By Susan Hintze and Emily Litka
This is Part 1 in a series of blog posts about the 2025 COPPA Final Rule. It provides a high-level overview of the Final Rule. Subsequent posts in the coming days will delve more deeply into individual aspects of the Final Rule and FTC comments, the issues raised, and implications for specific industry sectors. Our unofficial redlined copy of the Final Rule can be found here.
On January 11, 2025, the Federal Trade Commission, under its authority to issue regulations under the Children’s Online Privacy Protection Act (COPPA), issued its final amendments to the COPPA rule (the Final Rule – note link is to unofficial version pending publication to the Federal Register). The FTC also published a related Press Release on January 16, 2025. The FTC stated that its changes are intended “to ensure it keeps pace with changes in the marketplace since the rule was last updated in 2013.” A statement issued by Chair Lina Khan describes the Final Rule as addressing changing online risks to children including rising smartphone usage, screentime, increased monetization of data, and heightened social media harms.
The Final Rule will be effective 60 days following the publication in the Federal Register. Entities subject to the Final Rule will have one year from that publication date to come into full compliance with amendments that do not specify earlier compliance dates.
Many of the changes under the Final Rule merely codify guidance already found in the COPPA FAQs; however, a number of the changes impose new documentation and procedural tasks that will demand significant resources from organizations covered by COPPA. The following summarizes the notable changes in the Final Rule applicable to websites or online services subject to COPPA (Operators):
Definitions
Personal Information. Clarifications that personal information includes government identifiers and “biometric identifiers that can be used for the automated or semi-automated recognition of an individual”, but that avatars (to the extent not combined with other personal information) are not treated as personal information.
Support for Internal Operations of the Website or Online Service. Clarifications that the internal operations exception covers uses and disclosures of personal information to carry out an internal operation. Declines adoption of its initial proposal that would have prohibited efforts to contact a specific individual “with processes that encourage or prompt use of a website or online service” (criticized by many as creating Age Appropriate Design Code-like requirements outside the scope of COPPA). This would have restricted use of push notifications for these purposes, although prior FAQs already limited the use of push notifications, so it will be interesting to see how these changes play out in updates to the COPPA FAQs.
Website or online service directed to children. Additions of the types of evidence the FTC considers under its factor of audience composition, including reviews by users and third parties (factors which many commentators felt could be inaccurate or not genuine) and the age of users on similar websites or services (which commenters also criticized as suggesting a level of due diligence that would be burdensome and difficult to determine). Removal of the definition “websites and services that do not target children as the primary audience” as this is now covered under the new mixed audience definition.
Mixed audience. Addition of “mixed audience” as a defined term under the Rule, consistent with the FTC’s prior guidance in its COPPA FAQs. Clarifications that mixed-audience sites are considered directed to children (but not primarily directed to children). But the Rule provides an effective exception: such sites are no longer child-directed if they do not collect personal information prior to collecting age information (presumably for age verification purposes) and either (i) do not collect personal information from visitors under age 13 (other than under exceptions to parental consent) or (ii) use age verification to determine if a user is a child. The definition also requires that age verification be conducted in a neutral manner to avoid children falsifying information.
Notice
Requirements to describe in its online notice the purposes for disclosing personal information to third parties (including the public in the case of publicly available disclosures) as well as the specific identities and categories of the third parties.
Where an Operator relies on the internal operations exception, requirements to describe in its online notice the specific purposes for which an Operator collects persistent identifiers and the means it uses to protect the identifier from use for purposes outside the exception.
Obligations to disclose in direct notices to parents how an Operator plans to use personal information.
Other notice obligations described in the Parental Consent and Retention sections below.
Parental Consent
Restrictions requiring site Operators to obtain separate parental consent for “non-integral” disclosures to third parties, including to ad networks for targeted advertising and any other third-party disclosures for monetary or other consideration, which could include some disclosures to develop third-party artificial intelligence. It is unclear if this restriction would require additional separate consent every time a new third party non-integral to the service is added or changed.
Changes allowing use of mobile phone numbers to initiate obtaining verifiable parental consent through texting.
New exceptions to the Rule’s verifiable parental consent (and direct notice) requirement allowing collection of an audio file of a child’s voice to respond to a child’s specific request. Use of audio files for this purpose will also trigger a requirement for an Operator to include in its online notice the purpose for use and a statement that the audio files are immediately deleted following their use.
Deletion & Retention
Obligations to maintain and publish a written data retention policy describing the purpose for collection of personal information, business needs for retention, and the timeline for deletion.
Prohibitions on indefinite retention of personal information.
Additional requirements to delete the parent’s or child’s name if the parent does not provide consent as part of verified parental consent.
Security
Responsibilities to implement a written data security program with annual updates.
Requirements to designate one or more employees to coordinate the security program.
Duties to perform annual security assessments to identify risks to children’s personal information and evaluate the effectiveness of safeguards in place to control those risks.
Preconditions to conduct due diligence and get written security assurances from third-party recipients of personal information prior to disclosure.
In addition to the above amendments, the FTC also updated the COPPA Safe Harbor Program (allowing submissions to the Commission of self-regulatory processes that meet or exceed COPPA Rule requirements) to include more transparency and recordkeeping obligations. The FTC chose to delay finalizing rules applicable to ed-tech and student data to ensure consistency with the U.S. Department of Education’s planned amendments to the Family Educational Rights and Privacy Act (FERPA).
We note that more changes may be in store for the maybe not-so-final Final Rule. A concurring opinion by the recently appointed FTC Chair Andrew Ferguson included criticism of “serious problems” with many of the changes and suggestions that there could be a rollback of some requirements under the new administration. Requirements under scrutiny include the requirement to name third-party vendors, the prohibition on indefinite retention of personal information, and the lack of clarity on exceptions for collecting personal information solely for age verification purposes.
We will continue to keep an eye on developments as they occur.
Key Takeaways
Companies subject to COPPA should plan to:
Review their practices in light of new definitions and requirements
Plan to update their direct notices and online notices
Assess their consent processes
Establish documentation and publication of their data retention practices and consider limitations to avoid indefinite retention of data
Ensure their security programs cover personal information of children
Compile lists of vendors used to process personal information of children including names and categories. Confirm their vendors are compliant prior to collection of personal information
Susan Hintze is Co-Managing Partner at Hintze Law PLLC and a Westin Emeritus Fellow with the International Association of Privacy Professionals. She is also co-chair of the firm’s Regulatory Defense Group.
Emily Litka is a Senior Associate at Hintze Law PLLC, focusing her practice on global privacy and emerging AI laws and regulations and regularly counseling on risk during product development.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.