On April 22, 2025, the Federal Trade Commission (“FTC” or “Commission”) published final amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), marking the first comprehensive update since 2013. The 2025 COPPA Rule amendments represent a significant expansion of children’s privacy protections with substantial new compliance obligations. While enhancing protections for children, the amendments may create implementation challenges that organizations should carefully consider. The tensions highlighted by Chairman Ferguson may influence future interpretation or amendments to the Rule. Organizations should begin preparing for implementation well before the April 2026 deadline while monitoring for any further regulatory guidance. This advisory outlines key changes and compliance considerations and provides a suggested timeline to help businesses meet the compliance deadline.

EFFECTIVE DATES

  • Effective Date: 60 days after Federal Register publication (approximately June 21, 2025)
  • Compliance Date: 365 days from publication (April 22, 2026) for most provisions
  • Safe Harbor Program Deadlines:
    • 90 days for publicly posting member lists
    • 6 months for submitting revised program guidelines and operator reports

KEY DEFINITIONAL CHANGES

The Rule expands the definition of “personal information” to include biometric identifiers such as fingerprints, retina patterns, genetic data, voiceprints, gait patterns, and facial templates. It also adds government-issued identifiers beyond Social Security numbers, including state identification cards, birth certificates, and passport numbers. In addition, the FTC revised its definition of “online contact information” to include mobile telephone numbers when sending text messages for parental consent. The FTC also added a new “mixed audience website” definition, which covers sites directed to children but not primarily targeting them and requires neutral age-screening without defaulting to a particular age.

ENHANCED NOTICE REQUIREMENTS

The Rule’s amendments significantly expand disclosure obligations for operators collecting children’s personal information. Direct notices to parents must now provide comprehensive details, including how operators will use children’s personal information, specific identities and categories of third-party recipients, purposes for such third-party disclosures, and explicit notification that parents can consent to collection without consenting to third-party disclosure when such disclosure isn’t integral to the service.

Similarly, online privacy policies must disclose identities and categories of all third-party recipients along with specific purposes for these disclosures, include detailed data retention policies clarifying how long children’s information will be stored, and provide specialized disclosures based on functionality. Specifically, operators using the “support for internal operations” exception must detail the specific operations for which persistent identifiers are collected and the safeguards preventing misuse, while those collecting audio files must describe precisely how such files will be used and confirm their prompt deletion after fulfilling their purpose.

NEW CONSENT REQUIREMENTS

The Rule introduces a pivotal change to parental consent requirements by mandating separate, explicit, verifiable parental consent specifically for third-party disclosures that aren’t integral to the service’s core functionality. This requirement distinguishes between essential data sharing necessary for service delivery and discretionary sharing for secondary purposes. Operators are explicitly prohibited from conditioning service access on consent to non-integral disclosures, with the Rule specifically defining “integral” disclosures as only those necessary to provide the requested service. Non-integral disclosures requiring separate consent include those made for monetary consideration, advertising purposes, or AI development.

The Rule expands the toolkit available to operators to obtain verifiable parental consent while creating a practical new exception for audio files. The Rule now recognizes knowledge-based authentication utilizing dynamic, multiple-choice questions of sufficient complexity that a child under 13 could not reasonably answer, as well as face-matching technology that compares a live image to verified photo identification (with mandatory prompt deletion of both images after verification).

For operators who do not disclose children’s personal information to third parties, the Rule introduces a streamlined “text plus” method, similar to the existing “email plus” approach, simplifying consent processes for lower-risk scenarios. Complementing these new consent methods, the Rule creates a pragmatic exception for audio files containing a child’s voice, eliminating the consent requirement when three conditions are simultaneously met: no other personal information is collected alongside the audio, the files are used exclusively to respond to the child’s specific request (such as voice commands or searches), and the files are deleted immediately after fulfilling their purpose—balancing privacy protection with the practical implementation of voice-enabled functionality.

DATA SECURITY AND RETENTION REQUIREMENTS

The amended Rule significantly strengthens data security and retention requirements through two interconnected mandates that create comprehensive obligations for operators handling children’s personal information. For the first time, operators must establish a formal, written information security program appropriately scaled to their size, complexity, and the sensitivity of children’s data they process, with explicit requirements to designate specific employees as program coordinators, conduct regular risk assessments, implement and test safeguards, perform annual program evaluations, and obtain written assurances from any third parties receiving children’s data.

Complementing these security measures, the Rule introduces strict data retention limitations that explicitly prohibit the indefinite storage of children’s personal information, requiring deletion when information is no longer reasonably necessary for its collection purpose, and mandating a comprehensive written retention policy that specifies collection purposes, business needs justifying retention, and concrete timeframes for deletion, all of which must be published in the online privacy notice. However, as Chairman Ferguson pointedly observed in his concurring statement, the prohibition against “indefinite” retention lacks a clear definition. As a result, it may create unintended consequences for legitimate long-term data preservation, potentially eliminating adults’ ability to access their childhood content and creating ambiguity about compliance timelines that could make implementation challenging for operators.

SAFE HARBOR PROGRAM CHANGES

Enhanced Transparency Requirements

The Rule significantly strengthens oversight of Safe Harbor programs through comprehensive transparency requirements designed to increase accountability in children’s privacy protection. Safe Harbor programs must now submit detailed annual reports identifying all subject operators and certified websites or services under their purview. They must also maintain public-facing postings of all current subject operators to enable greater scrutiny from parents and privacy advocates.

The Rule institutes a new triennial reporting requirement on technological capabilities and assessment mechanisms, ensuring Safe Harbor programs remain current with evolving digital environments. Additionally, annual reports must now include consumer complaints, creating visibility into real-world implementation challenges. At the same time, the scope of reviews has expanded beyond mere privacy policies to include a comprehensive assessment of operators’ security practices and procedures, substantially increasing the compliance burden for Safe Harbor participants. Several Safe Harbor provisions are effective in June 2025, while the rest of the Rule will not be effective until April 2026.

PRACTICAL IMPLEMENTATION CONSIDERATIONS

Record-Keeping

The Rule creates substantial new record-keeping obligations for covered operators. Organizations must develop and maintain comprehensive written information security programs with regular updates and evaluations, implement detailed written data retention policies that specify legitimate purposes and deletion timelines, maintain meticulous records of all third-party disclosures, including recipient identities and purposes, and preserve documentation of verifiable parental consent for all applicable data collection activities. These requirements serve both compliance and defensive purposes, enabling organizations to demonstrate good-faith efforts to protect children’s privacy in the event of regulatory inquiry.

Accommodations for Small Entities

Recognizing the disproportionate burden regulatory requirements can place on smaller organizations, the Rule incorporates flexibility mechanisms for entities with limited resources. Security and retention requirements are explicitly designed to be scalable based on the operator’s size, complexity, and scope of operations, allowing smaller entities to implement appropriately scaled protections. Organizations may maintain general information security programs and data retention policies that address children’s data alongside other information, rather than developing separate children-specific versions. Additionally, the Rule pragmatically acknowledges operational constraints by permitting designated security program coordinators to maintain other job responsibilities, enabling resource-constrained organizations to meet compliance requirements without dedicated privacy personnel.

RECOMMENDED COMPLIANCE ACTIONS

Implementing the Rule requires a structured approach to meet the compliance deadline. Below is a road map for businesses to help implement changes by the Rule’s effective date.

 

Timeline: Required Action

  • Immediately: Map all data flows involving children’s data; flag biometric, government‑ID, and audio inputs.
  • 60 days after FR publication: Begin revising privacy policies, direct notices, and age‑screening flows.
  • 90 days: If you run a Safe Harbor program, publish your member list.
  • 6 months: Submit revised Safe Harbor guidelines and operator audit reports.
  • 9 months: Deploy separate parental‑consent flows for all non‑integral third-party disclosures.
  • By April 22, 2026: Full compliance certification, complete security‑program testing, and data‑retention purge.

 

REGULATORY PERSPECTIVES AND CONCERNS

In a concurring statement dated January 16, 2025, FTC Chairman Andrew N. Ferguson supported the Rule while highlighting three key areas of concern that may impact implementation strategies. Regarding third-party disclosure requirements and competition, Chairman Ferguson, while supporting enhanced disclosure requirements, expressed significant concern that requiring new parental consent for every addition or change of third-party service providers could impede market competition, particularly as the Rule does not clearly define what constitutes a “material change” requiring fresh consent—potentially locking operators into existing vendor relationships by making switching costs prohibitively high.

On the indefinite data retention prohibition, Ferguson criticized the ambiguity and potential unintended consequences, noting the Rule fails to define “indefinite” and could lead to problematic outcomes such as deletion of childhood content that adults might want preserved, suggesting organizations develop clear retention timelines that balance compliance with consumer expectations.

Finally, Ferguson noted that the Rule missed a critical opportunity to create an exception for collecting personal information solely for age verification purposes. This creates a practical compliance challenge for mixed-audience websites that need to verify age before knowing whether COPPA applies, a consideration that organizations operating such sites should carefully evaluate in their compliance strategies. It is unclear if the agency’s efforts to trim regulations will impact these sections of the Rule.

The CommLaw Group Can Help! 

Navigating the changes to the COPPA rule requires experienced legal counsel. The CommLaw Group specializes in data privacy and consumer protection and helps businesses interpret regulations and develop pragmatic compliance plans to mitigate risk and meet legal obligations. 

Contact Us 

Susan Duarte: 703-714-1318 | sfd@commlawgroup.com 

Diana James: 703-663-6757 | daj@commlawgroup.com