The Federal Trade Commission (FTC) recently updated the Children's Online Privacy Protection Rule (the COPPA Rule) to address advances in technology and a heightened concern for children's online privacy. While these amendments became effective June 23, 2025, websites and online service operators subject to the COPPA Rule (commonly referred to as "operators") have until April 22, 2026, to comply with the new requirements.
History of the COPPA Statute and COPPA Rule
Following Congress's enactment of the Children's Online Privacy Protection Act (COPPA or COPPA statute) in 1998, the FTC first issued the COPPA Rule in 2000 which, among other things, requires operators to provide certain notices to parents and to obtain verifiable parental consent before collecting, using or disclosing personal information of children under the age of 13. Prior to this year, the FTC last updated the COPPA Rule in 2013. In January 2024, the FTC proposed new amendments to the COPPA Rule and unanimously approved them in January 2025. Some notable updates are summarized below.
Nine Notable Updates to the COPPA Rule:
- Broader Definition of Personal Information: The definition of personal information governed by COPPA has been expanded to include "biometric identifiers" (such as fingerprints, handprints, retina patterns, iris patterns and genetic data) as well as "government-issued identifiers" (such as social security numbers, passport numbers, state identification card numbers and birth certificate numbers).
- Expanded Identification of a Website or Online Service Operator Directed Towards Children: In categorizing what websites or online service operators are directed towards children, the FTC may now also consider marketing or promotional materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services.
- Additional Opt-In Consent for Targeted Advertising: Instead of allowing a single parental consent for all collection, use and disclosure of children's personal information, operators must obtain separate and additional parental consent to disclose personal information to third parties for targeted advertising (unless such disclosure is "integral to the website or online service").
- Notice of Disclosure to Third Parties: In their notices, operators must describe the identities and specific categories of third-party recipients of children's personal information, the purpose of such disclosure and the third party's data retention policy.
- Exception to Consent Requirement for Audio Files: Operators may collect audio files containing a child's voice recording, without parental consent, if they: (1) do not collect any other personal information; (2) use the audio files for the child's specific request and no other purpose; and (3) delete the audio file immediately after completion of the service.
- Comprehensive Information Security Programs: Operators must establish and maintain a written children's personal information security program with designated personnel overseeing it. As part of this program, operators must complete annual risk assessments, regularly test and monitor the effectiveness of applicable safeguards, and review and update the program at least annually. Before disclosing children's personal information to third parties, operators must obtain written assurances from such entities that they employ reasonable measures to maintain the confidentiality, security and integrity of the information.
- Strict Data Retention Limitations: Operators may not retain children's information indefinitely. Instead, they are only allowedto retain information for "as long as reasonably necessary" to achieve the purposes for which it was collected.
- Additional Methods for Verifiable Parental Consent: The following methods are now acceptable for obtaining verifiable parental consent: (1) knowledge-based authentication through dynamic multiple choice questions that a child would find difficult to answer; (2) submission of a government-issued photo identification; and (3) receipt of text messages with additional steps, such as a follow-up text, letter or phone call, confirming that the consenting individual is a parent.
- Greater Safe Harbor Program Transparency: COPPA "Safe Harbor" programs are now required to publicly disclose their membership lists and submit additional information to the FTC to increase accountability and transparency in the programs. Safe Harbor programs are self-regulatory, FTC-approved programs (such as industry groups) that implement substantially the same or greater protections for children as those contained in the COPPA Rule.
COPPA 2.0: Proposed Children and Teens' Online Privacy Protection Act
In addition to the recent COPPA Rule updates from the FTC, some lawmakers have reintroduced legislation, dubbed "COPPA 2.0," to expand the privacy protections to include teens and children under 17 years old (instead of under 13 years old as currently provided under COPPA). These protections would prohibit targeted advertisements to children and teens and create an "eraser button" that would require operators to allow users to delete personal information collected from children or teens. COPPA 2.0 made good progress last year, was reintroduced earlier this year, and will be sent to the Senate for further consideration.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.