Online privacy law protects kids under 13. Teens are next.
5 min read·Last updated May 29, 2026··
Why it matters
Since 1998, one federal law has guarded the online data of kids under 13 — then dropped them the day they turned 13. S. 836 extends those protections to teens through age 16, bars apps from using their data to target ads, and forces companies to delete data on request and notify parents when it is shipped overseas. The Senate passed it by unanimous consent.
The original Children's Online Privacy Protection Act, passed in 1998, covers kids under 13. S. 836 stretches that umbrella to include teens — defined as anyone age 13 through 16 — who have spent years in a legal gap where almost anything went.
It also rewrites what counts as "personal information." The old definition stuck to names, addresses, and phone numbers. The new one sweeps in the data that actually tracks you online: IP addresses and device IDs, geolocation precise enough to name your street, photos and voice recordings, and biometrics like fingerprints, facial scans, iris scans, DNA, even the way you walk.
The core of the bill targets "individual-specific advertising." Companies couldn't collect a minor's data to serve ads aimed at a particular kid or teen based on their profile, their behavior, or their device. Contextual ads matched to what's on the page, and ads tied to an adult's profile on a shared family device, are still allowed.
Teens, and parents of younger kids, would get new rights over that data: to see what's been collected, delete it, correct it, and get a copy. Companies couldn't hold the data longer than needed, would have to keep it reasonably secure, and would have to notify parents or teens directly if the data is stored or moved outside the United States.
Enforcement turns on whether a company knew — or reasonably should have known — that a user was a kid or teen. Congress is giving the FTC 180 days to spell out what "should have known" means, and the bill says companies don't have to start age-gating or collecting birthdates they don't already gather. The FTC has to report on enforcement every year, and the GAO has to study how fintech apps handle teens' privacy and mental health.
S. 836 Bill Summary
What S. 836 actually does.
1
Privacy rights reach teens, not just kids under 13
The bill defines a "teen" as anyone age 13 through 16 and extends federal online privacy protections to them. The 1998 law covered only children under 13, leaving teenagers in a gap where most data practices faced no federal limit.
2
Targeted ads to minors get banned
Operators may not collect a child's or teen's data to serve "individual-specific advertising" — marketing aimed at a specific minor or their device based on personal information, profiling, or a unique device ID. Contextual ads, responses to a user's own search, ad-performance measurement, and ads aimed at an adult's profile on a shared device are excluded.
3
What counts as personal data gets much broader
Beyond names, addresses, emails, and Social Security numbers, the definition now covers persistent identifiers like IP addresses and device serial numbers, geolocation precise enough to name a street and city, photos and voice files, and biometrics including fingerprints, voice prints, iris and retina scans, facial templates, DNA, and gait.
4
Teens and parents can delete and correct data
Teens, and parents of children, could request a description of what data was collected and why, delete it, challenge and correct inaccurate information, and obtain a copy if the company has it. A company can't cut off service just because someone exercises the deletion right.
5
Overseas storage notice and shorter retention
Companies must give direct notice — to a parent for a child, or to the teen directly — before storing or transferring a minor's data outside the United States. They also can't keep the data longer than reasonably necessary to provide the requested service, and must maintain reasonable security to protect it.
6
FTC guidance due within 180 days
The FTC must issue guidance within 180 days of enactment explaining when a company has "knowledge fairly implied on the basis of objective circumstances" that a user is a child or teen. The bill says this doesn't require age-gating or collecting age data companies don't already gather. The FTC reports on enforcement yearly, plus an oversight report at three years.
Who benefits from S. 836?
Teens age 13 through 16
For the first time, this group gets federal online privacy rights — to learn what data apps collect, delete it, correct it, refuse targeted advertising, and get direct notice if their data is shipped overseas. They no longer fall off the cliff the day they turn 13.
Parents of kids under 13
Parents gain firmer control over their children's data: the right to a plain description of what's collected and why, to demand deletion, to correct bad information, and to be told directly when a child's data is stored or moved abroad.
Students using school technology
When a company works under a written agreement with a school, it can use student data without individual consent only if that use is limited to educational purposes and the school gets specific notices and a way to review or delete the data.
States with tougher privacy laws
The bill only overrides state law where it directly conflicts, so states can still pass or keep rules that protect kids and teens more than the federal baseline does.
Who is affected by S. 836?
Apps, websites, and online services
Any commercial operator that runs a website, online service, online application, or mobile app and collects personal information would face new duties — clearer notices, deletion and correction handling, retention limits, and security requirements. Nonprofits exempt under the FTC Act are not covered.
Advertising and ad-tech companies
Firms that rely on persistent identifiers — IP addresses, device IDs, cookie numbers — to profile users face tight limits when the user is a child or a teen age 13 through 16, especially for advertising aimed at a specific individual.
