Amendments to the FTC COPPA Rule Now in Effect

On June 23, 2025, amendments to the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule became effective.  The amended COPPA Rule (or, “Final Rule”) enhances obligations on many operators of websites and online services.  The FTC previously amended COPPA in 2013 to address emerging technologies.

What is the FTC Children’s Online Privacy Protection (COPPA) Rule?

Congress enacted the Children’s Online Privacy Protection Act in 1998 with the intent to protect children’s privacy online and to provide parents with a mechanism to control how their children’s personal information is collected and used.  COPPA applies to “Operators” of websites and online services that target children of knowingly collect personal information from children under 13 years of age.

The FTC’s original COPPA Rule became effective on April 21, 2000.  The Commission published an amended Rule on January 17, 2013.  The amended Rule took effect on July 1, 2013.

The primary goal of COPPA is to place parents in control over what information is collected from their young children online.  The COPPA Rule was designed to protect children under age 13, while accounting for the dynamic nature of the Internet.

The Rule applies to operators of commercial websites and online services (including mobile apps and IoT devices, such as smart toys) directed to children under 13 that collect, use, or disclose personal information from children, or on whose behalf such information is collected or maintained (such as when personal information is collected by an ad network to serve targeted advertising).  The COPPA Rule also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13, and to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

Operators covered by the Rule must:

• Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children
• Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children
• Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)
• Provide parents access to their child’s personal information to review and/or have the information deleted
• Give parents the opportunity to prevent further use or online collection of a child’s personal information
• Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security
• Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use, and
• Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

Who is covered by the FTC COPPA Rule?

The Rule applies to operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children.  It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.  The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

What are Key Changes to the Final COPPA Rule?

Key chanages to the COPPA Rule include, without limiation:

• Additionaly examples of issues to consider with respect to whether an online platform is “directed to children”
• Revisions to COPPA’s existing consent requirements
• Additional methods by which verifiable parental consent may be obtained
• New notice obligations for Operators
• New requirements governinng information security programs and data retention policies.

There are 4 examples of the type of evidence that the FTC will consider when evaluating the “intended audience” of an online property to assess whether it meets the definition of “website or online service directed to children.”  The foregoing include marketing or promotional materials; representations to consumers or to third-parties; reviews by users or third-parties; and the age of users on similar websites or services.

The Final Rule amends COPPA’s existing parental consent requirements, adding that Operators must obtain a “separate” consent for the disclosure of personal information to third-parties, with a narrow exception regarding the nature of the online service.  It does not, however, set forth details regarding how and when Operators should obtain such parental consent.  FTC commentary in this regarding is instructive.

There are 3 new methods that Operators can employ to obtain verifiable parental consent.  The Final Rule also revises one of the COPPA Rule’s existing methods of obtaining verifiable consent.

Similar to the existing “email plus” method, the Final Rule contemplates a “text plus” mechanism of obtaining verfiable parental consent.  Consult with an FTC defense lawyer to discuss when and how the “text plus” method may be employed.  Operators may also utilize a knowledge-based authenticaton method (multiple choice questions), facial recognition technology and qualifying online payments to obtain verifiable parental consent.

The Final Rule imposes on Operators two new notice requirements.  The first is for Operators that rely on the “support for internal operations” exception to obtaining verifiable parental consent.  The second pertains to a requirements that Operators identify third-parties that receive children’s data (in a clear and conspicous privacy policy and via direct notice to parents).

Operators are also required pursuant to the Final Rule to establish, implement and maintain a “written information security program” for personal information subject to the COPPA Rule.  Operators must designate at least one employee as the program coordinator; conduct an annual risk assessment pertaining to the “confidentiality, security and integrity” of personal information collected from children and safeguards that have been implemented; design, implement and maintain safeguards to control risks; test and monitor the safeguards; and evaluate and modify the program to address risks on an annual basis.

Pursuant to the Amended Rule, Operators are also required to establish and publish online a “written data retention policy” that discloses the purposes of collecting personal information from children; the business justification for retention of such information; and a deletion time frame for that information.  Personal information may not be retained indefinitely.

Why did the FTC Amend the COPPA Rule?

Following public comments,the Federal Trade Commission decided upon amendments designed to increase transparency with respect to data collection and usage of children’s information, and to increase the obligations and restrictions related to the security and sharing of such data.  Following a Notice of Proposed Rulemaking in January 2024, the final rule was published on January 16, 2025.

Notably, the amended COPPA Rule was published following a regulatory freeze policy announced by President Trump.

FTC Declines to Implement Numerous Advertising-Related Proposals

While the Final Rule illustrates the FTC’s commitment to safeguarding the use of children’s data for advertising purposes, the FTC declined to implement a number of proposals that would have further restricted advertising under the amended COPPA Rule, including, but not limited to, limits on contextual advertising and personalization.

What is the Effective Date of the Amended FTC COPPA Rule?

The amended COPPA Rule went into effect on June 23, 2025 and those subject to the amended COPPA are required to fully comply therewith by April 22, 2026.  Contact a seasoned FTC Children’s Online Protection Act (COPPA) Rule lawyer with questions about how the amended COPPA Rule may apply to your business, or if you are the subject of an FTC invesitgation or enforcement inquiry.

What is the COPPA Safe Harbor Program?

The COPPA Rule’s Safe Harbor provision allows industry groups or others to submit self-regulatory guidelines to the FTC for approval.  However, in order to do so, the COPPA Rule’s protections. must be met or exceeded.  Now, the COPPA Safe Harbor program requires the public disclosure of membership lists and provision of disciplinary actions.  Safe Harbor programs have until  October 22, 2025 to comply with applicable disclosure requirements.

Richard B. Newman is an FTC investigation attorney at Hinch Newman LLP. Follow FTC defense attorney on National Law Review.

Informational purposes only. Not legal advice. This article is not intended to and should not be construed as legal advice. May be considered attorney advertising.