Time for a Refresh: The FTC Issues COPPA Amendments

On January 16, 2025, the Federal Trade Commission (“FTC”) finalized changes to the Children’s Online Privacy Protection (“COPPA”) rule (“Final Rule”). This Final Rule represents a long-awaited update to COPPA, which first went into effect in 2000 and was last updated in 2013. The Final Rule will go into effect 60 days after publication in the Federal Register, and entities generally will have one year to comply with the Final Rule.

COPPA imposes requirements on website and online service operators, including mobile applications, directed to, or with actual knowledge that they are collecting, using, or disclosing personal information from, individuals under 13 years of age (“children”). COPPA is designed to protect children’s personal information and give parents increased control over the collection and use of information about their children. Importantly, COPPA applies to personal information collected from children. It does not necessarily cover personal information about children that is online as a result of someone other than the child providing the personal information.

Key Amendments in the Final Rule

The Final Rule’s substantive update to COPPA tracks several of the protections included in the recently passed and enacted U.S. state comprehensive privacy laws, such as consent for targeted advertising, increased transparency, and data limitation principles. In particular, the Final Rule strengthened the protections for children under COPPA by:

  1. Requiring Separate Consent for Disclosure to Third Parties: Currently under COPPA, operators must obtain verifiable parental consent before any “collection, use or disclosure” of personal information from children. Under the Final Rule, the FTC split that consent requirement. Now, operators must obtain separate consent for the “disclosure” of a child’s personal information to third parties, including for targeted advertising or other purposes.

  2. Limiting Data Retention: Under the Final Rule, operators must have a “business need” for retaining a child’s personal information and must only retain the personal information for the specific purpose for which it was collected. An operator must maintain a written data retention policy and include such policy in the notice required to be posted on its website or online service. The Final Rule expressly prohibits operators from retaining such personal information indefinitely.

  3. Expanding Flexibility for Mixed Audience Websites: Under COPPA, operators of a “mixed audience website or online service” can use an age gate to determine whether a user is a child and then treat children differently than adult users to ensure they do not collect personal information from children without the necessary consent. However, COPPA currently requires that a mixed audience operator not collect personal information from any visitor prior to collecting age information. The Final Rule allows a mixed audience operator to collect personal information for certain limited purposes prior to determining the user’s age, such as collection of a persistent identifier (like a cookie) used for the sole purpose of providing support for the internal operations of the website or online service.

  4. Increasing Restrictions on the Safe Harbor Program: COPPA’s safe harbor program allows industry groups to create “self-regulatory” guidelines to implement the same or greater protections afforded under COPPA and, once approved by the FTC, deems members of the group to be in compliance with COPPA. The Final Rule introduces additional requirements under the COPPA safe harbor program with an intent to promote transparency. For example, the Final Rule requires each safe harbor program to publicly disclose a list of all operators subject to the safe harbor program and update it every six months. The Final Rule also expands the information that a safe harbor program must include in its annual report to the FTC, such as a list of all operators who have left the program and copies of each consumer complaint related to an operator’s violation of a safe harbor program’s guidelines. Of note, some of the amended provisions relating to safe harbor programs will take effect earlier than the rest of the Final Rule (between three and six months after publication of the Final Rule in the Federal Register).

Notably, the Final Rule did not make changes affecting the ed-tech and student data industry, citing a comment made by the U.S. Department of Education (“ED”) in the fall of 2024 stating that it intends to propose amendments to the Family Educational Rights and Privacy Act (FERPA). The FTC argued that making amendments to COPPA related to student data may conflict with the ED’s forthcoming FERPA amendments.

While operators subject to COPPA will have a year after the Final Rule’s publication in the Federal Register to comply, the changes in the Final Rule may significantly alter an operator’s compliance procedures. Operators should review their practices and prepare for the necessary changes now, especially given the potential for steep penalties under COPPA, which allows for up to $53,088 per violation.

If you would like assistance with, or have any questions about, complying with COPPA or the Final Rule, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our Data Protection page for more information.