FTC Publishes Final COPPA Rule Amendments
April 25, 2025
On April 22, 2025, the Federal Trade Commission published in the Federal Register final amendments to the Children’s Online Privacy Protection Act Rule (the “Rule”). The Rule will go into effect 60 days from publication, on or about June 21, 2025, with a compliance deadline of April 22, 2026. The Rule largely tracks the amendments the FTC announced in January 2025, which resulted from a Notice of Proposed Rulemaking issued by the FTC in 2024 (the “2024 NPRM”), with certain differences.
Key updates to the Rule include:
- Updated definitions: The Rule adds or updates several defined terms, including:
- Contact information: The Rule adds to the definition of “online contact information”: mobile phone numbers, “provided the operator uses it only to send a text message.” Under COPPA, operators can use a child or parent’s contact information to provide notice and obtain parental consent without first obtaining consent to the collection of the contact information. According to the FTC, the amendment was intended to give operators another way to initiate the process of seeking parental consent quickly and effectively.
- Personal information: The Rule updates the definition of “personal information” to include:
- Biometric identifier: The Rule adds to the definition of “personal information”: “a biometric identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints[.]” Notably, the Rule does not include “data derived from voice data, gait data, or facial data,” which is language that was proposed in the 2024 NPRM.
- Government-issued identifier: The Rule adds to the definition of “personal information”: “[a] government-issued identifier, such as a Social Security, [S]tate identification card, birth certificate, or passport number[.]”
- Mixed audience website or online service: The FTC first developed this category in the 2013 COPPA Rule amendments, as a subset of “child-directed” websites and online services, but did not define the term. The Rule defines the term as “a website or online service that is directed to children under the criteria set forth in paragraph (1) of the definition of website or online service directed to children, but that does not target children as its primary audience, and does not collect personal information from any visitor prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.” The updated definition further requires that “[a]ny collection of age information, or other means of determining whether a visitor is a child, must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information.”
- Website or online service directed to children: The Rule expands the factors the FTC will consider in determining whether a website or service is “directed to children,” adding marketing or promotional materials or plans, representations to consumers or third parties, reviews by users or third parties, and the ages of users on similar websites or services.
- Enhanced direct notice content requirements: The Rule expands the content required in an operator’s direct notice to parents for the purpose of obtaining parental consent where required under COPPA.
- Use of personal information: The direct notice must disclose how the operator intends to use the child’s personal information (in addition to the existing requirements to include the categories of the child’s personal information to be collected and the potential opportunities for the disclosure of the child’s personal information).
- Third-party disclosures: Where the operator discloses children’s personal information to third parties, the direct notice must specify: (1) the identities or specific categories of the third parties (including the public, if such data is made publicly available), (2) the purposes for such disclosure, and (3) that the parent can consent to the collection and use of the child’s personal information without consenting to the disclosure of such personal information to third parties, except to the extent such disclosure is integral to the website or online service.
- Enhanced privacy notice content requirements: The Rule also expands the content required in an operator’s privacy notice displayed on the operator’s website.
- Internal operations: The privacy notice must disclose: (1) the specific internal operations for which the operator has collected a persistent identifier and (2) how the operator ensures that such identifier is not used or disclosed to contact a specific individual or for any other purpose not permitted under COPPA’s “support for the internal operations” consent exception.
- Audio files: If applicable, a description of how the operator collects audio files containing a child’s voice solely to respond to the child’s specific request and not for any other purpose, and a statement that the operator immediately deletes such audio files thereafter.
- Verifiable parental consent methods: The Rule adds three approved methods for verifying a parent’s identity for purposes of obtaining parental consent:
- Knowledge-based authentication, provided that (1) the authentication process uses dynamic, multiple-choice questions with a sufficient number of possible answers and (2) the questions are difficult enough that a child under 13 could not reasonably answer them correctly.
- Government-issued identification, provided that the operator verifies the photo ID as authentic and matches it against an image of the parent’s face using facial recognition technology, and promptly deletes the ID and facial images once the match is confirmed.
- Text message to the parent, coupled with additional steps to confirm the parent’s identity (e.g., a confirmation text sent to the parent after consent is received). (Note that this option is available only under certain enumerated circumstances.)
- Limited exception to parental consent for the collection of audio files containing a child’s voice: The Rule allows operators to collect audio files containing a child’s voice (and no other personal information) solely to respond to a child’s request without providing direct notice or obtaining parental consent. This exception applies only if the operator does not use the information for any other purpose, does not disclose it, and deletes the data immediately after responding to the request. This amendment codifies a 2017 FTC enforcement policy statement regarding the collection and use of children’s voice recordings.
- Limits on data retention and publication of data retention policy: The Rule prohibits operators from retaining children’s personal information indefinitely. Operators may not retain children’s personal information for longer than necessary to fulfill the specific documented purposes for which the data was collected, after which the data must be deleted. Operators also must establish, implement and maintain a written data retention policy that specifies (1) the purposes for which children’s personal information is collected, (2) the specific business need for retaining such data, and (3) a timeline for deleting the data. The data retention policy must be published in the operator’s privacy notice required under COPPA.
- Written information security program: The Rule requires operators to establish, implement and maintain a written information security program that contains safeguards appropriate to the sensitivity of the children’s personal information collected and the operator’s size, complexity, and nature and scope of activities. Specifically, operators must, in connection with the written information security program, (1) designate personnel to coordinate the program, (2) at least annually, identify and assess internal and external risks to the security of children’s personal information, (3) implement safeguards to address such identified risks, (4) regularly test and monitor the effectiveness of such safeguards, and (5) at least annually, evaluate and modify the information security program accordingly.
- Vendor and third-party due diligence requirements: Before disclosing children’s personal information to other operators, service providers or third parties, the Rule requires operators to “take reasonable steps” to ensure that such entities are “capable of maintaining the confidentiality, security, and integrity” of such data. Operators also must obtain written assurances that such entities will use “reasonable measures to maintain the confidentiality, security, and integrity” of the information.
- Increased Safe Harbor transparency: By October 22, 2025, and annually thereafter, FTC-approved COPPA Safe Harbor programs are required to identify in their annual reports to the Commission each operator subject to the self-regulatory program (“subject operator”) and all approved websites or online services, as well as any subject operator that left the program during the time period covered by the annual report. The Safe Harbor programs also must outline their business models in greater detail and provide copies of each consumer complaint related to a member’s violation of the program’s guidelines. The report also must describe each disciplinary action taken against a subject operator and a description of the process for determining whether a subject operator is subject to discipline. In addition, by July 21, 2025, Safe Harbor programs must publicly post (and update every six months thereafter) a list of all current subject operators and, for each such operator, list each certified website or online service. Further, by April 22, 2028, and every three years thereafter, Safe Harbor programs must submit to the FTC a report detailing the program’s technological capabilities and mechanisms for assessing subject operators’ fitness for membership in the program.