The Federal Trade Commission (“FTC”) has published amendments to the Children's Online Privacy Protection Rule (the “Rule” or “COPPA”). The amendments to the Rule, which are based on the FTC's review of public comments and its enforcement experience, include one new definition and modifications to several others, as well as updates to key provisions to respond to changes in technology and online practices. The amendments are intended to strengthen protection of personal information collected from children, and, where appropriate, to clarify and streamline the Rule.
The Rule is effective June 23, 2025, with a compliance deadline of April 22, 2026 for most provisions.
I. Background
The FTC adopted the Rule in 2000, pursuant to rulemaking authority under the Children’s Online Privacy Protection Act of 1998. The Rule imposes certain requirements on operators of websites and apps that are directed to children under 13 and/or have actual knowledge that they collect personal information from children under 13. The Rule requires that operators provide direct and online notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13 years of age. Additionally, the Rule requires operators to provide parents the opportunity to review the types of personal information collected from their child, delete the collected information, and prevent further use or future collection of personal information from their child.
The FTC last updated the Rule in 2013 to address the increasing use of mobile devices and social networking. The latest amendments, first proposed in January 2024, reflect the evolving landscape of online services and data privacy concerns.
II. Key Amendments to the Rule
Key amendments to the Rule include:
- A new definition for “mixed audience website or online service,” which permits operators of mixed audience websites and online services to collect personal information without first obtaining parental consent for the limited purposes set forth in § 312.5(c) of the Rule, prior to determining visitor age. These purposes include to provide parental notice, respond directly to a specific request from the child, and to protect the safety of a child, provided the operator does not otherwise use or disclose such personal information for any other purpose.
- An update to the definition of “online contact information” to include a mobile telephone number “provided the operator uses it only to send text messages to a parent in connection with obtaining parental consent.”
- An update to the definition of “personal information” to include biometric data and government-issued identifiers. The definition will now include “biometric identifier[s] that can be used for the automated or semi-automated recognition of an individual” (e.g., fingerprints, handprints, retina and iris patterns, genetic data), as well as government-issued identifiers beyond Social Security numbers (e.g., state identification card, birth certificate, passport number).
- Enhanced direct notice content requirements. Direct notices to parents must now provide comprehensive details, including how operators will use children’s personal information, specific identities and categories of third-party recipients, purposes for such third-party disclosures, and explicit notification that parents can consent to collection without consenting to third-party disclosure when such disclosure is not integral to the service. Additionally, operators are required to identify third-party recipients by name and category in their online notices and include their data retention policies.
- Enhanced privacy notice content requirements. The Rule expands the content required in an operator’s privacy notice displayed on the operator’s website. The privacy notice must disclose the specific internal operations for which the operator has collected a persistent identifier and how the operator ensures that such identifier is not used or disclosed to contact a specific individual or for any other purpose not permitted under the Rule’s “support for the internal operations” consent exception.
- New methods for verifying parental identity. In addition to previously approved methods for verifying parental identity, like telephone or video calling, written consent forms and credit card verification, operators may also use the following methods for verifying a parent’s identity for purposes of obtaining parental consent:
- Knowledge-based multiple-choice questions that are of sufficient difficulty that a child “could not reasonably ascertain the answers,”
- Facial recognition technology that uses an authorized “government-issued photographic identification,” or
- The “text plus” method, whereby the operator sends a text message to the parent followed by an additional step to ensure the recipient is in fact the parent (e.g., a confirmatory text message, letter or telephone call).
- Operators must establish and maintain a written data retention policy that addresses the retention of children’s personal information and implement comprehensive information security programs.
- Operators must establish, implement and maintain a written information security program that contains safeguards appropriate to the sensitivity of the children’s personal information collected and the operator’s size, complexity, and nature and scope of activities.
- Increased Transparency for FTC-Approved COPPA Safe Harbor Programs. FTC-approved COPPA Safe Harbor programs must now provide records of disciplinary actions taken and publicly disclose their membership lists.
III. Conclusion
Companies subject to COPPA should begin reviewing their current practices against COPPA’s new requirements to identify and remedy any compliance gaps.
This advisory is a general overview of the Rule’s amendments and is not intended as legal advice. If you have any questions about the amendments or COPPA in general, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenllp.com, Elizabeth A. Murphy at (516) 296-9154, or via email at emurphy@cullenllp.com, David Curatolo at (516) 357-3733 or via email at dcuratolo@cullenllp.com, or Gabriela Morales at (516) 357-3850 or via email at gmorales@cullenllp.com.