The FTC finalized its long-awaited updates to the COPPA Rule amidst the flurry of closing actions by the Biden administration, but the fate of the Rule remains uncertain under the new Trump administration following its executive action to freeze pending federal regulations.
In a 5–0 vote, the U.S. Federal Trade Commission (FTC) issued a final rule (Final Rule) to modify the Children’s Online Privacy Protection Rule (COPPA Rule) in an effort to keep pace with technology advancements and the way in which children utilize online services today. The COPPA Rule originally went into effect in 2000 and had not been updated since 2013. The Final Rule memorializes certain aspects of the FTC’s existing COPPA guidelines and imposes new obligations on the collection and use of personal information obtained online from children under the age of 13. The Final Rule includes meaningful changes from the notice of proposed rulemaking the FTC released in January 2024 (2024 NPRM), as detailed below.
Key provisions of the Final Rule include:
- Updated and new definitions.
- Mixed audience website or online service. The Final Rule adds a new definition of “mixed audience website or online service” that did not appear in the 2024 NPRM and memorializes long-standing FTC guidance regarding “mixed audience” websites:
[A] website or online service that is directed to children . . . but that does not target children as its primary audience[,] and does not collect personal information from any visitor, other than for the limited purposes [set forth in the rule], prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.
A “mixed audience website or online service” will not be deemed “directed to children” (i.e., not subject to relevant COPPA requirements) with regard to any individual not identified as being under age 13.
- Personal information. The Final Rule expands the definition of “personal information” to explicitly include: (1) biometric identifiers that can be used for the automated or semi-automated recognition of an individual (including fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints); and (2) government-issued identifiers (such as Social Security numbers, state identification cards, birth certificates, and passport numbers).
- Website or online service directed to children. The Final Rule introduces additional types of evidence that the FTC will consider in analyzing “audience composition” and “intended audience” when conducting the multi-factor test to determine whether a website or service is directed to children: marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services.
- Additional direct parental notice requirements. The Final Rule requires operators to identify in the direct notice to parents how the operator intends to use information collected from children and which third parties (by name or category) may receive personal information and for what purpose. Making personal information publicly available is considered a third-party disclosure for purposes of this requirement. Further, operators must tell parents that they can choose not to consent to the disclosure of personal information to third parties, except if that disclosure is “integral to the website or online service.”
- Separate parental consent for non-integral disclosures to third parties, including targeted advertising. Instead of permitting a single parental consent for the collection, use, and disclosure of a child’s personal information, the operator must obtain a separate opt-in consent for the disclosure of personal information to third parties, including to ad networks for targeted advertising, unless the disclosure is “integral to the website or online service.” The FTC commentary noted that it is a fact-specific inquiry to determine whether a disclosure is “integral” but acknowledged integral disclosures include those that are necessary to provide the product or service requested by the consumer, and non-integral disclosures include those for monetary or other consideration, for advertising purposes, or for training or otherwise developing AI technologies. The Final Rule provides operators flexibility as to how and when such separate consent must be sought, though it remains unclear whether a separate consent is required every time a non-integral disclosure is added or changed.
- Exception to consent requirement for audio files. The Final Rule allows an operator to collect a child’s voice recording without obtaining prior parental consent, provided that the operator: (1) does not collect any other personal information; (2) only uses the audio file to respond to a child’s specific request and for no other purpose; and (3) deletes the recording immediately after responding to the request.
- Alternative methods for verifiable parental consent. The Final Rule provides three (3) alternative methods for obtaining verifiable parental consent, in addition to currently authorized methods:
- Knowledge-based authentication using dynamic multiple-choice questions, where there is a reasonable number of questions and answers such that the probability of correctly guessing the answers is low and the questions are sufficiently difficult such that a child aged 12 or younger in the parent’s household could not reasonably ascertain the answers;
- Facial recognition authentication of a government-issued photographic identification compared against an image of the parent’s face taken with a phone camera or webcam (and subsequently confirmed by trained personnel), provided that the operator promptly deletes the identification and images after the match is confirmed; and
- Text message coupled with additional steps to provide assurances that the person providing the consent is the parent, so long as the operator does not “disclose” children’s personal information. The additional steps include: (1) sending a confirmatory text to the parent following consent; or (2) obtaining a postal address or phone number from the parent and confirming consent by letter or phone call. Operators that use the text message method must provide notice that the parent can revoke any consent given in response to the earlier text message.
- Expanded online notice requirements. The Final Rule requires that an operator’s online notice include the following additional disclosures:
- the identities and the specific categories of any third party to which the operator discloses children’s personal information and the purpose for such disclosures;
- the operator’s data retention policy;
- the internal operations for which the operator has collected a persistent identifier in cases where no consent is required, and how the operator ensures that such identifiers are not used or disclosed (a) to contact a specific individual (including through behavioral advertising), (b) to amass a profile on a specific individual, or (c) for any other purpose outside of support for internal operations; and
- (if applicable) a description of how audio files containing a child’s voice are used and that the operator deletes the audio files immediately after responding to the request for which they were collected.
