After a period of regulatory review under Chairman Andrew Ferguson, on Tuesday, April 22, 2025, the U.S. Federal Trade Commission (FTC) published amendments to the Children's Online Privacy Protection Act (COPPA) Rule (COPPA Rule or the Rule), which was last updated in 2013. As we reported earlier this year, the FTC finalized its most recent updates to the COPPA Rule on January 16, 2025. However, that version of the amended Rule was not published before President Trump took office on January 20, 2025, and ordered a freeze on “publishing any rule to the Office of the Federal Register until a new agency head appointed or designated by the President reviews and approves the rule.” Accordingly, the FTC, now under Chairman Ferguson, once again reviewed and approved amendments to the COPPA Rule with minor changes to the version approved during the Biden administration. The amended Rule will go into effect on June 23, 2025, although most of the substantive requirements are effective April 22, 2026.

The amended Rule published on April 22, 2025, remains substantively the same as the January 16, 2025, pre-publication version. The key revisions to the Rule we previously highlighted are unchanged. They include new parental notification requirements related to data shared with third-party vendors, a new definition for “mixed audience,” the addition of biometric and government identifiers to the list of “personal information,” more robust “reasonable security” provisions, and a requirement that operators adopt and provide notice of a data retention policy. Additionally, the published Rule retains new requirements for COPPA Safe Harbor programs.

In a concurring opinion supporting the January 16 version of the amended Rule, Chairman (then Commissioner) Ferguson identified a few areas where he felt clarification in the amended Rule language would be helpful, but those changes were not implemented. Issues he identified include:

1. The meaning of a “material” change requiring new parental consent remains undefined. Both the 2013 version of the Rule and the amended version require that operators obtain fresh parental consent for all “material” changes to privacy terms; however, “material” remains an undefined term in the amended Rule. This may raise several different compliance obstacles, but Ferguson took specific issue with the fact that the amended Rule also requires operators to disclose to parents the identities of third-party recipients of children’s data when obtaining parental consent. With no elaboration on what is meant by “material,” he speculated that all additions or changes to the identities of third-party vendors could require an operator to request new parental consent. This mandate would increase the costs of switching third-party vendors and thus discourage the use of upstart competitors, undermining business competition.
2. The meaning of “retained indefinitely” remains undefined. The 2013 version of the Rule made clear that children’s data should be retained only for “as long as is reasonably necessary to fulfill the purpose for which the information was collected.” The amended Rule retains this language with minor modifications but also specifies that “[p]ersonal information collected online from a child may not be retained indefinitely.” However, no time period is set for retention. In Ferguson’s concurring opinion, he stated that “it is unclear how the requirement is any different than the existing requirement to keep the information no longer than necessary to fulfill the purpose for which it was collected."
3. Collection of personal information for age verification continues to require parental consent. In his concurring opinion, Ferguson asserted that operators of mixed-audience websites or online services “wanting to use more accurate age verification techniques than self-declaration” would need information “such as photographs or copies of government-issued IDs.” Ferguson argued that the amended Rule contains “many exceptions to the general prohibition on the unconsented collection of children’s data, and these amendments should have added an exception for the collection of children’s personal information for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled.”

As of this writing, neither the Chairman nor the other sitting commissioners issued additional statements on the publication of the amended Rule. However, there are aspects of the Federal Register preamble and the Rule itself that appear to address the Chairman’s prior concerns. For example, the “material” change notification requirement is discussed in a footnote to the preamble to the Federal Register notice (and was also present in the January 16 pre-publication version), where the FTC explains that “the Commission is not likely to consider the addition of a new third-party to the already-disclosed category of third-party recipients to be a material change that requires new consent.” The amended Rule’s requirement for a written data retention policy requires reference to a time period, which appears to address Ferguson’s earlier concerns that the amended Rule does not adopt a specific temporal limit on data retention as long as data is not retained indefinitely. In addition, it appears that the Commission considered the option of allowing personal information, including photographs and biometric identifiers, to be used for age verification, but ultimately determined that the potential benefits of using this type of information for age verification were outweighed by the risks of this data being misused.

Given that this most recent round of amendments was initiated in 2019, it seems unlikely that any further amendments will be made in the near term absent further Congressional action to amend COPPA itself. However, children’s privacy continues to be an area of focus for the FTC, which will hold a workshop entitled “The Attention Economy: How Big Tech Firms Exploit Children and Hurt Families” at 9:00 a.m. ET on June 4, 2025. This workshop will cover a variety of topics, including strategies to protect children online, such as through age verification and parental consent requirements. Members of the public can register to attend in-person, and a link to the livestream will be posted to FTC.gov the morning of the event.