On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule)Children’s Online Privacy Protection Rule, 64 Fed. Reg. 16918 (April 22, 2025) (codified at 16 C.F.R. Part 312). in the Federal Register. The published amendments will become effective on June 23, 2025, and operators will have until April 22, 2026, to come into full compliance (except for FTC-approved COPPA safe harbor programs, which must comply with certain amendments that specify earlier compliance dates).
The FTC issued a Notice of Proposed Rulemaking (Notice) on December 20, 2023 (summarized in this Client Alert), recommending revisions to amend certain definitions (including “personal information” and “website or online service directed to children”). The Notice also included recommendations to clarify the COPPA Rule’s application to education technology and implement new restrictions on the use and disclosure of children’s personal information, including a separate parental consent requirement for disclosures to third parties.
On January 16, 2025, after receiving about 300 comments in response to the Notice, the FTC accepted most of the Notice’s proposed amendments and unanimously agreed 5-0 to publish the final amendments (Final Rule). The Commission stated that these amendments, the first updates to the COPPA Rule since 2013, were prompted by changes in how children use online services.
This Client Alert summarizes key updates from the Final Rule and the proposed changes that the FTC declined to adopt.
The FTC adopted a number of changes to the COPPA Rule. Many of the amendments were accepted as they were proposed in the Notice, but others were accepted with slight modifications. The FTC also clarified operators’ responsibilities with respect to certain proposed amendments in response to commenters’ concerns. Below is a summary of key changes implemented by the Final Rule, differences between the Final Rule and the proposed amendments, and clarifications the FTC provided to help operators comply with the Final Rule. In addition to the changes summarized below, the Commission also accepted the Notice’s proposals to create new requirements for FTC-approved COPPA safe harbor programs.
The FTC modified the multifactor test for determining whether an operator’s actual or intended audience is child-directed. The Final Rule adds examples of certain kinds of evidence that the FTC may consider, including “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services.”Id. at 16978 (§ 312.2 of the Final Rule). The FTC accepted the Notice’s proposed amendment, but clarified that these changes are not intended to substantively change how the FTC applies the multifactor test. Rather, the added language is “intended to provide additional insight and clarity regarding how the Commission currently interprets and applies the definition” (emphasis added).Id. at 16936.
Furthermore, in response to commenters’ concerns, the FTC recognized that certain kinds of third-party evidence, including reviews, may not always be accurate representations of a service’s audience and noted that it will consider this when determining whether to rely on such evidence. The FTC also clarified that these additional examples of evidence the FTC can consider in evaluating whether a website or online service is directed to children are “not intended to impose a burdensome requirement that operators identify and continuously monitor” such information.Id. at 16938.
The Notice requested comment on whether the COPPA Rule should exempt operators from being considered directed to children if they conduct “an analysis of [the operator’s] audience composition” and determine that no more than a specific percentage of its users are under 13.Id. The FTC noted that it is not moving forward with this exemption, reasoning that such an exemption may be inconsistent with the multifactor test and disadvantage small businesses.
The FTC accepted the Notice’s proposal to create a stand-alone definition for “mixed audience website or online service,” which is a subset of child-directed services.Id. at 16978 (§ 312.2 of the Final Rule). The Commission noted that this definition is not intended to expand the scope of child-directed services. The FTC also added new language not proposed in the Notice to clarify that mixed-audience services can take advantage of the Final Rule’s exceptions to the parental consent requirement in § 312.5(c) prior to collecting age information from its users.
The Notice proposed adding more prescriptive data security requirements for operators subject to the COPPA Rule, including requirements to “establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of personal information collected from children and the operator’s size, complexity, and nature and scope of activities.”Id. at 16960. The Final Rule largely adopts this amendment as proposed, but the FTC clarified that an operator does not need to implement a separate children’s personal information security program if the operator already has an information security program that applies both to children’s personal information and other information.
The Final Rule accepts the Notice’s proposed amendment requiring operators to obtain separate parental consent before disclosing children’s personal information to any third party.Id. at 16980 (§ 312.5(a)(2) of the Final Rule). The FTC noted that this requirement enhances transparency and enables parents to make more meaningful choices around the use of their children’s data. Further, the FTC clarified that it is not prescribing “rigid requirements” as to how and when separate consent must be sought, explaining that operators of child-directed websites could obtain parental consent during the initial verifiable parental consent flow or at a later time, such as when a child seeks to interact with a feature that implicates third-party sharing.Id. at 16948. The FTC clarified that disclosures of children’s personal information for the purposes of receiving monetary compensation, advertising, or developing or training artificial intelligence technology are never integral to a website or online service, and the separate consent requirement applies.
