets.

It also pays to give parents a genuine choice. A family that doesn't want their child's photo on a shared classroom feed should be able to opt out without losing access to the rest of the service. Building that flexibility in protects you and builds the kind of trust that keeps families enrolled.

The vendor questions that do most of the work

You can't audit a software company's code, but you can ask a handful of questions that quickly separate the careful vendors from the risky ones. Before you adopt any tool that touches a child's data โ€” parent app, photo platform, check-in kiosk, classroom learning app โ€” ask:

  • Are you COPPA-compliant, and will you put it in writing? A confident vendor says yes without flinching and can point to a current privacy policy that addresses children specifically.
  • What exactly do you collect from or about the children โ€” and do you generate biometrics? You want a clear list, and a straight answer on whether faces or voices are analyzed.
  • Do you share or sell any of it, and is that consent separate? The right answer is that nothing goes to advertisers or data brokers, and any sharing has its own opt-in.
  • Where is the data stored, how is it encrypted, and how long do you keep it? Look for U.S.-based storage, encryption in transit and at rest, and a sensible deletion timeline.
  • Can we export and delete our data if we leave? You should never be locked into a platform that holds your families' information hostage.

This is also where the right systems quietly reduce your exposure. A digital visitor-management tool like SenLobby.ai, for example, replaces the paper sign-in sheet that shows every visitor the name and contact details of everyone before them โ€” turning a daily privacy leak into a secure, consent-aware log. Fewer places where children's and families' data sits exposed means fewer places COPPA and state law can bite you.

The security layer COPPA now expects

COPPA's updated rule formalizes something good operators already do: protect children's data with real security. You don't carry the vendor's burden, but the accounts you control โ€” the logins to your parent app, your photo platform, your email โ€” are part of the picture. The highest-value steps are the same ones that protect the rest of your business:

  • Multi-factor authentication on every account that touches family data. Most breaches at small organizations start with a stolen password; MFA blocks the overwhelming majority and is free on the platforms you already use.
  • Role-based access. A floater covering one classroom doesn't need admin rights to your entire photo library. Limit who can see what.
  • A short, living inventory of apps. Keep one list of every tool that touches a child's data, who owns the account, and when you last reviewed it. You can't protect data you've forgotten you collect.

If that sounds like a lot to keep straight on top of running a center, it's exactly the kind of thing a good managed IT partner handles in the background. EDCON sets up and maintains these controls for childcare centers across Los Angeles, Oxnard, Ventura, and Azusa โ€” see our managed IT services or our guide to choosing a provider that understands childcare.

What happens if you ignore it

COPPA enforcement targets operators first, but a center that hands children's data to a non-compliant app, never collects consent, or leaks information through a sloppy setup is exposed too โ€” to FTC scrutiny on the federal side and to California's own privacy and breach-notification rules on the state side. (If you handle California consumers' data more broadly, our CCPA guide for California small businesses is a useful companion.) For an authoritative primer straight from the regulator, the FTC's children's privacy guidance is the best free resource available.

The flip side is encouraging: nearly all of this is preventable with a modest, well-organized setup. Choose compliant vendors, collect and store consent properly, turn on a few key security controls, and keep a simple inventory. That's the whole game โ€” and it's very achievable for a small center with the right help.

Common questions from childcare directors

Does COPPA apply to my childcare center?

Your center usually isn't a direct COPPA "operator" โ€” the law targets online services that collect data from children under 13. But the apps you choose for parents and classrooms often are operators. Because you select those tools and gather the parental consent they rely on, COPPA becomes your responsibility through the vendors you pick. Choosing compliant vendors and documenting consent is how a center meets its obligations.

What changed in the FTC's COPPA rule for 2026?

The amended rule took effect in mid-2025 with a compliance deadline of April 22, 2026. Biometric identifiers such as faceprints and voiceprints are now personal information; operators need separate parental consent before sharing a child's data with third parties; they must keep a written data-security program; and the rule adds new ways to verify a parent. Penalties can reach up to $50,120 per violation.

Do photos and videos of children count under COPPA?

Yes. A photo, video, or audio clip containing a child's image or voice is personal information. Under the amended rule, the facial or voice templates some apps generate from those files are also covered as biometric identifiers. So the photo-sharing and live-streaming features many centers love are a real consideration โ€” confirm what your app captures, how long it keeps it, and that parents have consented.

What's the simplest way to stay COPPA-compliant as a small center?

Keep a short list of every app that touches a child's data, confirm each vendor is COPPA-compliant and will sign a written agreement, and store parental consent in one secure place instead of scattered paper forms. Pair that with multi-factor authentication and role-based access on the accounts that hold the data. Most small centers can get compliant in a few focused hours with the right help.

Not sure which of your apps are compliant?

EDCON helps California childcare centers vet their software, lock down consent and security, and stay audit-ready under COPPA and California privacy law. Book a free 30-minute consultation and we'll review the tools you use, flag any gaps, and give you a clear, no-pressure plan.

Book a Free Consultation