As we reported early last year, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking to the Children’s Online Privacy Protection Act rule (COPPA). On April 22, 2025, over a year after the notice of proposed rulemaking was issued, the FTC has finalized its amendments to the COPPA rule and are set to go into effect on June 23, 2025.
To note, while the amendments will be effective on June 23, 2025, regulated entities under COPPA have until April 22, 2026 to comply.
The amendments to the COPPA rule include, but are not limited to:
- Opt-in consent for targeted advertising. Operators of a website that process information of children under 13 will be required to obtain separate verifiable parental consent to disclose children’s personal information to third-party companies related to targeted advertising or other purposes.
- Data retention. Operators are required to only retain children’s personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected. The amendments explicitly state that the information cannot be retained indefinitely.
- Safe Harbor programs. The FTC has certain COPPA Safe Harbor programs. The FTC defines these as self-regulatory programs that implement the protections of the COPPA Rule. The amendments will now require these Safe Harbor programs to publicly disclose their membership lists and report additional information to the FTC. The FTC states that this is part of its efforts to increase accountability and transparency in the programs.
- Personal information definition amended. The definition of “Personal Information” under COPPA will now include “A biometric identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints.”
The amendments to the COPPA rule ended up not including the following requirements that were originally in the notice of proposed rulemaking in 2023:
- Limits on nudging kids to stay online. The amendments ended up not including any limitations on how an operator can provide prompts and notifications to encourage children to stay online and continue using its services. The FTC noted that it found “commenters’ concerns about inconsistency between the proposal and the COPPA statute and some of the First Amendment concerns related to the breadth of the proposed restriction persuasive.” Due to this, the FTC did not include any push notification or nudging limitations.
- Education Technology Restrictions. In the notice of proposed rulemaking, the new proposal would have allowed schools and districts to authorize educational technology providers to collect, use, and disclose personal information but only for a school-authorized educational purpose and not for any commercial purpose. However, the FTC ended up not including any new restrictions on education technology. The FTC’s reasoning is as follows: “To avoid making amendments to the COPPA Rule that may conflict with potential amendments to DOE’s [(Department of Education’s)] FERPA regulations, the Commission is not finalizing the proposed amendments to the Rule related to ed tech and the role of schools at this time.”
Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and our LinkedIn page.