Update: On April 22, 2025 the FTC published the COPPA Rule amendments in the Federal Register. This post has been modified to reflect the most current status.
In the waning days of the Biden administration, the FTC published an update to its COPPA Privacy Rule. Back in February, the status of this update was unclear. On April 22, 2025 the FTC published the amendments in the Federal Register, marking the most significant update to COPPA since 2013. The effective date of the provisions will be June 23, 2025, and the compliance deadline will be April 22, 2026.
Here are key changes that businesses should keep in mind:
- Direct Notice to Parent Changes. Direct notice to parents will now need to include the identities or specific categories of third parties with whom children’s personal information is shared, and must also explain why the information is shared. Website operators also have to tell parents that they have the option to allow the site to collect and use their kids’ personal information without sharing it with third parties.
- Website Notice (Privacy Policy) Changes. The website notice required of operators subject to COPPA will need new content under the revised rule. Covered website operators will need to disclose the identities and specific categories of any third parties with whom they share information, the purposes for such disclosures, and the website operator’s data retention policy. Additionally, the privacy policy must explain the purposes for collecting persistent identifiers and how the website operator will prevent use of such identifiers to contact children, including through targeted advertising. The policy will also have to explain the steps the site takes to make sure persistent identifiers used for operating the site will not be used for behavioral advertising. For sites collecting audio files, the privacy policy must indicate how such files will be used and confirm their prompt deletion after fulfilling their purpose.
- Verifiable parental consent. As revised, website operators will need to get separate parental consent whenever they plan to share children’s information with new third parties. This is required unless the disclosure is necessary to run the website or online service. The revised rules also provide for new methods of parental verification. These include comparing a parent’s authenticated government ID against their face (using a camera app, for example), and a “dynamic, multiple-choice” question approach, provided the questions would be too hard for a child 12 or under to complete. The revision also permits texting for what has traditionally been known as the “email-plus” verification process, which can be used when children’s information is not disclosed. Also added is another “one time use” exception to parental consent, namely collecting and responding to a question submitted by a child through an audio file.
- Security. As revised, the rule introduces new security requirements. Namely, covered entities will need to have a written information security program. This goes beyond the current obligation to have “reasonable measures” in place. The security obligations are detailed and mirror security obligations that exist under various state data security laws. For example, site operators must appoint someone in charge of the security program, and the program must be updated regularly. These obligations also include vendor oversight: ensuring that vendors are capable of safeguarding information and obtaining written assurances that vendors will adhere to such obligations.
- Data retention. The Rule mandates that children’s data be retained only “as long as necessary” for its original purpose. Indefinite storage or “lingering” retention without a clear need is no longer allowed.
- Definitions. As revised, the rule will add “biometric identifiers” to the list of personally identifiable information. These are elements like fingerprints or voiceprints that can be used to identify someone. The definition also includes someone’s “gait.” The rule also adds a definition of “mixed audience” site, a term currently used by the FTC in its COPPA FAQs. A mixed audience service is directed at children but does not primarily target children, and it requires age screening before collecting personal information. Mixed audience sites require the same consent required of child-directed website operators.
- Safe Harbor Programs. Website operators self-certifying under the Safe Harbor program will need to make some changes as well. As revised, the Rule imposes stricter oversight on Safe Harbor programs by requiring more detailed annual reports, public lists of covered operators, and broader assessments that now address security practices and consumer complaints. It also introduces a new triennial reporting requirement on technology and assessment methods, further increasing compliance responsibilities.
Putting it into Practice: Companies that operate websites subject to COPPA have until April of next year to review and revise their notices and security programs, among other things, to address these new obligations.