Photo of Sheila MillarPhoto of Tracy MarshallPhoto of Anushka R. Stein

On February 25, 2026, the Federal Trade Commission (FTC) released an important children’s privacy enforcement discretion statement: COPPA – Enforcement Policy Statement Promoting the Adoption of Age-Verification Technology. Age verification of minors is an increasingly hot topic in children’s privacy law, as several states recently adopted laws requiring companies to conduct age verification before allowing access to certain apps and online services. With the proliferation of these laws, the regulated community has raised questions about how to comply with the Children’s Online Privacy Protection Rule (COPPA Rule) when implementing age-verification mechanisms, and this was one of the topics discussed during a recent full-day workshop at the FTC. The FTC’s policy statement makes clear that the Commission will not bring enforcement actions under the COPPA Rule against operators of general audience sites and services and mixed audience sites and services that collect, use, or disclose personal information without verifiable parental consent for the sole purpose of determining a user’s age. Notably, the policy statement does not alter the Commission’s longstanding position that sites primarily directed to children under 13 should not collect age information; rather, they should assume audiences are under 13 and align data collection practices with COPPA.  

Read more here.

Photo of Sheila MillarPhoto of Tracy MarshallPhoto of Anushka R. Stein

As we discussed in Part 1 of this series, while the Children’s Online Privacy Protection Act (COPPA) remains the primary federal law protecting children’s online privacy, there is a growing patchwork of state laws aimed at protecting both children and teens online. These laws identify a variety of potential harms, but many of them expand the universe of businesses subject to “children’s privacy” obligations and greatly complicate their compliance challenges. It is no secret to anyone who follows the state privacy law landscape that these laws create constitutional and other legal concerns.

In this second part of our two-part series, we briefly review the state landscape and provide some predictions for 2026. Read more here.

Photo of Sheila MillarPhoto of Tracy MarshallPhoto of Anushka R. Stein

As we look back at key privacy developments during 2025, one thing is clear: it was all about kids and teens. That trend seems likely to continue in 2026. The problem is, while there are very real concerns about the impact of online content and social media engagements on young people, legislative solutions – well-intentioned as they may be – continue to run afoul of the First Amendment, and judicial challenges are mounting. With the updated Children’s Online Privacy Protection Act (COPPA) Rule compliance date coming up, businesses are working on revising compliance initiatives. Yet rulings narrowing the scope of COPPA preemption over the past few years have contributed to a growing patchwork of state laws that greatly complicates the ability of businesses – especially small businesses – to operationalize privacy and security initiatives.

In Part 1 of a two-part series, we review federal legal developments in the kids and teens privacy space over the past year and make predictions for 2026. Spoiler alert: Much of the action is occurring in the states and the courts.

Read the full article here.

Photo of Sheila MillarPhoto of Tracy Marshall

In the midst of the busiest shopping season of the year, Federal Trade Commission (FTC or Commission) staff reminded companies of their obligations under the Rule on the Use of Consumer Reviews and Testimonials (Consumer Review Rule). On December 22, 2025, the FTC announced that staff had sent letters to ten companies warning that they may be in violation of the Consumer Review Rule, which is intended to rein in the practice of using fake reviews and testimonials to boost sales of products or services. The FTC’s Endorsement Guides, last updated in July 2023, offer guidance on reviews and testimonials in advertising (including in social media), but the Consumer Review Rule addresses a specific issue of fake reviews and testimonials. The Rule empowers the FTC to file federal lawsuits or take other legal action and obtain civil penalties of up to $53,088 per violation.

Read the full article here.

Photo of Sheila MillarPhoto of Anushka R. Stein

Starting January 1, 2026, retailers of covered battery-embedded (CBE) products in California must charge consumers a CBE Waste Recycling Fee at point of purchase or cover the costs of the fee themselves. Per regulations finalized last week, the fee will be 1.5% (capped at $15) of the retail sales price of a CBE product. Proposed regulations that would clarify related requirements are still pending as of this writing.

The CBE Waste Recycling Fee is required under SB 1215, which we previously wrote about here. To review, CBE products are those that contain batteries that are “not designed to be easily removed from the product by the user of the product with no more than commonly used household tools.” These do not include products that incorporate video display devices measuring greater than four inches diagonally (such products are separately subject to California’s Covered Electronic Waste (CEW) Recycling Fees) or standalone batteries (which will be covered by future requirements under AB 2440, as we wrote about here). However, the scope of CBE products remains unclear since the proposed regulations add new definitions, including one for “commonly used household tools.” If finalized in their current form, these definitions could affect how broadly the fee applies.

Read the full article here.

Photo of Sheila Millar

The long-awaited updates to the Children’s Online Privacy Protection Act Rule (Final Rule) took effect on June 23, 2025, with a compliance deadline of April 22, 2026. With this fast-approaching compliance deadline, businesses should be actively working to update backend systems to meet the new requirements.

Read the full article here.

Photo of Sheila MillarPhoto of Antonia Stamenova-DanchevaPhoto of Anushka R. Stein

The July 8, 2026, effective date for the U.S. Consumer Product Safety Commission’s (CPSC or Commission) electronic filing (eFiling) requirements is fast approaching. As we previously discussed, last December, CPSC approved a Final Rule to implement mandatory eFiling of certificates of compliance (CoC) for imported consumer products that are subject to a CPSC rule, ban, standard, or regulation (Final Rule). Given the Final Rule’s broad applicability, and its lack of a de minimis exemption, importers of covered goods should ensure that they are ready to comply. While most covered imports must comply by July 8, 2026, CPSC-regulated products imported through a Foreign Trade Zone (FTZ) are given additional time and have an effective date of January 8, 2027.

Read the full article here.

Photo of Sheila MillarPhoto of Antonia Stamenova-DanchevaPhoto of Anushka R. Stein

On November 3, 2025, the New York Attorney General announced a $1.1 million settlement with the U.S. subsidiary of the world’s largest beef producer, ending the state’s lawsuit accusing the company of misleading the public about its environmental practices and sustainability commitments. The complaint, filed in February 2024 in New York state court, alleged that defendants JBS USA Food Company and JBS USA Food Company Holdings (together, JBS USA), and JBS USA’s parent, subsidiary, and affiliate companies, misled the public about a pledge to reduce greenhouse emissions and their stated goal to be “Net Zero by 2040.” However, JBS USA now faces a new false advertising challenge involving essentially the same claims, joining a growing number of companies getting sued over aspirational environmental claims.

These false advertising lawsuits come at a time when many companies are under pressure to make certain climate claims in the EU and the U.S., including to comply with new mandatory reporting requirements in California next year under SB 253 and SB 261. Starting on January 1, 2026, the latter will require biennial reporting of “climate-related financial risks” by certain companies (i.e., U.S. entities with total annual revenue exceeding $500 million doing business in California), including posting these reports on the company website. Meanwhile, SB 253’s first set of reports (on Scope 1 and 2 greenhouse gas emissions by U.S. entities with total annual revenue exceeding $1 billion doing business in California) are expected to be due by June 30, 2026. As these deadlines approach, companies should be aware of the recent challenges against JBS USA and others and they should make sure that any environmental and climate-related marketing claims align with the information included in required reports.

Read the full article here.

Photo of Sheila MillarPhoto of Anushka R. Stein

State legislatures have continued to enact privacy laws aimed at protecting kids and teens despite significant—and often successful—legal challenges that largely focus on First Amendment flaws. Some laws have recently gone into effect, or will become effective soon, while others are not slated to take effect until 2027. The Children’s Online Privacy Protection Act (COPPA) remains the primary federal law protecting children’s online privacy (updated implementing regulations took effect earlier this year, with a compliance deadline of April 22, 2026) and bars inconsistent state laws. While there have been some recent legislative efforts at the federal level to expand children and teens’ privacy protections (including a bill introduced this week to regulate the use of AI chatbots and companions by minors), these have failed to pass. However, states continue to pursue their own online privacy laws with a goal of enhancing protections for children and teenagers, particularly around social media use and exposure to AI. The unabated pace of legislative action reflects rare bipartisan support for protecting kids and teens, adding to the growing patchwork of laws that now make up the state privacy landscape. Because these laws do not simply cover websites or services “directed to children,” as defined in COPPA, but to websites and services that are “likely to be accessed” by children, they often effectively regulate businesses that target general, largely adult-only audiences. Many of these laws are therefore being challenged as overbroad, unconstitutional restrictions on speech.

We review recent developments affecting children’s privacy, and potentially the broader online privacy landscape, including current and likely challenges on the horizon.

Read the full article here.

Photo of Sheila MillarPhoto of Anushka R. Stein

On October 2, 2025, after the federal government shut down, the Senate received President Trump’s nomination for a new commissioner at the Consumer Product Safety Commission (CPSC or Commission)—William “Billy” Hewes III, former mayor of Gulfport, Mississippi. This recent nomination came as a surprise, since for the last few months, it was not clear if President Trump would in fact nominate a replacement for former Republican Commissioner Douglas Dziak (who stepped down in August, before the end of his term) or seek to fill the seat vacated by Mary Boyle (one of the recently fired Democratic commissioners whose term ends October 27, 2025).

Read the full article here.