Insight

Navigating the Next Generation of Children’s Privacy Laws and Online Safety Regulation

July 02, 2026

For years, the Children’s Online Privacy Protection Act (COPPA) served as the primary federal framework governing children’s online privacy. That landscape has changed dramatically. Regulators, lawmakers, and courts are now grappling with a broader set of concerns that extends beyond data collection and advertising practices to questions of online safety, age assurance, harmful content, dark patterns, and AI-generated intimate imagery.

Recent amendments to the COPPA Rule, the enactment of the Take It Down Act, the advancement of the DEFIANCE Act, and a rapidly evolving patchwork of state laws reflect a broader shift in policy priorities toward preventing online harms to children and other vulnerable individuals. At the same time, many of these measures face constitutional challenges, operational hurdles, and unresolved questions about implementation and enforcement.

This Insight, based on a recent Morgan Lewis Technology Marathon webinar, examines recent developments under COPPA, state children’s online safety laws and age appropriate design laws, the Take It Down Act, and the DEFIANCE Act, provides a review of notable enforcement and litigation trends, and explores the key debates that are likely to shape the next phase of children’s privacy and online safety regulation.

KEY TAKEAWAYS

  • Children’s online safety regulation is expanding beyond privacy and data collection to address platform design, harmful content, and AI-generated imagery.
  • The 2025 amendments to the COPPA Rule create new compliance obligations, specifically around data retention, deletion, and expanded definitions of personal information.
  • State lawmakers continue to pursue age-appropriate design, age assurance, and app store accountability measures despite ongoing constitutional challenges.
  • The Take It Down Act establishes a new federal notice-and-removal framework for nonconsensual intimate imagery, including AI-generated deepfakes.
  • The proposed DEFIANCE Act, if passed, would create significant new civil remedies for victims of intimate digital forgeries and deepfake abuse.
  • Enforcement activity and private litigation are increasingly converging, creating new compliance, reputational, and litigation risks for companies that interact with children.

COPPA AND STATE CHILDREN’S PRIVACY FRAMEWORKS INCORPORATE NEW RULES AMID GROWING ENFORCEMENT PRESSURE

COPPA Rule Amendments and Enforcement

The 2025 amendments to the COPPA Rule represent the most significant update to the federal children’s privacy framework in years. The amendments introduce several substantive obligations and expand the scope of information to which the rule applies. Operators had until April 22, 2026 to achieve full compliance with the updated rule.

The updated rule expands the definition of personal information to include certain biometric and government-issued identifiers. These new data elements join a list of data elements that were previously regulated by COPPA, such as audio recordings, telephone numbers, and certain geolocation information.

The amendments also impose enhanced notice requirements, clarify rules for mixed-audience services, and establish more prescriptive data retention and deletion obligations.

One area receiving particular attention is the requirement that companies develop and publicly disclose retention practices and specify deletion timelines. As regulators increasingly focus on data governance, organizations may face scrutiny not only for deficient policies but also for failures to operationalize those policies across systems and repositories.

COPPA remains a clear enforcement priority for the Federal Trade Commission (FTC). Agency officials have publicly emphasized their willingness to pursue children’s privacy cases, and recent enforcement actions continue to focus on unlawful data collection, inadequate parental consent mechanisms, and failures to comply with longstanding COPPA requirements.

State Developments

At the state level, lawmakers have moved beyond traditional privacy regulation to protect children online. California’s Age-Appropriate Design Code Act helped launch a wave of legislation focused on protecting children through product design and platform architecture rather than solely regulating data practices.

Similar laws have emerged in Maryland, Nebraska, South Carolina, Vermont, and elsewhere, often addressing issues such as age estimation, dark patterns, autoplay functions, infinite scroll, gamification, and other design features viewed as potentially harmful to minors.

Many of these laws, however, remain tied up in litigation. Courts have repeatedly been asked to evaluate whether age-appropriate design requirements, age-verification obligations, and content-related restrictions can withstand First Amendment and vagueness challenges. The result is a regulatory landscape that continues to evolve almost as quickly as new legislation is enacted.

THE TAKE IT DOWN ACT ACCELERATES PLATFORM RESPONSIBILITY FOR ONLINE HARMS

The Take It Down Act marks a significant shift in federal regulation of online harms. The law, which took effect in May 2026, targets the publication of nonconsensual intimate visual depictions, including AI-generated deepfakes.

