The Interactive Advertising Bureau (IAB) has entered the heated debate over children’s and teens’ online privacy with a detailed policy blueprint. Released in July 2026, the white paper Protecting America’s Youth: A Balanced Framework for Modernizing Children’s Privacy Law argues for solutions that are “proportionate and tailored to risk” while preserving the benefits of an ad-supported internet.
Rather than endorsing blanket advertising bans or one-size-fits-all data prohibitions, IAB calls for distinctions based on developmental science, three distinct categories of risk, and practical compliance mechanisms. The framework directly addresses the current patchwork of COPPA and varying state laws that create overlapping, sometimes conflicting obligations for businesses.
For privacy and compliance professionals, this is more than industry positioning — it is a preview of potential federal legislation or harmonization efforts that could reshape how companies handle age signals, consent, targeted advertising, and youth data diligence.

The Core Problem: Fragmented Rules and Overbroad Remedies
Today, obligations for targeted advertising to minors vary significantly:
- COPPA and several states require verifiable parental consent for children under 13.
- Some states set teen consent thresholds at 16 (California, Minnesota) or impose outright prohibitions under 16 or 17 (Oregon, Arkansas, Maryland, New Jersey proposals, Colorado).
- Others extend restrictions to 18.
This inconsistency raises compliance costs and legal uncertainty, especially for platforms, publishers, ad tech providers, and brands operating nationally.
IAB contends that many proposed remedies conflate different harms, producing rules that are either over- or under-inclusive. The organization identifies three distinct risks that require three tailored responses:
1. Comprehension Risk
Younger children (especially under 8) may not recognize advertising or understand its persuasive intent.
2. Product Risk
Certain goods and services (tobacco, alcohol, gambling, sexually explicit content) are harmful regardless of how they are advertised.
3. Data Risk
Collection, profiling, tracking, and targeting based on minors’ personal data raise separate privacy and safety concerns (e.g., data breaches, location tracking).
Tailored remedies, according to IAB:
- Comprehension → Clear labeling, prominent just-in-time disclosures, visual/verbal cues (aligning with longstanding FTC staff recommendations on “blurred advertising”).
- Product → Category-specific advertising limits (industry practice for decades).
- Data → Restrictions on the use of personal data for targeted advertising, while still allowing contextual advertising that funds content without the same profiling risks.
A blanket ban on all advertising to children, IAB argues, would add nothing to disclosure or category rules while defunding much of the free educational, gaming, and creative content that families rely on — particularly harming smaller developers and publishers.
IAB’s Recommended Age-Based Protections for Targeted Advertising
IAB proposes a graduated model tied to developmental capacity:
- Under 13: Continue requiring verifiable parental consent before using personal data for targeted advertising (COPPA status quo). Most businesses already serve contextual ads in this cohort and invest in privacy-preserving technologies.
- Ages 13–15: Require opt-in consent from the teen, with parental notification.
- Ages 16–17: Require opt-in consent from the teen.
This structure reflects research showing that advertising literacy and capacity to understand data trade-offs increase through adolescence. A 16- or 17-year-old approaches adult-like understanding in many respects; treating them identically to a 6-year-old is neither developmentally sound nor necessary to mitigate identified risks.
The proposal explicitly calls for national standardization of these age bands to reduce the current compliance burden from inconsistent state thresholds.
Age-Based Comparison: Current Landscape vs. IAB Proposal
| Age Group | Current Landscape (Examples) | IAB Proposed Approach |
|---|---|---|
| Under 13 | Parental consent required (COPPA + aligned states) | Maintain verifiable parental consent for targeted advertising |
| 13–15 | Varies widely (some states require consent at 16; others prohibit targeted ads) | Opt-in consent from the teen + parental notification |
| 16–17 | Varies (consent or prohibition depending on state) | Opt-in consent from the teen |
| 18+ | Full adult privacy rules | Full adult privacy rules |
Knowledge Standards and Age Assurance: Practical Guardrails
Implementing age-based rules requires reliable ways to determine a user’s age band. IAB supports the “actual knowledge” standard (consistent with COPPA) paired with a “willful disregard” standard — provided clear, administrable definitions exist.
