FTC Intensifies Children’s Privacy Enforcement With Major COPPA Settlements
The Federal Trade Commission has demonstrated renewed vigor in its enforcement of children’s privacy protections, announcing two significant proposed settlement orders in September 2025 that underscore the agency’s commitment to safeguarding minors’ personal information online. These enforcement actions signal a broader trend toward heightened scrutiny of companies’ compliance with children’s privacy laws and highlight the evolving regulatory landscape that businesses must navigate.
Disney’s $10 Million Settlement: YouTube Configuration Failures
The larger of the two proposed settlements involves The Walt Disney Company, which has agreed to pay $10 million to resolve allegations that it failed to properly configure YouTube settings to designate its videos as “Made for Kids.” This mislabeling allegedly resulted in the unauthorized collection of personal information from children under 13, which was then used for targeted advertising without parental consent.
The complaint, filed by the Department of Justice following an FTC referral, alleges that Disney violated the Children’s Online Privacy Protection Act (COPPA) by failing to properly label some videos uploaded to YouTube as “Made for Kids.” This designation is crucial because it ensures that certain protective features are enabled, including the disabling of personalized advertisements and data collection from viewers under 13.
Under the proposed settlement, Disney must not only pay the substantial civil penalty but also implement a comprehensive program to review each video before uploading it to YouTube to determine the appropriate audience designation. This forward-looking provision reflects and anticipates the growing use of age assurance technologies to protect kids online, potentially relieving Disney of this obligation if YouTube implements robust age verification systems.
The enforcement action highlights critical compliance considerations for content creators and digital platforms. Disney’s policy was to set the audience at the channel level, rather than checking the audience for each video, resulting in child-directed content being incorrectly categorized and exposing children to inappropriate advertising and content recommendations.
Apitor Technology’s $500,000 Settlement: Third-Party Data Collection Violations
The second proposed order involves Apitor Technology, a Chinese robot toy manufacturer that allegedly enabled third-party data collection from children without obtaining proper parental consent. The FTC alleges that Apitor’s companion app for its robot toys incorporated a third-party software development kit (SDK) that allowed a Chinese company to collect geolocation information from children using Android devices.
The app required users to enable location sharing to use it and connect the toy, but it did not incorporate a process to obtain parental consent before such sharing could occur. This case illustrates the complex privacy compliance challenges that arise when companies integrate third-party technologies into their products and services.
The proposed settlement requires Apitor to pay a $500,000 penalty, though this amount is suspended due to the company’s claimed financial inability to pay the full amount. Apitor will be required to pay the full amount if it is found to have lied about its finances. Additionally, the company must delete any personal information collected in violation of COPPA unless it obtains retroactive parental consent.
Broader Enforcement Trends in Children’s Privacy
These FTC actions represent just the latest developments in an intensifying regulatory focus on children’s digital privacy. The enforcement landscape has been particularly active in 2025, with multiple significant cases demonstrating regulators’ willingness to pursue substantial penalties.
Federal Class Action Settlement
In August 2025, Google agreed to a $30 million payment to settle claims that its targeted advertising practices on YouTube using data collected from children violated various state laws. The class action lawsuit, filed in the Northern District of California, could cover up to 45 million children who used YouTube between 2013 and 2020.
This settlement builds upon Google’s previous $170 million penalty in 2019 for similar COPPA violations, suggesting that despite prior enforcement actions, compliance challenges persist across the industry.
State-Level Enforcement Actions
State attorneys general have also intensified their focus on children’s privacy compliance. Recent enforcement actions have targeted major technology companies across various platforms and services:
- Utah Attorney General: Filed complaints against Snap regarding alleged collection of personal information from users of its My AI feature, even after users indicated they were under 13.
- Michigan Attorney General: Initiated legal action against Roku based partly on alleged collection of personal information from users accessing platform sections and content directed to children.
Expanding State Legislative Framework
The enforcement actions occur against a backdrop of rapidly expanding state legislation that extends children’s privacy protections beyond the federal COPPA framework. States including Oregon, Vermont, Nebraska, Connecticut, and Nevada have enacted comprehensive children’s privacy legislation, while New York’s Child Data Protection Act has already taken effect.
This patchwork of state laws creates complex compliance obligations for businesses, as companies must navigate varying requirements across multiple jurisdictions while maintaining operational efficiency.
Key Compliance Implications for Businesses
The recent enforcement actions highlight several critical areas where businesses should focus their privacy compliance efforts:
Content and Audience Designation
Companies that create or distribute content on platforms like YouTube must implement robust processes for accurately designating content intended for children. This requires understanding not just the content itself but also the platform’s technical requirements and the legal implications of misclassification.
Third-Party Technology Integration
The Apitor case demonstrates the importance of thoroughly vetting third-party technologies, particularly SDKs and other integrated software components. Businesses must ensure that any third-party tools comply with applicable privacy laws and that appropriate contractual protections are in place.
Age Verification and Parental Consent
Both cases underscore the fundamental COPPA requirement for obtaining verifiable parental consent before collecting personal information from children under 13. Companies must implement technical and procedural safeguards to ensure compliance with these requirements.
Data Minimization and Purpose Limitation
Effective children’s privacy programs require clear policies regarding what information is collected, how it is used, and how long it is retained. Companies should implement data minimization practices and purpose limitation principles specifically tailored to their interaction with minors.
Looking Forward: Industry Response and Future Enforcement
The FTC’s recent enforcement actions send a clear signal that children’s privacy remains a top regulatory priority. As FTC officials have noted, “COPPA enforcement is a key priority for the Trump-Vance FTC,” and “the FTC will continue its efforts to keep Americans first in the marketplace by protecting families and children from unlawful practices.”
Businesses should expect continued scrutiny in this area, particularly as:
- Technology Evolution: Advances in artificial intelligence and automated content recommendation systems create new privacy compliance challenges.
- State Law Expansion: In addition to states with existing laws that regulate children’s data, further states are likely to enact comprehensive children’s privacy legislation, thereby complicating the compliance landscape.
- International Coordination: U.S. enforcement actions increasingly align with global children’s privacy frameworks, creating pressure for consistent international standards.
- Age Verification Mandates: States have passed laws requiring age verification (see list of states with online age verification laws) to access potentially harmful content, while the UK’s Online Safety Act requires all sites hosting such content to implement “highly effective age assurance” using methods like photo ID or facial scans. This trend toward mandatory age verification technologies presents both compliance opportunities and privacy concerns for businesses, particularly as critics argue these measures may curtail internet freedom while creating new data security risks.
Conclusion
The FTC’s recent proposed settlements with Disney and Apitor Technology demonstrate the agency’s commitment to robustly enforcing children’s privacy protections. These cases highlight the importance of implementing comprehensive compliance programs that address both technical requirements and operational procedures.
For businesses operating in the digital economy, particularly those with products or services that may attract children, these enforcement actions serve as a reminder that privacy compliance cannot be an afterthought. Companies must proactively assess their data practices, implement appropriate safeguards, and regularly review their compliance with evolving legal requirements.
As the regulatory landscape continues to develop, businesses would be well-served to work with experienced children’s privacy counsel to ensure their practices align with both current requirements and emerging regulatory trends. The cost of compliance is invariably less than the price of enforcement action, and the reputational benefits of demonstrating genuine commitment to children’s privacy can provide competitive advantages in an increasingly privacy-conscious marketplace.
The intersection of technology, advertising, and children’s privacy will continue to evolve, but the fundamental principle remains clear: protecting children’s personal information requires deliberate, ongoing attention from businesses, regulators, and technology platforms alike.