Schools and ed-tech vendors
To use the bill's consent exemption, schools and their technology vendors would need written agreements limiting data use to educational purposes, plus notices and review tools that let institutions and parents see and delete the data.
The FTC and GAO
The FTC must issue knowledge-standard guidance within 180 days, report on enforcement every year, and deliver an oversight report at three years. The GAO must report to Congress one year after enactment on teens' privacy and mental health in financial technology products.
Share this story
On the Record
What Congress Is Saying
S. 836 has come up 11 times in the Congressional Record so far.
“
I thank my friend for his consistent support in protecting teenagers and children in our country. With that, Mr. President, I ask unanimous consent that the Senate proceed to the immediate consideration of Calendar No. 304, S. 836.
Without objection, it is so ordered. The committee-reported amendments were agreed to. The bill (S. 836), as amended, was ordered to be engrossed for a third reading, was read the third time, and passed, as follows: Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.—This Act may be cited as the "Children and Teens' Online Privacy Protection Act". (b) Table of Contents.—The table of contents for this Act is as follows: Sec. 1. Short title; table of contents. Sec. 2.
The Presiding Officer··Senate
S. 836 also appeared in 5 routine cosponsor filings.
S836 Legislative Journey
4 actions
Passed 860-869
Mar 5, 2026
860-869
Passed Senate with amendments by Unanimous Consent. (consideration: CR S860-869; text: CR S861-868)
+1 more action this day
Committee Action
Jan 27, 2026
119-99
Committee on Commerce, Science, and Transportation. Reported by Senator Cruz with amendments. With written report No. 119-99.
Passed Committee
Jun 25, 2025
Committee on Commerce, Science, and Transportation. Ordered to be reported with amendments favorably.
Committee Action
Mar 4, 2025
Read twice and referred to the Committee on Commerce, Science, and Transportation.
This bill has 21 cosponsors: 13 Democrats, 7 Republicans, 1 Independent, reflecting bipartisan support. Cosponsors represent 19 states: Alabama, Arizona, Connecticut, and 16 more.
BSA THE SOFTWARE ALLIANCE (FORMERLY BSA BUSINESS SOFTWARE ALLIANCE INC)
Law Enforcement/Crime/Criminal Justice +6
6
CTIA: THE WIRELESS ASSOCIATION
Defense +5
4
NATIONAL ASSOCIATION OF PEDIATRIC NURSE PRACTITIONERS
Immigration +9
4
NCTA - THE INTERNET & TELEVISION ASSOCIATION
Telecommunications
2
YAHOO INC, AND VAR. SUBS/AFFILIATES (FKA COLLEGE PARENT, L.P. DBA "YAHOO")
Advertising +3
2
Showing 1-10 of 12 organizations
S. 836 Common Questions
What age counts as a "teen" under S. 836?
A teen is anyone at least 13 but not yet 17 — so ages 13 through 16. The original 1998 law only protected kids under 13, so this group had no federal online privacy rights until now.
Can apps still target ads at kids and teens?
Not ads aimed at a specific minor. Companies can't use a kid's or teen's personal data, profile, or device ID to target them. Contextual ads matched to the page's content are still allowed, as are ads aimed at an adult's profile on a shared family device.
Does S. 836 require age verification or ID checks?
No. The bill explicitly says companies don't have to add age-gates or collect birthdates they aren't already gathering. Instead, the rules kick in when a company knew, or reasonably should have known, that a user was a kid or teen.
Can teens delete data an app collected about them?
Yes. Teens can ask to see what's been collected, delete it, correct anything inaccurate, and get a copy. For kids under 13, parents hold those rights. A company can't shut off service just because someone asks to delete their data.
What kinds of data does S. 836 protect?
More than the old law did. Beyond names and addresses, it now covers IP addresses and device IDs, geolocation down to your street, photos and voice recordings, and biometrics — fingerprints, facial scans, iris scans, DNA, even the way you walk.
Has S. 836 become law yet?
Not yet. The Senate passed it by unanimous consent on March 5, 2026, with 21 bipartisan cosponsors. It still has to pass the House and be signed before any of it takes effect.
Does the bill cover mobile apps, or just websites?
Both. S. 836 updates the old website-focused law to name mobile apps, online applications, and services delivered through connected devices — so a game on a phone is treated the same as a website.
Does an app have to tell you before sending data overseas?
Yes. If a company stores or moves a minor's data outside the United States, it has to give direct notice — to a parent for kids under 13, or to the teen directly for ages 13 through 16.
“To amend the Children’s Online Privacy Protection Act of 1998 to strengthen protections relating to the online collection, use, and disclosure of personal information of children and teens, and for other purposes.”
Source: U.S. Government Publishing Office
Bill Alerts
Get notified when S. 836 moves
Committee votes, floor action, cosponsor changes — straight to your inbox.
Bill alerts + Legisletter's monthly briefing. Unsubscribe anytime.
