The April 2026 COPPA Deadline Has Passed: A Face-Blurring Compliance Checklist

Łukasz Bonczol
Published: 6/21/2026

Anonymizing a photo or video means altering its identifiable visual elements so they can no longer be recognized in the copy you publish, share, or keep for a lower-risk purpose. In this article, the key techniques are face blurring, meaning obscuring visible faces, and license plate blurring, meaning obscuring vehicle registration plates that appear in footage. On-premise software means software deployed in an organisation’s own IT environment, rather than relying on cloud upload as the default processing model.

The April 22, 2026 compliance deadline for the 2025 amendments to the Children’s Online Privacy Protection Rule has now passed. For COPPA-covered operators publishing photos and videos involving children under 13, and for organisations working with those operators, this changes the risk posture. COPPA is no longer a future implementation project. It is an operational control issue for marketing teams, school communications teams, EdTech platforms, public sector communicators when they use or procure COPPA-covered online services, and compliance teams handling visual content.

This article is a practical compliance checklist, not legal advice. It focuses only on photos and videos in the United States COPPA context.

A calendar with thumbtacks stuck in the Fridays and a circle marking the 30th day of the month. The names of the days of the week are placed at the top.

What changed in the 2025 COPPA amendments for images and video?

COPPA applies to operators of websites and online services directed to children under 13, and to operators with actual knowledge that they collect personal information online from children under 13 [1]. The COPPA Rule already treats a photograph, video, or audio file containing a child’s image or voice as “personal information” [2]. That point is central for visual publishing. A classroom video, camp photo gallery, product testimonial, sports clip, or app user-generated video may be in scope when it is collected through, uploaded to, or published by a COPPA-covered website or online service and the child’s face or voice appears in the file.

The 2025 COPPA amendments strengthened several operational obligations that matter for visual media. Organisations often focus on consent banners and account data, but the same compliance logic applies to photos and videos where a child is identifiable.

First, the amended rule strengthens the operational focus on data retention and deletion. Operators must retain children’s personal information only as long as reasonably necessary for the specific purpose for which it was collected, and must delete it using reasonable measures once it is no longer needed [3]. For visual content teams, this means that raw footage libraries, exported clips, rejected edits, social media drafts, and backup copies need retention rules.

Second, the amendments increase attention on disclosures to third parties. In many cases, separate verifiable parental consent is required before disclosing a child’s personal information to third parties, unless the disclosure is integral to the nature of the website or online service [3]. For photos and videos, “disclosure” can include making media publicly available, sending media to an agency, embedding third-party platforms, or providing footage to vendors for editing, hosting, analytics, or promotion.

Third, the amendments add and clarify security and governance expectations, including the need for a written children’s personal information security program. Visual content is not low-risk merely because it is “just a picture.” A face in a school corridor, a child’s voice in a classroom clip, a vehicle plate near a pickup area, or background details in a video can reveal context that a text field does not.

Why footage of children is in COPPA scope?

Under the COPPA Rule, where the operator and collection are otherwise covered, a photo or video containing a child’s image or voice can be personal information [2]. That makes visual data anonymization a practical control before publication or sharing. It does not replace parental notice, consent, retention, security, or vendor governance where those duties apply. It does reduce the chance that the published version exposes a child’s face or other visible identifiers.

The distinction matters. If a covered operator records or receives a video and later blurs faces before uploading it to a public website, the public version may be less identifiable. However, the original unblurred footage may still be children’s personal information. The compliance workflow must therefore cover both the source file and the redacted output.

For teams that need a dedicated workflow for photos and videos, Gallio PRO supports visual data anonymization by detecting and blurring faces and license plates in recorded images and video files. It is important to define the scope accurately. The software does not blur entire silhouettes. Automatic detection covers faces and license plates only, not logos, tattoos, name tags, documents, or content displayed on screens. Those additional elements can be handled manually through the built-in editor when needed.

On the computer screen, set against a background of code, a "stayhome TODO" list is visible, featuring daily activities such as family time, work, photography, sports, and reading.

Face-blurring compliance checklist after the April 2026 COPPA deadline

The following checklist is designed for publishing scenarios: school websites, EdTech platforms, social media clips, PR materials, public meeting recordings, marketing campaigns, event galleries, and vendor-delivered video edits.

Step

Practical control

Evidence to keep

Common owner

 

1. Map where children appear

Identify all recurring photo and video sources involving children under 13.

Media inventory, publication channels, source folders, vendor list.

Marketing, communications, school operations.

2. Separate source files from publishable files

Keep unblurred originals in restricted storage and create redacted export versions.

Folder structure, access rules, export naming convention.

IT, media team, compliance.

3. Blur faces before external sharing

Apply face blurring before publication, agency transfer, public release, or broad internal distribution.

Redaction log, approval record, final file hash or filename.

Content owner, privacy lead.

4. Check visible context

Review plates, name tags, screens, distinctive tattoos, uniforms, and location clues.

Manual review checklist, notes on manual edits.

Publisher, reviewer.

5. Apply retention and deletion rules

Delete raw footage and working copies when no longer reasonably needed for the stated purpose.

Retention schedule, deletion confirmation, exception approvals.

Records owner, IT.

6. Review vendor transfers

Confirm whether agencies, editors, platforms, or processors receive identifiable footage.

Contract clauses, transfer register, vendor security questionnaire.

Procurement, legal, privacy.

1. Audit where children appear in photos and videos

Start with media sources, not legal categories. List the places where children may appear: classroom recordings, event livestream recordings, playground footage, learning app videos, summer camp galleries, testimonials, field trip photos, public board meeting recordings, and promotional footage.

The audit should distinguish three versions of each asset: raw footage, edited working files, and final published files. COPPA risk is usually highest where covered footage is copied into unmanaged folders, sent to creative vendors, or retained indefinitely because nobody owns deletion.

2. Redact before sharing or publishing

Face blurring should happen before the file leaves the controlled workflow. A common business practice is to create a “redacted master” and use that version for websites, newsletters, social media, public records portals, press packs, and partner materials.

License plate blurring is also useful in visual publishing workflows, especially around schools, childcare facilities, sports venues, and pickup zones. COPPA is not a general license-plate statute, but plates can reveal location, household routines, or vehicle associations when combined with footage of children.

After defining a workflow, teams can try the demo to test how recorded photos and videos move from detection, through face blurring and license plate blurring, to manual review and export.

3. Do not treat auto-detection as a full privacy review

Automated detection should be scoped correctly. Gallio PRO automatically detects faces and license plates. It does not automatically detect company logos, tattoos, name tags, paper documents, or information visible on monitors. It also does not provide real-time anonymization or video stream anonymization. The workflow is for recorded files.

This matters for COPPA because a blurred face may not be enough if the child’s name is visible on a badge, a classroom screen shows account details, or the audio contains the child’s voice. The practical control is a human review step before publication.

4. Document retention and deletion

The amended COPPA Rule’s retention focus makes visual storage discipline essential [3]. A defensible workflow should state how long raw footage is kept, who may access it, when working files are deleted, and which published redacted versions are retained for business records.

A simple rule works well: if the purpose is event communication, keep the unredacted footage only while editing and approval are necessary. If there is a legal, safety, or contractual reason to keep it longer, document that reason and restrict access. Where an organisation has complex deployment needs, such as enterprise rollout, on-premise software, or strict internal storage requirements, it is sensible to get in touch before selecting the technical architecture.

5. Keep detection data and logs out of the risk surface

Operational logs can create their own privacy problem if they store detection results or personal data. Gallio PRO does not store logs containing face or license plate detection data. It also does not collect logs containing personal data or sensitive data. For compliance teams, this reduces the number of secondary locations that must be reviewed when assessing where visual identifiers may have been processed.

Common mistakes after the COPPA deadline

The first mistake is publishing first and blurring later. Once a child’s face has been posted publicly, copied by platforms, indexed, downloaded, or shared, later redaction may reduce ongoing exposure but does not erase the original disclosure.

The second mistake is assuming that parental consent for one use covers every later use. A school newsletter, an EdTech product page, a paid ad, a partner case study, and a public social media post can be different contexts. Whether a particular consent is sufficient is context-dependent and should be assessed against the specific COPPA role, notice, purpose, and disclosure model.

The third mistake is treating “group scene” logic as a COPPA shortcut. Some image-right regimes discuss exceptions for public figures, a person appearing as part of a wider public event scene, or a paid model. Those concepts should not be imported mechanically into COPPA. For children under 13, the relevant questions are collection, use, disclosure, notice, verifiable parental consent, security, retention, and deletion.

The fourth mistake is forgetting vendors. If an agency receives unblurred school footage to create a promotional video, that is a visual data transfer requiring governance. The review should include editing contractors, cloud storage, video hosting, analytics tools, social platforms, and public relations partners.

The fifth mistake is relying only on automated face blurring. A child may still be identifiable through a jersey name, a classroom display, a spoken name, a unique medical device, or distinctive surroundings. Automated face and license plate detection should be followed by manual review for the final publishable file.

Abstract wall design with 3D geometric shapes in grey tones, featuring a prominent 3D question mark in the center.

FAQ: COPPA face-blurring checklist for photos and videos

Does COPPA apply to photos and videos of children?

Yes, where COPPA otherwise applies to the operator and the child is under 13. The COPPA Rule includes a photograph, video, or audio file containing a child’s image or voice within the definition of personal information [2].

Does face blurring remove all COPPA obligations?

No. Face blurring is a risk-reduction and publishing control. It does not retroactively remove obligations connected with collecting, using, storing, disclosing, securing, or deleting the original unblurred footage.

Should license plates be blurred in COPPA-related footage?

Often yes as a practical privacy measure, especially near schools, childcare locations, events, and pickup areas. COPPA focuses on children’s personal information, but plates can add identifying context when combined with images of children.

Can automated software detect every visual identifier in a video?

No. In the Gallio PRO workflow, automatic detection covers faces and license plates only. Logos, tattoos, name tags, documents, and screen content require manual review and manual redaction if they need to be obscured.

Is real-time video stream anonymization required for this checklist?

No. This checklist focuses on recorded photos and videos before publication or sharing. Gallio PRO does not perform real-time anonymization or video stream anonymization.

How long should unblurred footage of children be retained?

The common compliance approach is to keep it only as long as reasonably necessary for the purpose for which it was collected, then delete it using reasonable measures. The 2025 COPPA amendments place clear emphasis on retention limits and deletion [3].

References list

  1. Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506, available through the U.S. House Office of the Law Revision Counsel: https://uscode.house.gov/
  2. Federal Trade Commission, Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312, including the definition of “personal information” in 16 C.F.R. § 312.2: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312
  3. Federal Trade Commission, Children’s Online Privacy Protection Rule Amendments, Final Rule, 90 Fed. Reg. 7434, Jan. 22, 2025: https://www.federalregister.gov/documents/2025/01/22/2025-00763/childrens-online-privacy-protection-rule
  4. Federal Trade Commission, Complying with COPPA: Frequently Asked Questions: https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions
  5. Federal Trade Commission, Children’s Privacy guidance for businesses: https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy