The FTC announced amendments to the Children’s Online Privacy Protection Rule (COPPA) on January 16, 2025, the first updates to the rule since 2013. The new rules address various aspects of children’s online privacy to keep pace with technological advancements and evolving online practices. State and federal legislators and regulators continue to make child privacy a key priority.
Rule changes will become effective 60 days after being published in the Federal Register. Covered operators will then have one year from the publication date to comply with the new requirements.
COPPA generally requires covered website and online service operators to include notices about their information collection practices for children under 13, obtain “verifiable parental consent” before collecting, using, or disclosing children’s personal information, and not require more personal information than necessary for participation in an online activity. Key changes under the new rule include:
- Expanded Definitions: Broadened definitions of key terms, such as “personal information,” which now includes biometric data, such as fingerprints, retina patterns, and voiceprints.
- Opt-In Consent: Operators must obtain verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising or non-integral purposes.
- Additional Disclosures: Operators must expand certain notice disclosures to include additional information, such as the identities or specific categories of third parties with whom they may share personal data and the purposes for sharing that data.
- Written Information Security Program (WISP): Operators must establish, implement, and maintain a WISP with safeguards appropriate to the sensitivity of collected information and the operator’s size, complexity, and activities. The WISP can be part of a broader policy that applies both to children’s personal information and other information and otherwise meets COPPA requirements.
- Data Retention Limits and Policy: Operators may only retain children’s personal information for as long as it is reasonably necessary to fulfill the specific purpose for which it was collected and must provide on their website or service a written data retention policy that specifically or separately addresses children’s personal data.
The COPPA updates reflect a growing recognition of the importance of protecting children’s privacy in an increasingly digital world. Child privacy laws continue to expand, generally imposing similar obligations, but nuanced requirements are emerging within the patchwork laws. Covered operators should review existing compliance programs and start thinking through how data collection and retention practices may need to be adjusted to comply with the new child privacy laws like the new COPPA requirements.
* Tori Geller contributed to this article.
Aaron works across numerous highly-regulated industries, helping them comply with state and federal laws related to privacy and data security, cannabis, marketing, teleservices, and other consumer protection matters.