COPPA vs. KOSA: What Changed for Kids App Developers in 2026
Two laws, different purposes. Here is how COPPA and KOSA work together, what each requires, and how Jumpyloo complies with both.
The Two Pillars of Kids Online Safety
If you build a mobile app directed at children, two federal laws define your compliance responsibilities. The Children's Online Privacy Protection Act (COPPA) has been the baseline since 2000. The Kids Online Safety Act (KOSA), which advanced through Congress in 2025 with final rulemaking unfolding in 2026, adds a second layer focused on platform design and addictive patterns.
Understanding the distinction between these two laws — and how they interact — is essential for any developer building kids apps in 2026. This post breaks down both laws, what they require, and how Jumpyloo was designed to satisfy both from day one.
COPPA: The Privacy Layer
COPPA, enforced by the Federal Trade Commission (FTC), regulates how apps and websites collect personal information from children under 13. The core requirements are:
- Parental notice and consent: Before collecting personal information from a child, the operator must provide direct notice to the parent and obtain verifiable parental consent.
- Data minimization: Operators may collect only the information reasonably necessary to provide the service. The 2025 FTC rule update codified that "reasonable necessity" does not include behavioral advertising or profiling.
- Data security and retention: Operators must maintain reasonable procedures to protect children's data and retain it only as long as necessary.
- Third-party responsibility: Operators are liable for third-party SDKs embedded in their apps, including advertising networks and analytics services.
The FTC's 2025 COPPA rule update brought significant changes: it expanded the definition of "personal information" to include biometric data, and it explicitly stated that using children's data for targeted advertising is never "reasonably necessary" for the service a child is using.
KOSA: The Design and Safety Layer
KOSA, which passed the Senate in 2024 and advanced through the House in 2025, takes a broader approach. While COPPA focuses on data, KOSA focuses on platform behavior — the design patterns and features that platforms use to engage minors. Key provisions include:
- Duty of care: Platforms must exercise reasonable care to prevent and mitigate harms to minors, including addiction, mental health disorders, and exposure to harmful content.
- Addictive design prohibition: Platforms must not use design features that cause minors to have an unreasonable degree of engagement, such as infinite scroll, variable reward schedules designed to maximize time on platform, and personalized recommendation systems optimized for engagement rather than wellbeing.
- Default safeguards: The strongest privacy and safety settings must be enabled by default for minor accounts.
- Transparency: Platforms must disclose their data practices, recommendation algorithms, and advertising policies in language accessible to both parents and children.
COPPA vs. KOSA: The Comparison
| Dimension | COPPA | KOSA |
|---|---|---|
| Enforced by | FTC | FTC (civil enforcement); state AGs |
| Scope | Data collection from children under 13 | Platform design, safety, and conduct toward minors (under 17) |
| Key requirement | Parental consent for data collection | Duty of care to prevent harm |
| Impact on games | No third-party ad SDKs without verified parental consent | No dark patterns, no addictive engagement mechanics |
| Penalties | Civil penalties up to $50,120 per violation | Civil penalties, injunctions, state actions |
| Effective | 2000 (updated 2025) | Final rulemaking in progress (2026) |
For COPPA: Zero data collection. Jumpyloo collects no personal information from any player. No account creation, no email, no phone number, no persistent identifiers. The app does not include any third-party SDK that transmits data. Parental consent is not needed because there is nothing to consent to.
For KOSA: No dark patterns. Jumpyloo has no infinite scroll (the game has a natural endpoint — falling), no addictive reward schedules (streak rewards are flat, not escalating), no personalized recommendations, no social feeds, and no algorithmic content. A children's game that collects nothing and manipulates nothing is inherently KOSA-ready.
What This Means for Developers
For indie developers building kids games, the COPPA + KOSA regulatory environment creates a strong incentive toward a simple architecture: collect nothing, manipulate no one. Every third-party SDK is a compliance risk. Every dark pattern — even the subtle ones like escalating streak rewards — is a potential liability.
The safest path is the one Jumpyloo took: build a self-contained game with no network calls, no user accounts, no advertising SDKs, and no analytics frameworks. The game binary is the complete experience. Nothing is uploaded, nothing is tracked, and nothing is optimized for engagement at the expense of wellbeing.
This approach is not for every app. But for a kids arcade game, it is the only approach that lets us sleep at night.
— Children's Online Privacy Protection Rule, 16 CFR § 312, FTC, 2025 revision.
— Kids Online Safety Act, S. 1409, 118th Congress, as reported by the Senate Committee on Commerce, Science, and Transportation.
— FTC, "FTC Report on COPPA Enforcement and the 2025 Rule Update," 2025.
— Common Sense Media, "KOSA and Kids App Design: What Developers Need to Know," 2025.
— Electronic Frontier Foundation, "COPPA and KOSA: A Side-by-Side Comparison," eff.org.