Privacy & Information Security Law Blog

On January 16, 2025, the FTC announced the issuance of updates to the FTC’s Children’s Online Privacy Protection Rule (the “Rule”), which implements the federal Children's Online Privacy Protection Act of 1998 (“COPPA”). The updates to the Rule come more than five years after the FTC initiated a rule review. The Commission vote on the Rule was 5-0, with various Commissioners filing separate statements. The updated Rule, which will be published in the Federal Register, contains several significant changes, but also stops short of the version proposed by the FTC in January 2024. The Rule will go into effect 60 days after its publication in the Federal Register; most entities subject to the Rule will have one year after publication to comply.

Key updates to the Rule include:

• Requirement to obtain opt-in consent for targeted advertising to children and other disclosures of children’s personal information to third parties: The Rule will require operators of child-directed websites or online services to obtain separate verifiable parental consent before disclosing children’s personal information to third parties. According to a statement filed by outgoing FTC Chair Lina Khan, this means that operators will be prohibited from selling children’s personal information or disclosing it for targeted advertising purposes unless parents separately agree and opt in to these uses.
• Limits on data retention: The Rule will prevent operators from retaining children’s personal information for longer than necessary than the specific documented purposes for which the data was collected. Operators also must maintain a written data retention policy that (1) details the specific business need for retaining children’s personal information and (2) sets forth a timeline for deleting this data. Operators may not retain children’s personal information indefinitely.
• Changes to key definitions: The Rule also makes several changes to the definitions that govern its application. For example, the definition of “personal information” now includes biometric identifiers that can be used for the automated or semi-automated recognition of a child (e.g., fingerprints, handprints, retina patterns, iris patterns, genetic data - including a DNA sequence, voiceprints, gait patterns, facial templates, or faceprints). In addition, the factors the Commission will take into account in considering whether a website or service is “directed to children” will be expanded to include marketing or promotional materials or plans, representations to consumers or third parties, reviews by users or third parties and the ages of users on similar websites or services.
• Increased Safe Harbor transparency: FTC-approved COPPA Safe Harbor programs are required to identify in their annual reports to the Commission each operator subject to the self-regulatory program (“subject operator”) and all approved websites or online services, as well as any subject operator that left the program during the time period covered by the annual report. The Safe Harbor programs also must outline their business models in greater detail and provide copies of each consumer complaint related to a member’s violation of the program’s guidelines. In addition, Safe Harbor programs must publicly post a list of all current subject operators and, for each such operator, list each certified website or online service.

Importantly, the Rule is notable for what it does not contain.

• No EdTech changes: Despite having proposed imposing a wide range of obligations on EdTech companies operating in the education space, the Rule avoids incorporating any education-related requirements. According to the FTC, because the Department of Education has indicated its intention to update its FERPA regulations (34 C.F.R. 99), the Commission sought to avoid changing COPPA in any way that might conflict with the DOE’s eventual amendments. Instead, the Commission states it will continue to enforce COPPA in the EdTech context consistent with its existing guidance.
• No coverage of user engagement techniques: The Rule does not incorporate the proposal to require parental notification and consent for the collection of data used to encourage or prompt children’s prolonged use of a website or online service. The Commission indicated that, after reviewing the public comments, it believes the proposed use restriction “was overly broad and would constrain beneficial prompts and notifications.” The FTC cautioned, however, that it nevertheless may pursue enforcement under Section 5 of the FTC Act in appropriate cases to address unfair or deceptive acts or practices encouraging prolonged use of websites and online services that increase risks of harm to children.
• Personalization and contextual advertising still exempted: The Rule does not limit the “support for the internal operations” exemption under COPPA to exclude operator-driven personalization or contextual advertising.
• No need to tie personal information collected to specific uses: The Rule will not require that operators correlate each data element collected online from children to the particular use(s) of such data element.

In voting in support of the revised Rule, incoming FTC Chair Andrew Ferguson filed a separate statement expressing what he termed “serious problems” with the Rule, which he blamed on “the result of the outgoing administration’s irresponsible rush to issue last-minute rules.” Ferguson would have required the Rule to clarify instances in which an operator’s addition of third parties to whom they provide children’s personal information would trigger a need for updated notice and refreshed consent. He also took issue with the prohibition on indefinite retention of children’s personal information, predicting that it “is likely to generate outcomes hostile to users.” Finally, he indicated his belief that the FTC missed an opportunity to make clear the Rule is not an obstacle to the use of children’s personal information solely for the purpose of age verification.