Businesses that collect children's online information will now be subject to new, stricter rules under the federal Children's Online Privacy Protection Act (COPPA or the Act), following the Federal Trade Commission (FTC)'s adoption of final rule changes to COPPA on January 16, 2025.
Effective in 2000 and last revised in 2013, COPPA regulates how businesses that operate websites and online services "directed to children" under 13 can collect and use their personal information. Importantly, COPPA requires that regulated businesses provide direct and online notice to parents and obtain verifiable parental consent before collecting, using, or disclosing the personal information of children under 13 years of age. COPPA also imposes additional limits on the business practices of these companies and gives parents a greater ability to control what personal information about their children is made available to businesses and how it is used.
The new COPPA rules were scheduled to go into effect 60 days after publication in the Federal Register; however, President Trump has put a hold on finalizing all pending rules, and it is possible that the new FTC Chairman could still withdraw them.[1]
Key Changes and New Rules
Below is an overview of the key changes contained in the new rules under COPPA:
Additional Opt-In to Serve Online Ads to Children
COPPA requires online businesses to obtain parental consent before collecting the personal information of children under 13. Under the new COPPA rules, these businesses will now be required to take a further step when serving online ads to children under 13; specifically, they must first obtain separate and verifiable consent from parents to disclose children's personal information for targeted advertising directed at their children and other purposes.
New Data Retention Limits
The current COPPA rule provides a seemingly open-ended requirement for how long children's personal information can be retained by a business.[2] The new rule explicitly states that children's personal information collected online may not be retained indefinitely. The FTC also clarified that businesses need not have a separate written retention policy for children's personal information if the business has a written retention policy that also addresses children's personal information and meets COPPA's other requirements. At a minimum, the new rules require companies to have a data retention policy that is available via an online link to their information practices with regard to children on either the homepage, landing page or other screen of the business's website or online service, and that describes:
- the purposes for which children's personal information is collected,
- the business need for retention, and
- a timeframe for its deletion.
Safe Harbor Programs' Transparency
COPPA enables industry groups and others to seek FTC approval for self-regulatory programs to implement the Act. To date, the FTC has approved six Safe Harbor Programs. The current COPPA rules require that these programs meet certain performance standards and submit annual reports to the FTC that independently confirm their members' compliance. Under the updated COPPA rules, these programs must now publicly disclose their membership list (including the certified website or online service of each member), as well as include additional information in their annual reports to the FTC.
Verifiable Parental Consent
The FTC also updated the approved methods by which a business can obtain "verifiable parental consent" before it can collect children's personal information. Specifically, the new rules:
- remove the requirement that businesses using a parent's debit card, credit card or other online payment to obtain verifiable parental consent must charge the parent a fee;
- approve the use of a "knowledge-based authentication process" (using questions of sufficient number and difficulty that a child under 13 could not answer them) to obtain verifiable parental consent;
- allow businesses to match a parent's face to a verifiable photo ID (so long as the image and record of photo ID are immediately deleted); and
- permit parents to provide consent via text message to their mobile phone number (called "text plus" consent method).
Expanded Information in Direct Privacy Notices
The new COPPA rules require businesses to include in their "direct notice" provided to parents (i) how they intend to use the children's personal information, (ii) the categories of third parties to which the children's personal information is to be disclosed, and (iii) a note advising parents that they can consent to the collection of their child's personal information without also consenting to third party disclosures (except if the disclosure is "integral" to the business's website or online services).
Expanded Information in Online Privacy Notices
Similarly, the FTC added new information that businesses must now include in their online privacy notices to parents, specifically:
- the identities or specific categories of any third parties to which the business discloses personal information;
- the business's data retention policy (as described above);
- how the business uses persistent identifiers for support for internal operations purposes; and
- if the business collects audio files with a child's voice, how the business uses the data files and will delete the audio files upon request.
New Security Requirements
The new COPPA rules require businesses to implement additional elements in their written information security programs to help protect the children's personal information they collect, including the following requirements to:
- designate one or more employees to coordinate the business's information security program;
- at least annually, perform additional assessments to identify internal and external risks to the confidentiality, security, and integrity of personal information collected from children and the sufficiency of any safeguards in place to control such risks;
- design, implement, and maintain safeguards to control identified risks;
- regularly test and monitor the effectiveness of the safeguards in place to control identified risks; and
- at least annually, evaluate and modify the information security program to address identified risks, results of required testing and monitoring, new or more efficient technological or operational methods to control for identified risks, or any other circumstances that an operator knows or has reason to know may have a material impact on its information security program or other safeguards the business has put in place to protect personal information collected from children.
Updated Definitions
A few significant changes to COPPA's statutory definitions were also adopted under the new rules, including:
- "Personal Information" was expanded to include "biometric identifiers" and "government-issued identifiers."
- "Website or online service directed to children" was clarified by adding that the FTC may consider extraneous evidence, such as marketing or promotional materials, representations made by the business to consumers or third parties, reviews by consumers or third parties and the age of users on similar websites or online services.
- A new definition for "Mixed audience website or online service" was adopted, which refers to a website or online service that is directed to children, but where children are not its primary audience. The new rule allows businesses that operate a "mixed audience website or online service" to implement procedures to determine which of their visitors are under 13 and, thus, subject to COPPA and then apply COPPA's protections only to those visitors.
Proposed Changes Not Adopted in the Final Rules
Notably, the FTC also decided not to take certain actions, including:
- Limiting the use of "push notifications" and other "engagement techniques" to children without parental consent;
- Applying COPPA to children's personal information collected in schools or codifying a school authorization exception to obtaining verifiable parental consent; or
- Considering whether businesses can use children's personal information prior to parental consent for age verification or age assurance.
While the status of the new COPPA rules remains in flux, businesses subject to COPPA should nonetheless consider steps to comply with the updated rules. Civil penalties can now be as much as $53,000 per violation.
Footnotes
1 On January 20, 2025, President Trump issued an Executive Order implementing a freeze on all new rules and ordered that pending rules (including those not yet published in the Federal Register) be withdrawn so that the department or agency can review and approve them, or not. The incoming chairman of the FTC, Andrew Ferguson, who earlier voted in favor of the new COPPA rules, has not yet indicated whether he will withdraw them for reconsideration or approve them as is.
2 Per COPPA, businesses must "retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected."