The intersection of artificial intelligence and children’s privacy is no longer a future concern. It is the defining compliance challenge of 2026. Regulators across every jurisdiction are coordinating, legislating, and enforcing with an urgency that should command the full attention of every privacy leader.
This article distills the key insights from TrustArc’s on-demand webinar, Privacy Regulatory Briefing: AI & Children’s Regulatory Update, where experts from TrustArc and the Future of Privacy Forum unpacked how the EU AI Act, new COPPA rules, and converging state design codes are reshaping what compliance looks like. The question is no longer whether your organization needs a strategy here. The question is whether your strategy can keep up.
AI Regulation Is a Global Patchwork, and Children Are at the Center of It
Privacy professionals have watched the AI regulatory landscape evolve from a single EU-centric conversation into a sprawling, fast-moving, multi-jurisdictional reality. At the state level in the U.S., California, Colorado, and Texas have enacted some of the most comprehensive frameworks, including the California TFAIA, Colorado AI Act and Texas’s Responsible AI Governance Act (TRIGA). Common themes are emerging across states: transparency requirements, high-risk AI governance, deepfake restrictions, criminal liability for AI misuse, and protections for minors interacting with AI systems.
At the federal level, momentum is building around several bills, including the Algorithmic Accountability Act, the AI Accountability and Personal Data Protection Act, and the CHAT Act, which would specifically regulate AI companions. The White House has also issued formal legislative recommendations calling for a national AI policy framework, one that explicitly names children’s privacy protection as a core pillar.
Globally, the EU AI Act, the world’s first comprehensive AI law, is currently undergoing revision as part of the Digital Omnibus initiative, with trilogue negotiations expected this spring ahead of the August 2nd high-risk AI compliance deadline.
What makes 2026 distinct is not just the volume of legislation. It is that children’s privacy has become the rallying point where regulatory consensus is most visible, most bipartisan, and most likely to produce durable enforcement consequences.
“It’s Definitely the Year of Children’s Privacy” and Your Program Needs to Reflect That
COPPA has governed children’s online privacy in the U.S. since 1998. For nearly three decades, it was the primary framework. That era is ending.
Today’s legislative environment is building something far more expansive, and privacy leaders who continue to treat COPPA as the ceiling of their obligations are navigating without a map.
Here is what the current children’s privacy landscape actually looks like:
Age-Appropriate Design Codes are reshaping product obligations. Inspired by the UK’s pioneering framework and California’s importation of it into U.S. law, states have adopted or are advancing age-appropriate design code principles. These codes do not merely regulate what data you collect. They regulate how your product is built. Default privacy settings, restrictions on dark patterns, limits on geolocation tracking, and prohibitions on features designed to drive excessive engagement are becoming standard requirements.
Comprehensive state privacy laws are adding a children’s layer. All 20 states that have enacted comprehensive privacy legislation envision heightened protections for minors. Connecticut, Colorado, and Montana go furthest, imposing duties of care and mandatory DPIA requirements specifically tied to harms involving children’s data.
Federal legislation is advancing on multiple tracks. The current federal youth privacy package includes Sammy’s Law, the Kids Online Safety Act (KOSA), COPPA 2.0, and the App Store Accountability Act. These four bills continue to move, and they have drawn the attention of state attorneys general who are closely watching how federal preemption questions will be resolved.
New COPPA rule amendments become enforceable on April 22nd. The FTC’s updated COPPA rule places new emphasis on notice and consent, data minimization, and transparency. Combined with the FTC’s stated enforcement priorities around AI-minor interactions, this is not a deadline to miss.
The Convergence Is Real: Why AI and Children’s Privacy Are Now One Problem
Regulators are not treating AI and children’s privacy as parallel tracks. They are treating them as a single, converging challenge. Understanding why this convergence is happening is essential to understanding where enforcement energy will be directed in 2026 and beyond.
Children are encountering AI in virtually every digital context: chatbots designed for their age group, connected toys, AI tutoring tools in schools, personalized algorithmic feeds on social media, and companion AI services that are specifically engineered to build emotional attachment. In the most severe cases, and these cases are no longer hypothetical, AI companion platforms have been connected to catastrophic mental health consequences for adolescent users.
At the same time, AI systems are consuming children’s data at scale. Whether through chatbot interactions, AI-powered educational tools, or personalized content recommendation engines, the question of how children’s data is being collected, used, and potentially fed into AI training pipelines is becoming a central enforcement and legislative focus.
Regulators are not waiting for Congress to act. They are using existing consumer protection authority, specifically unfair and deceptive trade practices claims, to hold platforms accountable for product designs that harm children. Lawsuits against chatbot providers over harms to minors are already reshaping how companies think about their duty of care.
The Regulatory Themes Every Privacy Leader Should Track Right Now
Across all the legislative and enforcement activity in this space, five themes are emerging as consistent focal points:
- Age Assurance and the Schrodinger’s Cat Problem How do you determine whether a user is a minor so you can obtain proper notice and consent, without collecting data before you have consent to collect it? The FTC recently issued a non-enforcement policy statement on age assurance technologies, establishing a safe harbor with six to seven criteria that companies must satisfy. Crucially, the safe harbor only applies if you are already COPPA-compliant. Age assurance is a mechanism, not a shortcut around the underlying law.
- Behavioral Advertising and Profiling Restrictions Are Becoming Consensus Restrictions on behavioral advertising to minors have moved from a COPPA-era concern to a near-universal requirement across emerging privacy frameworks. Maryland has enacted a complete ban on behavioral advertising to users under 18. Most comprehensive state privacy laws require opt-in consent for teens. The profiling restrictions that once felt like outliers are becoming the floor.
- Deepfakes Involving Children Are Drawing the Sharpest Regulatory Response Wyoming’s law takes a criminal liability approach to AI-generated harmful content involving minors and is one of the most comprehensive state-level frameworks on the subject. South Dakota enacted similar protections with enhanced penalties when the content involves children. Argentina is considering criminal imprisonment of up to 10 years for non-consensual deepfakes involving minors.
- Agentic AI and Chatbot Regulation Is Accelerating In 2026 alone, 98 bills have been introduced across various states specifically addressing chatbots, AI companions, and their use in therapy and other sensitive contexts, including Illinois’ Wellness and Oversight for Psychological Resources Act and California’s AI companion chatbot law. The key regulatory themes include transparency and disclosure requirements, age assurance and minor access controls, parental consent, content safety, and data minimization.
- Children’s Data for AI Training Is an Emerging Frontier Most current laws focus on chatbot interactions rather than training data specifically, but this is changing. Maryland has introduced legislation that would prohibit using children’s data from chatbot interactions as inputs for AI training. As regulators identify gaps between existing frameworks and the realities of how AI systems consume data, expect this to become a more active area of legislation and enforcement.
What This Means for Your Privacy Program: A Strategic Blueprint for Leaders
| Inventory every AI use case | Documented inventory identifying any system minors could access, even if not marketed to them |
| Operationalize DPIAs before deployment | A completed DPIA on file for every AI system processing children’s data, with mitigations documented |
| Strengthen transparency and disclosure | Age-appropriate privacy notices and clear AI-use disclosures |
| Restrict behavioral targeting of minors | Default-off settings for profiling; audited advertising practices |
| Build the cross-functional coalition | Privacy, legal, product, engineering, and trust-and-safety aligned on shared obligations |
| Document everything | Decision logs, risk assessments, and governance records regulators can review |
The Bottom Line for Privacy Leaders
The convergence of AI and children’s privacy regulation is not a problem that privacy professionals stumbled into. It is the natural consequence of a world that handed powerful, attention-maximizing, data-hungry technologies to the most vulnerable users it has, and then waited to see what happened.
Enforcement is already underway, and the frameworks being built this year will define what compliance looks like for the next decade. The privacy leaders who map their exposure, validate their AI systems, and document their decisions now will shape that definition instead of reacting to it.
Watch the full on-demand webinar: Privacy Regulatory Briefing: AI & Children’s Regulatory Update with Joanne Furtsch, Daniela Sanchez, and Daniel Hales. Eligible for 1 CPE credit.
