FTC’s Strengthened Children’s Online Privacy Rules Now in Effect

Read Time: 8 minutes

Key Takeaways: On June 23, 2025, the Federal Trade Commission's (“FTC's”) latest set of amendments to the Children’s Online Privacy Protection Act (“COPPA”) went into effect, marking the first time since 2013 that the seminal federal privacy law governing children’s online privacy practices has been updated. The final rules include definitional updates, additional requirements for the content of privacy notices, and mandate operators to create a written information security program dedicated to addressing data privacy and security risks and safeguards. As updated, COPPA will require organizations subject to the law to make operational and informational changes to their privacy practices, contributing to the increasingly complex web of state and federal privacy regulations in the United States. Continue reading for a breakdown of the key provisions of the updated law and what it may mean for your business.

Introduction

On Monday, June 23, 2025, a set of final rules promulgated by the Federal Trade Commission (“FTC”) amending the Children’s Online Privacy Protection Act (“COPPA”) went into effect. This update marks the FTC’s first rulemaking effort since 2013, and just the second overall rule since COPPA went into effect in 2000.

COPPA is a federal law designed to protect the online privacy of children under 13 by placing specific requirements on website and online services operators with respect to the collection, use, and disclosure of children’s personal information. The goal of COPPA is to provide parents with greater control over what information is collected from their children online and how such information is used. Among other provisions, the COPPA amendments feature updated definitions, expanded methods of obtaining parental consent, and prescriptions for the content of parental notices.

Key Elements of the COPPA Final Rule

Updated definitions

The COPPA amendments expand the definition of “personal information” to include biometric identifiers that can be used for the automated or semi-automated recognition of an individual (such as fingerprints, iris scans, voiceprints, genetic data, and more).

The final rules also amend the calculus for determining whether a website or online service is “directed to children” within the meaning of the law. The amendments add that, in making this determination, the FTC may consider (along with its existing multi-factor analysis), the marketing materials or plans issued by the operator, representations made to consumers or third parties, peer reviews by consumers or third parties, and the age of users on similar websites or services.  

Content of notices

The COPPA amendments make changes to what is required in disclosures from the website operator to parents. Under the current law, operators are required to provide both a direct notice to parents and an online notice when collecting personal information from children under 13. Generally, the direct notice is sent to the parents prior to information collection, while the online notice comes in the form of a website privacy policy with COPPA-specific disclosures.

Under the final rules, operators must identify the categories of third parties they plan to share personal information with and explain the purpose of such sharing.  This information must be provided in the direct notice to the parents. The direct parental notice also must explain that parents have the option to consent to the collection and use of their child’s personal information without consenting to disclosures of that information to third parties, unless such disclosure is necessary for the purpose for which it is provided.

The amendments also impose additional requirements for the content of online notices (i.e., privacy policies). Such notices must also identify the specific categories of third parties with whom children’s personal information is shared, the purposes for which persistent identifiers (i.e., pieces of information that can be used to recognize a unique user over time and across different websites or online services) are collected (and how the operator prevents such identifiers from being used for unauthorized purposes), and, to the extent applicable, how operators use and dispose of audio files containing a child’s voice.

Methods of parental consent

COPPA requires operators to obtain verifiable parental consent in order to collect, use, or disclose personal information about a child and outlines specific methods by which this consent may be obtained. The final rules expand on this requirement by adding three additional methods of consent:

  • Knowledge-based authentication process: this process entails verifying a parent’s identity using dynamic, multiple-choice questions that are sufficiently sophisticated to prevent random correct guessing and children under 13 from answering correctly.
  • Photo identification: consent may also be obtained by phone or web facial recognition technology. Operators using this method to obtain consent must delete the parent’s identification and image after the match is confirmed.
  • Text-plus verification: This method involves an operator using a text message coupled with additional steps to provide assurances that the person providing consent is the parent (e.g., sending a confirmatory text message; obtaining a postal address and confirming consent via letter or call). Importantly, this method of consent is only available for operators who do not disclose the personal information of children to third parties, under the rationale that this method of obtaining consent carries a higher risk that a child may impersonate their parent than do other methods of obtaining verifiable parental consent.

