On April 22, 2025, the Federal Trade Commission ("FTC") published in the Federal Register its first major update to the Children's Online Privacy Protection Act Rule (the "COPPA Rule" or "Rule") since 2013. The COPPA Rule, which the FTC promulgated in 2000, imposes requirements on operators of websites or online services that are directed to, or that operators have actual knowledge collect personal information from, children under 13 years of age (collectively, "operators"). Citing changes in technology and the way in which children use online services, the FTC initiated its second major review of the COPPA Rule in 2019, when it sought public comment about how the Rule operated with respect to education technology ("ed tech") providers, voice-enabled connected devices, and general audience platforms. The Biden administration considered the comments received and published proposed amendments to the Rule in January 2025. The final Rule adopts most of the proposed amendments, with some modifications. The FTC declined, however, to adopt amendments related to ed tech providers, citing concerns about imposing obligations that might conflict with updates to the Family Educational Rights and Privacy Act ("FERPA") that the Department of Education ("DOE") is expected to make. The FTC will "monitor and weigh future developments with respect to DOE's potential FERPA regulation amendments in deciding whether to pursue COPPA Rule amendments related to ed tech," and "continue to enforce COPPA in the ed tech context consistent with its existing guidance." The final Rule goes into effect on June 23, 2025, but provides operators until April 22, 2026, to comply with all provisions except certain annual reporting and notice requirements related to the COPPA safe harbor program that have earlier compliance dates.

The current COPPA Rule, among other things, requires operators to provide two notices to parents—a direct notice and an online notice—and to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13 years of age. The Rule also prohibits operators from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities, and imposes certain security, retention, and deletion requirements on personal information collected. In addition, the Rule provides certain methods for obtaining verifiable parental consent and includes a "safe harbor" provision that allows industry groups or others to submit to the FTC for approval self-regulatory guidelines that implement the Rule's protections.

The amendments to the Rule modify certain definitions to provide greater clarity, introduce a new definition for "mixed audience website or online service" to clarify requirements for these types of entities, and modify operators' obligations with respect to direct and online notices; information security, deletion, and retention protocols; and FTC-approved COPPA safe harbor programs' annual assessment, disclosure, and reporting requirements. Finally, the amendments modify parental consent requirements, methods of obtaining verifiable parental consent, and exceptions to the parental consent requirement.

Summary of Changes

We provide detailed explanations of the updated Rule below:

  • New definition of "mixed audience website or online service." The FTC codified elements of its FAQs that relate to "mixed audience" websites and online services, which are general audience websites and online services that have a portion of the website or online service that is directed to children but that does not target children as its primary audience because it also targets adults or older teens.[i] A general audience website or online service does not become a "mixed audience" website or service just because some children use the site or service. The FTC's FAQs established that operators must treat all visitors to that portion of "mixed audience" websites and online services as children unless the operator age screens visitors and applies COPPA with respect to visitors who use the portion directed to children. To codify this requirement, the final Rule defines "mixed audience website or online service" as "a website or online service that is directed to children" under the Rule, "but that does not target children as its primary audience, and does not collect personal information from any visitor, other than for the limited purposes set forth in § 312.5(c), prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child." The final Rule also adopts the requirement that age gating must be done in a neutral way. Specifically, it provides that any method used to determine a visitor's age "must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information," suggesting questions like "How old are you?" or "What is your date of birth?" rather than "Are you over 13?"

    The FTC did not change the established two-step analysis used to determine a "mixed audience" website or online service. Under this analysis, the FTC will evaluate the intended, actual, and likely audience using multiple factors—such as child-oriented subject matter and activities—to determine whether the website or online service is "directed to children." If the FTC determines that this first prong of the test is met, then it will analyze whether the website or online service targets children as its "primary" audience. Operators should carefully analyze their intended audience, their actual audience, and, in many instances, their likely audience before concluding that they are not targeting children as the primary audience.