- Requirement to maintain a written information security program. The existing COPPA Rule included a high-level requirement that operators establish and maintain reasonable procedures to protect children’s personal information. Under the Final Rule, an operator is required to create and implement a written information security program appropriate to the operator’s size, complexity, and nature and scope of activities and the sensitivity of the personal information the operator collects. The requirements are modeled on the FTC’s Safeguards Rule for financial institutions and include designating an employee or employees to coordinate the information security program, annual risk assessments, regular testing and monitoring of safeguards, and annual evaluation and updates. The FTC noted that an operator need not maintain a separate children’s information security program if it maintains an information security program that applies both to children’s information and other information and otherwise meets the requirements under the law.
The Final Rule also requires that operators take reasonable steps to ensure that other operators, service providers, and third parties will implement reasonable security measures to protect children’s personal information—and obtain written assurances that the recipients will do so—before allowing the third parties to collect or maintain children’s personal information on the operator’s behalf or otherwise releasing children’s personal information to such entities.
- Enhanced data deletion and retention requirements. While the existing COPPA Rule required that an operator retain personal information for only as long as reasonably necessary to fulfill the purpose for which the information was collected, the Final Rule narrows this requirement to the “specific” purpose(s) for which the information was collected and makes clear that operators: (1) may not retain the information indefinitely; and (2) must delete the information when it is no longer required. In addition, the Final Rule requires an operator to develop and maintain a written document retention policy and post the policy in the online notice.
- Increased accountability and transparency for the safe harbor program. The Final Rule requires COPPA safe harbor programs to publicly post their member operator lists and to report certain information to the FTC, such as the program’s business model, copies of consumer complaints related to violations of the program’s guidelines, and technological capabilities and mechanisms for assessing fitness for membership in the program.
Notable Provisions Deleted from 2024 NPRM
Significantly, the Final Rule dropped the following provisions from the 2024 NPRM:
- Limiting push notifications directed to children without parental consent. The 2024 NPRM prohibited contacting users “with processes that encourage or prompt use of a website or online service,” which would have restricted the use of push notifications for such purposes. The FTC declined to include this language in the Final Rule, acknowledging it would be overly broad; however, the FTC’s current COPPA guidelines include restrictions on the use of push notifications. The FTC also noted that it remains concerned about the use of engagement techniques to keep kids online in ways that could harm their physical or mental health. The Commission made clear it may exercise its Section 5 enforcement authority to address unfair or deceptive acts or practices that encourage prolonged use of websites and online services that increase risks of harms to children.
- Formalizing educational technology (EdTech) school authorizations. The Final Rule also omits provisions related to the use of EdTech by schools and students. The 2024 NPRM included provisions governing the collection of information from children in schools and codified a school authorization exception to obtaining verifiable parental consent, all of which the FTC declined to include in the Final Rule. The FTC noted that it did not include these provisions in the Final Rule to avoid possible conflicts with potential amendments to the U.S. Department of Education’s Family Educational Rights and Privacy Act (FERPA) regulations, which the Department of Education indicated are forthcoming.
Potential Delays and Changes
The Final Rule is scheduled to take effect 60 days after it is published in the Federal Register, and operators will have one year from the publication date to comply with the regulation. Currently, the Final Rule has only been informally published by the FTC.
Importantly, President Trump recently issued a memorandum imposing a government-wide regulatory freeze on, among other things, proposing or issuing any rule to the Office of the Federal Register (OFR) until a new department or agency head appointed or designated by the president reviews and approves the rule. The memorandum also requires the withdrawal of any rules sent to the OFR but not yet published in the Federal Register pending review and approval by the department or agency head. As a result, publication of the Final Rule may be delayed while undergoing such review.
Although now-FTC Chair Andrew Ferguson voted in favor of the Final Rule before President Trump took office, he took issue with certain aspects of the rule in his concurring statement, noting that the Final Rule was part of “the Biden-Harris FTC’s frantic rush to finalize rules on their way out the door.” In light of Chair Ferguson’s stance, it is unclear whether the Final Rule will move forward in its current form, if at all.
Moving Ahead
The Final Rule highlights the FTC’s continued focus on protecting children’s data, as evidenced through its recent enforcement actions against companies for COPPA violations. While the ultimate fate of the Final Rule remains uncertain, children’s privacy continues to be an area of focus among state and federal regulators and legislators. Thus, businesses should consider evaluating whether material changes to their current practices would be required to align with the Final Rule’s requirements as we await updates from the new administration.