On January 16, 2025, the Federal Trade Commission (FTC) finalized long-awaited amendments to the Children’s Online Privacy Protection Act (COPPA) Rule. These updates mark the first significant changes to the rule since 2013 and aim to better protect children’s privacy in today’s digital landscape. Businesses operating child-directed websites, apps, and services will need to adjust their practices to comply with these new requirements.
Here’s a breakdown of the key changes, what the FTC opted not to include, and actionable steps businesses can take to ensure compliance.
Key Amendments to the COPPA Rule
- Opt-In Consent for Targeted Advertising and Third-Party Disclosures
- Websites and online services directed at children must now obtain verifiable parental consent (VPC) before sharing children’s personal information with third parties for targeted advertising or other purposes.
- Parents must also be notified of the specific third parties or categories of third parties receiving their child’s data and the purposes for such disclosures.
- Expanded Definition of Personal Information
- Biometric identifiers, such as fingerprints, facial templates, retina patterns, and genetic data, are now considered personal information under COPPA, as well as government-issued identifiers.
- New Requirements for “Mixed Audience” Sites
- The Final Rule formally defines “mixed audience” sites as those directed at children but not targeting them as their primary audience.
- Mixed audience sites may collect personal information neutrally to determine a user’s age. However, they cannot incentivize users 13 or over with additional benefits or a better experience.
- Updated Privacy Notice and Consent Requirements
- Direct notices to parents must explicitly state how children’s personal information will be used.
- Privacy policies must now include a data retention policy detailing how long children’s personal information will be kept and the reasons for retention.
- Approved Methods for Initiating and Obtaining Verifiable Parental Consent (VPC)
- Facial recognition technology to match a parent’s selfie with their photo ID.
- Knowledge-based questions designed to verify a parent’s identity.
- New “text plus” method for obtaining verifiable parental consent that contains requirements similar to those for the “email plus” method. As with the “email plus” method, the new “text plus” method can only be utilized when an operator does not “disclose” children’s personal information and must be coupled with additional steps to provide assurances that the person providing the consent is the parent.
- Data Retention and Security
- Operators must establish a written data retention policy specifying why children’s personal information is collected and how long it will be retained.
- Indefinite data retention is prohibited.
- A written information security program must be implemented to protect children’s personal information, including regular testing and monitoring.
- Transparency in Safe Harbor Programs
- FTC-approved Safe Harbor programs must now publicly disclose their membership lists and submit additional reporting to the FTC to improve accountability.
- PRIVO, as a long-standing COPPA Safe Harbor since 2004, supports the Commission’s modification and has called for more transparency for years. Safe Harbors should provide a robust and comprehensive program that meets or exceeds requirements. The tools required to do so are integral to running such a program. Safe Harbors that fail to run robust programs undermine the self-regulatory framework that provides an essential tool in the box that supports companies and the FTC to build a privacy safe online environment for younger children.
Amendments Excluded from the Final Rule
After reviewing nearly 300 public comments, the FTC decided against adopting certain proposed changes, including:
- Limitations on persistent identifiers for engagement: The FTC declined to prohibit the use of persistent identifiers to encourage children to stay on a site, such as through in-game prompts or pop-ups.
- Educational technology: The agency did not revise rules on how schools can act on behalf of parents to provide VPC in educational settings. It deferred to forthcoming Department of Education updates to related regulations such as FERPA.
- Avatars and push notifications: Proposed changes to classify avatars as personal information and restrict push notifications to children without parental consent were not adopted. However, the FTC expressed concerns about engagement techniques that could harm children’s mental health.
Effective Date:
The final rule will become effective 60 days* after its publication in the Federal Register. Entities subject to the final rule will have one year from that publication date to come into full compliance with amendments that do not specify earlier compliance dates.
*We will update this blog once we have the official effective date.
Next Steps for Businesses
The updated COPPA Rule represents a significant step forward in protecting children’s privacy in an increasingly complex digital world. Businesses operating child-directed websites, services, or mixed-audience platforms must take proactive steps to align with the new requirements. By doing so, they can not only ensure compliance but also demonstrate a commitment to safeguarding children’s privacy—building trust with families and communities in the process.
To get in compliance, explore working with a COPPA Safe Harbor. A COPPA Safe Harbor membership supports online services to meet the requirements of the regulation and stay compliant. Companies that comply avoid exposure to heavy fines and brand damage. Certification helps to build brand trust and integrity with users, parents, regulators and industry.
Learn more on how to comply with COPPA and the new amendments by speaking with one of our experts.