  • Other amended definitions. The FTC also updated the following definitions:
    • Online contact information was amended to include "mobile telephone number," provided the operator uses it only to obtain verifiable parental consent, including by text message. Operators must take steps to reduce security risks to text recipients and to comply with the Telephone Consumer Protection Act.
    • Personal information was amended to include government-issued identifiers (e.g., Social Security Numbers, state identification card, birth certificate, or passport numbers) and "biometric identifiers" that can be used for the automated or semi-automated recognition of an individual.
      • Unlike most state privacy laws, the Rule does not limit the definition to biometric information that is used to identify individuals.
      • The FTC opted not to include "data derived from voice data, gait data, or facial data" in the definition of biometric identifiers but indicated that it still intends for the definition to include templates—e.g., facial and fingerprint templates—that are derived from such data and that can be used for the automated or semi-automated recognition of an individual.
      • The FTC also declined to include "screen or user names," "avatars," or "information concerning the child or the parents of that child" in the definition of "personal information," stating that they would only be considered "personal information" when combined with an identifier described in the definition of "personal information." The FTC indicated that it will continue to monitor marketplace and technological developments and may revisit amendments related to "avatars" in the future.
    • Support for the internal operations of the website or online service was amended to clarify that personal information collected for the seven enumerated activities in the definition may be used or disclosed as necessary to carry out those activities (e.g., necessary to maintain or analyze the functioning of the website or online service). The FTC declined to expressly prohibit the use or disclosure of personal information to "encourage or prompt use" of a website or online service, finding that this would "constrain beneficial prompts and notifications." The FTC warned operators, however, that it could bring enforcement actions under Section 5 of the FTC Act "to address unfair or deceptive acts or practices encouraging prolonged use of websites and online services that increase risks of harm to children."
    • Website or online service directed to children was amended to provide the following additional examples of evidence that the FTC may consider in analyzing audience composition and intended audience: marketing or promotional materials or plans, representations made to consumers or third parties, reviews by users or third parties, and the ages of users on similar websites or services. The FTC also adjusted the definition to align with the new definition of mixed audience website or online service.
  • Modifications to Operators' Obligations.
    • Content of the Direct Notice for Obtaining Parental Consent. The COPPA Rule requires operators to provide a "direct notice" to parents when seeking their verifiable consent that must now include the following: a description of how the operator intends to use the personal information the operator seeks consent to collect from the child as well as a description of whether the operator discloses it to one or more third parties, the identities or specific categories of such third parties (including to the public, if making the information publicly available), and the purposes for such disclosure. The FTC gave operators the option to use either the actual identities or specific categories of third parties, although the categories must be "meaningful and specific," and made clear that it does not expect operators to provide a one-to-one correlation between items of personal information and specific uses of such information. The FTC helpfully noted that if an operator chooses to provide a roster of the specific identities of third parties, it is not likely to find any subsequent changes to the list without prior consumer consent to be "deceptive."
    • Content of Online Notice. The FTC made several changes to the required content for online notices that operators must post.
      • Specifically, operators must now include both the identities and specific categories of any third parties to which the operator discloses personal information and the purposes for such disclosures. Operators may include a hyperlinked cross-reference from the direct notice to the section in the online notice where operators can provide more detail regarding third parties to whom they disclose personal information.
      • The final Rule also requires operators to include their data retention policy for children's personal information and a description of the purposes for which the operator will use any audio files containing a child's voice that the operator collects, as well as a statement that it will delete such files immediately after responding to the request for which they were collected. Provided that the operator collects the audio file—and no other personal information—for use in responding to a specific request and for no other purpose, the operator has no obligation to obtain verifiable parental consent or provide direct notice, so long as the operator also deletes such files immediately.
      • Finally, operators also must disclose in general terms how they use any "persistent identifiers" that they collect for "support for internal operations of the website or online service," including the specific internal operations and the means used to ensure that the operator does not use the persistent identifiers to contact a specific individual (including through behavioral advertising), to amass a profile, or for any purpose other than the seven categories of activities listed in the Rule. By way of example, the FTC noted that an operator might disclose that it uses persistent identifiers for ad attribution, website maintenance, data security, or user authentication. Operators also must explain what policies or practices are in place to avoid using persistent identifiers for unauthorized purposes.
    • Parental Consent. The final Rule requires operators to obtain separate consent to disclose a child's personal information to third parties, unless such disclosures are "integral" to the website or online service. Operators should consider the type of service provided when determining which disclosures are "integral" and for which consent is not needed. The FTC makes clear that disclosures to third parties for monetary or other consideration, for advertising purposes, or to train or otherwise develop artificial intelligence technologies would not be "integral" to a website or online service.
      • When drafting direct notices to parents to obtain their consent, operators therefore should determine whether consent for certain disclosures to third parties is even required. Consent will not be required if such disclosures are "integral" to the website or online service or are to a person or entity who provides "support for the internal operations of the website or online service" and who does not use or further disclose the information for any other purpose.
  • Methods of Obtaining Verifiable Parental Consent.
    • Text Messaging. The final Rule permits operators to obtain verifiable parental consent by text message coupled with additional steps to ensure that the person providing the consent is the parent, so long as the operator does not disclose children's personal information when doing so. Additional steps for verification via text message include confirming by text message to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. An operator that uses this method must provide notice that the parent can revoke any consent given in response to the earlier text message.
    • Knowledge-Based Authentication (KBA). Alternatively, operators may verify a parent's identity using knowledge-based authentication, provided that (1) the verification process uses dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and (2) the questions are of sufficient difficulty that a child age 12 or younger in the parent's household could not reasonably determine the answers.
    • Photographic Identification. In addition, parents may verify their identity by submitting a government-issued photographic identification that is determined to be authentic and is compared against an image of the parent's face taken with a phone camera or webcam using facial recognition technology. The operator must "promptly" delete such information after confirming the match. While human review of the information is not required, the FTC stated that it could find the absence of such review "unfair" if the deployment of facial recognition technology results in demonstrably inaccurate outcomes and the operator either ignored red flags or failed to conduct a prior risk assessment.
  • Security, Deletion, and Retention Requirements.
    • Operator Security. The final Rule increases operators' security obligations by requiring operators to establish, implement, and maintain a written information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children and to the operator's size, complexity, and the nature and scope of its activities. The updated Rule also requires operators to take the following additional measures: (1) appoint employees to manage the information security program; (2) annually assess internal and external risks to children's personal information and evaluate existing safeguards; (3) implement safeguards based on risk assessments, considering the volume and sensitivity of the data that is at risk, and the likelihood that the risk could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information; (4) regularly test and monitor the effectiveness of these safeguards; and (5) annually review and update the security program to address risks, testing results, and new methods or circumstances impacting data protection.
    • Service Provider and Third-Party Security. Operators also must take "reasonable steps" to determine that other operators, service providers, or third parties are "capable of maintaining the confidentiality, security, and integrity" of personal information collected from children prior to disclosing the information or permitting them to collect or maintain personal information from children on the operator's behalf. Operators cannot rely on oral assurances; they must obtain "written assurances" that such entities will employ reasonable measures to do so. Such written assurances could be provided through a written contract, an email, or terms and conditions.
    • Retention and Deletion. The final Rule prohibits indefinite retention of personal information and clarifies deletion requirements for when personal information collected from a child is no longer reasonably necessary for the purposes for which it was collected. The Rule requires operators to include a written data retention policy in the online notice on their websites or online services. Operators can rely on an overall data retention policy so long as they distinguish the personal information that is collected from children.
  • FTC-approved COPPA Safe Harbor Programs. The updated provisions governing approved self-regulatory program guidelines ("safe harbor programs") require operators to identify each subject operator and all approved websites or online services, as well as any subject operators that have left the safe harbor program. In addition to existing requirements, the report provided by approved safe harbor programs must now also contain, at a minimum: (1) a narrative description of the safe harbor program's business model, including whether it provides additional services such as training to subject operators; (2) copies of each consumer complaint related to each subject operator's violation of a safe harbor program's guidelines; and (3) a description of the process for determining whether a subject operator is subject to discipline. The report must be submitted by October 22, 2025 (and annually, thereafter) but operators making use of the safe harbor provisions must also publicly post on each of the approved safe harbor program's websites and online services a list of all current subject operators and, for each such operator, list each certified website or online service no later than July 21, 2025. Approved safe harbor programs will be required to update this list every six months thereafter to reflect any changes to the approved safe harbor programs' subject operators or their applicable websites and online services. Approved safe harbor programs will also be required to submit to the FTC by April 22, 2028 (and every three years, thereafter) a report detailing the safe harbor program's technological capabilities and mechanisms for assessing subject operators' fitness for membership in the safe harbor program. Modifications to safe harbor programs must also be submitted to the FTC by October 22, 2025.

What's Next

Operators should review their COPPA compliance programs to ensure practices related to collection, use, disclosure, maintenance, retention, and deletion are in line with the new requirements. The final Rule is effective June 23, 2025, and regulated entities have until April 22, 2026, to comply with most of the updated provisions. Approved safe harbor programs should review (and update if necessary) their website and online service public notices by July 21 of this year and update their safe harbor reporting practices for submission by October 22 of this year.

+++

For assistance with compliance, please contact one of the authors of this alert or the Davis Wright Tremaine attorney with whom you work.