Data retention limits

The final rules prohibit operators from indefinite retention of children’s personal information by requiring retention only for as long as is reasonably necessary to fulfill the specific purpose for which it was collected.

Heightened requirements for safe harbor programs

COPPA includes a provision that enables industry groups or others to submit to the FTC for approval self-regulatory guidelines that meet or exceed the protections of COPPA and final rules promulgated thereunder by the FTC. Under this safe harbor, if an operator complies with an approved set of guidelines, it is deemed to be in compliance with COPPA itself.

The final rules require approved safe harbor programs to publicly disclose their membership lists and submit periodic reports to the FTC that include an independent assessment of member-operators’ compliance with the program’s guidelines.

Information security program

The amendments follow in the steps of data security laws in several other states by requiring operators to implement a written children’s information security program, including safeguards appropriate to the sensitivity of the personal information collected from children and taking into account the size, complexity, nature, and scope of the operator’s activities.

At a minimum, the operator must: (i) designate one or more employees to coordinate the operator’s information security program; (ii) perform assessments on at least an annual basis to identify internal and external risks to the confidentiality, security, and integrity of personal information collected from children, as well as the sufficiency of its security safeguards; (iii) design, implement, and maintain appropriate safeguards to control the risks identified in such assessments; (iv) regularly test and monitor the effectiveness of the safeguards in place; and (v) at least annually, evaluate and modify the information security program to address identified risks, results of testing and monitoring, and new or more efficient technological or operational capabilities that may have a material impact on the information security program or established safeguards.

Business Considerations for COPPA Compliance

As a general matter, given the FTC’s continued focus on children’s personal information and data privacy, companies should prioritize data collection and retention policies, disclosure practices, content of notices, and data security to remain in compliance with COPPA.

Marketing review

Online service providers and websites should conduct an internal audit incorporating the FTC’s latest determination criteria to evaluate whether they remain or are newly subject to COPPA. Such audits should include a comprehensive review of the marketing materials, plans, and communicative representations made to the public, as well as a review of similar websites within the operator’s domain.

Evaluate disclosures and notices

Organizations that collect and disclose personal information from children online should evaluate their existing website privacy policies and parental notices and update them, as needed, to incorporate the new requirements related to disclosures of third-party information sharing and use. Affected online operators should also consider updating their verifiable consent procedures to incorporate the newly-added methods accepted by the FTC.

Information security program

Organizations that collect personal data from children should establish and implement a written information security program, including all elements identified above, appropriate to the nature and scope of the volume of information the entity collects from children. As part of this program, organizations subject to COPPA should adopt a formal data retention schedule and data management policy that outlines retention timelines and deletion procedures. All personnel responsible for maintaining children’s information should be trained on such policies and legal updates.

Conclusion:

The amended COPPA rules reflect the FTC’s commitment to safeguarding children’s privacy and represent further development in the ever-growing patchwork of privacy law in the United States. Now that the amendments have entered effect, organizations should take proactive steps to evaluate their current practices to ensure transparency and compliance with federal law. For additional guidance regarding your company’s data privacy and security governance or compliance efforts, feel free to contact one of the specialists in our Data Privacy and Security Practice Area, and we will be happy to assist. 

* Special thanks to Summer Associate Emalie Wightman for her contributions to this article.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Related Services

Explore Our

Newsroom


Learn about the latest legal news, firm announcements, and upcoming events on the topics important to you and your business.

View All Insights
A close-up view of a modern bridge against a clear sky. The bridge features a sleek, curved design with an underside illuminated by warm sunlight, creating a contrast of light and shadow. The railing and cables are visible, adding to the architectural det
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.