It explicitly rejects broad “constructive knowledge” (“should have known”) or strict liability approaches as unworkable. These could force overly conservative implementations that burden adult users or chill lawful speech, raising First Amendment concerns.
On age assurance mechanisms (increasingly required or proposed in state “social media safety” and app store laws), IAB advocates a risk-based approach:
- Robust verification should be reserved for higher-risk contexts.
- Lighter signals or self-declaration may suffice for lower-risk services.
- This is more privacy-protective (data minimization), constitutionally resilient, and adaptable as technology and harms evolve.
The FTC’s February 2026 policy statement clarifying that it will not pursue COPPA enforcement solely for collecting data to determine age via verification technologies is viewed positively in the framework.
Heightened Diligence, Transparency, and Accountability
Beyond consent and knowledge rules, IAB outlines operational safeguards companies should implement when handling children’s and teens’ data:
- Written, implemented policies covering collection methods, business purposes, disclosures/sales/sharing for targeted advertising, and jurisdictional variations.
- Reviews of whether services are reasonably likely to be accessed by minors (based on functionality, content, and design).
- Data minimization, retention/deletion practices, and safeguards (default privacy settings, visibility controls, parental tools).
- Monitoring of algorithmic systems that recommend or deliver content to minors.
- Prompt honoring of deletion requests with downstream propagation to processors and feasible third parties (IAB Tech Lab has already released a Data Deletion Request Framework).
- Clear, conspicuous, age-appropriate plain-language notices and consent mechanisms.
- Contractual flow-down of heightened diligence obligations to third parties.
These obligations build on — but go beyond — many existing state privacy law requirements (data protection assessments, vendor diligence, etc.).
Business and Compliance Implications
For companies in the digital advertising ecosystem, publishers, app developers, and brands, the IAB framework signals several practical priorities:
- Consent orchestration and age signals — Update CMPs and technical signals (IAB’s Global Privacy Protocol/GPP is well-positioned) to support graduated teen consent flows and parental notification where required.
- Age determination processes — Document “actual knowledge” assessments and willful disregard evaluations with clear factors (drawing from Colorado’s proposed rulemaking as a starting point).
- Contextual vs. targeted advertising — Accelerate investment in contextual and privacy-preserving ad technologies as the compliant default for younger cohorts.
- Youth data diligence programs — Conduct gap analyses against the expanded list of review areas (algorithmic targeting, indirect collection, minimization, retention, complaints escalation, etc.).
- Vendor and partner management — Strengthen contractual requirements and ongoing monitoring for entities handling minors’ data.
A harmonized national approach along these lines could reduce the current fragmentation and provide clearer safe harbors for good-faith implementation — something many businesses have long sought.
Captain Compliance Perspective
The IAB white paper is a constructive, evidence-based contribution that acknowledges legitimate risks to minors while defending the economic model that keeps vast amounts of educational, creative, and social content accessible at little or no direct cost to families. Its emphasis on proportionality, developmental science, and workable standards mirrors how effective privacy programs should be designed: meaningful protections that do not collapse under their own operational weight or produce unintended consequences for innovation and access.
Compliance teams should treat this document as a valuable stress-test for existing COPPA and teen privacy programs. Even if not enacted verbatim, it is likely to influence federal proposals and state-level discussions. Companies that proactively align with its core principles — clear age-appropriate notices, tailored consent, risk-based age assurance, robust diligence, and data minimization — will be better positioned regardless of the precise legislative outcome.
Protecting minors online is essential. The harder question is how to do so without undermining the ad-supported infrastructure that delivers free or low-cost value to the very families policymakers aim to protect. IAB’s graduated, risk-tailored framework offers one detailed, industry-informed path forward — focused on the specific harms tied to digital advertising rather than attempting to solve every online safety issue through advertising rules alone.
Businesses should review the full white paper, map their current controls against the recommendations, and monitor for legislative movement. The window to shape or prepare for the next generation of children’s privacy rules is open now.