COPPA Amendments Now Enforceable and Garante Fines Poste Italiane
April 28, 2026
Two major privacy developments are demanding business attention: the FTC’s amended COPPA rules became fully enforceable on April 22, 2026, raising the bar for how companies handle children’s data, while Italy’s Garante has fined Poste Italiane and Postepay for processing user device data through an anti-fraud platform without a valid legal basis. Together, these actions underscore a global trend toward stricter privacy enforcement and the growing expectation that companies collect only what is necessary and with proper legal footing.
Keep reading to learn more and discover my takeaways.
United States
COPPA Rule Amendments Can Now Be Enforced.
The grace period for compliance with amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, published by the FTC in April 2025, ended on April 22, 2026, meaning that the FTC can now enforce the amended rules against companies that have not yet made the adjustments needed to comply. Key adjustments companies should have made by now include the following:
- Enhance security measures by designating a security coordinator, conducting annual risk assessments, and regularly testing and overseeing service providers.
- Expand COPPA compliance to apply to biometric and government-issued identifiers.
- Reassess whether services fall under the new definition of a “website or online service directed to children” by considering marketing and promotional materials and plans, representations to consumers and third parties, user and third-party reviews, and the age of users on similar websites and services (in addition to the previous list of artifacts) in determining the service’s audience composition and intended audience.
- Assess whether services constitute a “mixed audience website or online service” under the newly added definition. In summary, websites or online services directed to children but not as their primary audience fall under this definition. These websites and services should only collect personal information for limited purposes before determining if the visitor is a child. This determination must be neutral, not defaulting to a set age or encouraging visitors to falsify age information.
- Obtain parental consent for third-party disclosures that are not integral to the website or online service separately from parental consent for general use (such that the parent can consent to the collection of their child’s personal information without consenting to such non-integral disclosure to third parties).
- Enhance parental notices to include additional required details, such as how the operator will use the child’s personal information, the specific third parties receiving it, and the purposes of its disclosure.
- Maintain a written data retention policy and ensure it does not involve retaining children’s personal information indefinitely.
TAKEAWAY
The COPPA rule changes are now enforceable against a backdrop of increasingly specific and overlapping children’s privacy requirements and enforcement activity at the state and federal level. Many states now have expanded protections to cover minors under 18, going beyond COPPA’s under-13 framework. At the same time, enforcement and litigation trends show a consistent focus on how companies actually handle children’s data in practice. Taken together, these developments show that companies must remain vigilant regarding children’s privacy. They need to evaluate not only whether COPPA-specific requirements are met, but also whether their practices involving children’s and teens’ data align with state law requirements and general privacy and consumer protection standards.
Europe
Garante Issues Fines for Processing “Anti-Fraud” Data Without a Legal Basis.
The Italian Data Protection Authority (Garante) fined Poste Italiane SpA and Postepay SpA, alleging that the companies collected and processed personal data from users of the Bancoposta and Postepay payment apps using their ThreatMetrix anti-fraud platform without a lawful basis for processing. Specifically, the companies identified “fulfillment of a legal obligation” as the legal basis for processing personal data from users’ mobile devices to protect against malware. They cited the Payment Systems Directive 2 (EU Directive 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market) as the legal obligation. However, the Garante found this insufficient because (i) the cited anti-fraud regulation did not require processing personal data, (ii) the processed data (information related to apps installed and running on the user’s device) was significantly intrusive to the user’s personal sphere, and (iii) the amount and nature of data collected were not strictly necessary for fraud prevention, as less intrusive alternatives were available.
The processing, which involved accessing information already stored on the user’s terminal, also violated Italy’s implementation of the e-Privacy Directive. This was because the processing was not strictly necessary for providing the service requested by the user, and no valid consent was obtained. Specifically, technical authorization was requested, but it was not freely given because using the service offered by the companies was conditional on granting that authorization. Furthermore, the consent was neither informed nor specific, as data subjects were not informed of the essential elements of the processing and the purposes of processing were not clearly distinguished. Other violations cited included those related to transparency, security measures, and privacy-by-design.
TAKEAWAY
This action reminds us of some fundamental principles and important nuances under GDPR and e-Privacy, both in its final decision-making and its discussion. Most notable is the concept of data minimization. The decision stresses that “while it is undeniable that increasing the amount of information collected…generally corresponds to a more precise and reliable representation of the integrity of the device, its actual user, and any ongoing malicious activity, it is equally important to emphasize that such collection must nevertheless comply with the principle of data minimization”.
Accordingly, where “there are tools and technical solutions that guarantee an equivalent level of security that do not require (or require to a lesser extent) access to personal data or to information stored on the device, the least invasive solution should be prepared.” The decision is also a reminder of the important distinction between technical authorization (often granted at the device or OS level) and legal consent. The Garante explains that the technical permissions implemented by operating systems, which allow users to condition access to their phone’s data to a specific action, “are not…designed to adequately collect user consent, as required by the Regulation,” pursuant to which consent is valid only if informed, specific and freely given. Accordingly, where consent is required, it “should be requested regardless of whether the operating system presents the user with the possibility of granting technical authorization.”
A LITTLE MORE PRIVACY, IF YOU PLEASE
- U.S. House Introduces Federal Comprehensive Privacy Bill
- Garante Issues Guidance on Tracking Pixels in Emails
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.