On January 16, 2025, the Federal Trade Commission (FTC) issued a press release stating, “The updated [Children’s Online Privacy Protection Act (COPPA)] rule strengthens key protections for kids’ privacy online. By requiring parents to opt [into] targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”
These changes are the first major updates to the rule since its inception in 2013. COPPA protects the online privacy of children under the age of 13. It imposes specific requirements on operators of websites or online services directed to children or that knowingly collect personal information from children. COPPA requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13 and to provide clear and comprehensive notice of their information practices regarding children, including a link to their children’s privacy policy on their website or online service. The rule also requires operators to take reasonable steps to disclose children’s personal information only to third parties capable of maintaining its confidentiality, security, and integrity. COPPA also mandates that operators retain collected children’s personal information for only as long as necessary to fulfill the purpose of its collection and delete such information using reasonable measures to protect against unauthorized access or use.
COPPA also includes provisions related to the FTC’s ability to approve self-regulatory guidelines (known as Safe Harbor Programs), which allow operators to use alternative methods for obtaining parental consent, provided they meet the requirements of COPPA.
The amendments to the COPPA rule include:
- An Expanded Definition of Personal Information: Now includes biometric and government-issued identifiers.
- A New Definition of Mixed Audience Website or Online Service: These are websites or services that are directed to children but do not target them as the primary audience and do not collect personal information from any visitor before determining if the visitor is a child.
- Required Parental Consent for Data Disclosure: Operators must now obtain separate verifiable parental consent for disclosing a child’s personal information to third parties, such as for targeted advertising purposes.
- New Methods for Verifiable Parental Consent: Expands the permissible methods, including knowledge-based authentications, submitting government-issued photographic identification, and using text messages with additional safeguards.
- A Required Information Security Program: Operators are required to establish and maintain a written information security program appropriate to the sensitivity of the personal information collected from children. This program must be regularly tested and monitored.
- Strengthened Data Retention Limitations: Operators must retain children’s personal information for only as long as necessary to fulfill a specific purpose and must maintain a publicly available written data retention policy.
- More Accountability for Safe Harbor Programs: Comprehensive reviews of the operator’s privacy and security policies are now required.
The FTC did not adopt proposed amendments to the rule related to limitations on using push notifications to children without parental consent or requirements for educational technology in schools. The changes to the rule will take effect 60 days after publication in the Federal Register (which has not yet occurred or been scheduled). Organizations subject to the final rule have one year to comply with the changes; however, compliance is required earlier in relation to COPPA Safe Harbor programs.