The amendments did not alter the COPPA Rule’s existing “support for internal operations” exception, which excepts operators from obtaining verifiable parental consent when the operator collects a persistent identifier and no other personal information for the sole purpose of providing support for the internal operations of the website or service. However, the FTC adopted the Notice’s proposal to impose additional notice requirements for operators that rely on this exception. The Final Rule now requires operators to provide users with a notice that specifies the internal operations for which data is collected and discloses the policies and practices in place to ensure persistent identifiers are not used for unauthorized purposes, such as behavioral advertising.Id. at 16981 (§ 312.5(c)(7) of the Final Rule). The FTC clarified that the Final Rule does not require the notice to be a “detailed description of sensitive business or technical information” and can be accomplished through a “succinct” statement with the categories of activity that the data collection supports.Id. at 16955.
The Commission added a non-exhaustive list of biometric identifiers to the definition of “personal information,” including fingerprints, voiceprints, handprints, retina patterns, iris patterns, and genetic data. The Final Rule omits language from the Notice’s proposed amendment that also included “data derived from voice data, gait data, or facial data” as part of this list.Id. at 16928. The FTC agreed with commenters’ concerns that this language may be overly broad and covers data that cannot currently be used to identify and contact a specific individual. However, the FTC stated that it still intends for the Final Rule to apply to situations where “imagery of a biometric characteristic (e.g., a fingerprint or a photograph) is converted” into templates that can be used to identify or contact an individual.Id.
The Final Rule adds a requirement that operators can only retain children’s personal information for as long as is reasonably necessary to fulfill the specific purposes for which it was collected.Id. at 16982 (§ 312.10 of the Final Rule). Although the Notice’s proposed amendment included language specifying that operators may not retain the information “for any secondary purpose,” the FTC omitted the “secondary purpose” language from the Final Rule, explaining that the language was unnecessary and generated significant confusion among commenters. The Final Rule also prohibits operators from retaining such information indefinitely.
The FTC also added language requiring operators to establish and maintain a written data retention policy, which must be provided in operators’ online notices.Id. In a parallel to the written security program requirement, the FTC clarified that an operator is not required to establish a separate written children’s data retention policy if the operator has a policy that covers children’s personal information as well as other information.
The Final Rule, adopting the Notice’s proposed amendment, adds other mechanisms through which operators can obtain parental consent, including knowledge-based authentication (asking questions of sufficient difficulty that only an adult could answer) and facial recognition technology (this method also requires human review).Id. at 16980 (§ 312.5(b) of the Final Rule). The FTC addressed commenters’ concerns regarding the cost of human review but emphasized that facial recognition is just one option that operators can choose from to obtain verifiable parental consent.
The FTC adopted the Notice’s proposal requiring operators to make additional disclosures in their online notices, including the “identities and specific categories of any third parties to which the operator discloses personal information and the purposes for such disclosures.”Id. at 16979 (§ 312.4 of the Final Rule). An operator must also include its data retention policy (described above). In response to commenters’ concerns that including a data retention policy will lead to long and unruly online notices, the FTC clarified that operators may use different design features, such as expandable sections or intra-notice hyperlinks, to comply with the Final Rule.
Although the FTC accepted most of the Notice’s proposed amendments, the FTC notably declined to adopt two changes related to push notifications and education technology.
The Notice proposed changes limiting the ability of operators to send push notifications or other communications designed to enhance user engagement. Specifically, the Notice proposed additional language prohibiting operators from taking advantage of the “support for internal operations” exception in connection with practices that “encourage or prompt use of a website or online service.”Id. at 16933. The FTC was persuaded by commenters’ arguments that the proposed amendment conflicted with language in the COPPA statute, raised First Amendment concerns, and was overly broad and could constrain beneficial notifications (such as features in educational products designed to help children remain focused on their studies). Although the FTC declined to adopt these proposed changes, it emphasized that it “remains deeply concerned about the use of push notifications and other engagement techniques that are designed to prolong children’s time online.”Id. at 16954. Furthermore, the FTC stated that it may pursue enforcement actions under Section 5 of the FTC Act to address “practices encouraging prolonged use of websites and online services.”Id. at 16935.
The Notice proposed an amendment allowing educational institutions to provide consent for the collection and use of personal information, but only for school-authorized educational purposes. However, the FTC decided not to adopt these changes to avoid creating potentially conflicting amendments with the Family Education Rights and Privacy Act (FERPA), since the Department of Education affirmed its intention to propose amendments and clarify provisions governing non-consensual disclosures of personal information to third parties.
Although the FTC declined to adopt amendments related to push notifications and other measures designed to enhance engagement, it clarified that such tactics remain in its purview, signaling potential amendments around these practices in the future. Overall, the Final Rule underscores the Commission’s continued focus on children’s online privacy and safety. Although companies subject to the Final Rule do not need to fully comply until April 2026, operators should begin evaluating the sufficiency of their current data collection, disclosure, and security practices to ensure compliance with the Final Rule’s robust requirements.