The law applies broadly to covered online platforms and requires them to establish a mechanism for individuals to report qualifying content. Once valid notice is received, platforms generally must remove the content within 48 hours. The compressed timeframe creates substantial operational challenges, particularly as platforms must assess authenticity, consent, or the location of the content.

The FTC continues to make clear that compliance is expected. The agency has issued notices to major platforms, launched reporting mechanisms for consumers, and publicly emphasized enforcement readiness. Regulators are also scrutinizing businesses that allegedly facilitate the creation or dissemination of nonconsensual intimate imagery.

While the statute does not create a federal private right of action against platforms, litigation risks remain. Plaintiffs may seek to use the law as evidence of an emerging standard of care, particularly in cases involving delayed removals or alleged failures to respond adequately to notices. As a result, organizations may face exposure not only from regulators but also from private litigants seeking to build negligence, product liability, or related claims around the statute’s requirements.

THE DEFIANCE ACT LAYS GROUNDWORK FOR NEXT WAVE OF DEEPFAKE LITIGATION

The DEFIANCE Act, which has passed the Senate and is under consideration in the House, represents the next step in federal lawmakers’ efforts to address AI-generated sexual abuse and nonconsensual imagery.

Unlike the Take It Down Act, which focuses primarily on content removal obligations, the DEFIANCE Act focuses on remedies. The legislation would create a federal civil cause of action for victims of “intimate digital forgeries” and allow recovery against individuals who create, disclose, solicit, or distribute qualifying deepfake content involving identifiable individuals without consent.

The bill proposes substantial statutory damages and a lengthy limitations period, reflecting growing concern that existing legal remedies do not adequately address the harms associated with AI-generated intimate imagery.

While the legislation is principally aimed at individual bad actors rather than institutions, its practical effects could extend beyond direct defendants. New federal causes of action often generate broader litigation ecosystems involving discovery disputes, secondary defendants, and efforts to identify deeper pockets. Companies should closely monitor developments, even if they are not the legislation’s primary target.

LOOKING AHEAD

As lawmakers, regulators, courts, and private litigants continue to shape the regulatory and enforcement landscape for children’s online privacy and safety, several themes are likely to influence the next phase of development.

  • Lawmakers continue to struggle with the challenge of preventing harm through regulation of online content and platform design. Legislatures and regulators are attempting to address issues ranging from targeted advertising and dark patterns to addictive product features and AI-generated abuse, often through overlapping and sometimes conflicting approaches.
  • Constitutional challenges are likely to remain a defining feature of this area. Courts continue to scrutinize age-verification requirements, content restrictions, and design mandates, creating uncertainty around which legislative models will ultimately survive.
  • AI is accelerating both innovation and regulatory pressure. Questions surrounding deepfakes, avatars, synthetic media, and age assurance technologies are forcing policymakers to confront issues that existing legal frameworks were never designed to address.
  • Organizations should expect continued convergence between privacy regulation, online safety requirements, and product design obligations. What began as a narrow children’s privacy issue has evolved into a broader debate about how digital services should be designed, operated, and governed to protect children online. Organizations that take steps to strengthen their compliance and take a proactive approach to children’s online safety and privacy will be better positioned to reduce risk exposure in the long term.

CONCLUSION

The next generation of children’s privacy law is no longer defined solely by data collection practices. Regulators and lawmakers are increasingly focused on how online services are designed, how harmful content is distributed, and how emerging technologies can be used to create new forms of abuse. As federal and state requirements continue to develop, organizations will need to navigate a rapidly changing landscape marked by expanding obligations, active enforcement, ongoing litigation, and significant legal uncertainty.

HOW WE CAN HELP

Our lawyers are well situated to help companies navigate the complex landscape of children’s online privacy and safety laws. Our team is prepared to support businesses as they navigate this evolving and challenging regulatory environment.

Associate Alyssa Wolfington contributed to this Insight.

Contacts

If you have any questions or would like more information on the issues discussed in this Insight, please contact any of the following:

Authors
Ashley R. Lynam (Philadelphia)
Hannah Levin (Washington, DC)