Companies that may have child users, or whose competitors have child users, take note. On January 16, 2025, the Federal Trade Commission (FTC) announced the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). At a high level, the COPPA Rule requires websites or online services to provide notice and obtain verifiable parental consent before collecting information from children under the age of 13. The Rule’s amendments slightly expand the Rule’s scope, change the previous notice and consent provisions, and implement new data security requirements. Violations of the Rule would be subject to $53,088 in civil penalties per violation.

The rulemaking process for these amendments began in 2019, though the FTC did not publish a notice of proposed rulemaking until January 2024. The FTC unanimously voted to approve the final Rule, with newly appointed Chairman Andrew Ferguson issuing a separate concurrence outlining his reservations with the final package. Notably, the COPPA Rule amendments leave out some key concepts that were under consideration, signaling the potential course under the new administration.

The COPPA Rule’s key changes for operators, the FTC’s notable omissions, and next steps are below.

Scope of the Rule

The COPPA Rule applies to operators of websites or online services that are “directed to children” or have actual knowledge that they have collected information from a user under 13. In order to determine whether a website or online service is directed to children, the FTC will consider various factors.

The amendments to the Rule add further factors to the test, which could potentially expand the Rule’s scope. Now, the FTC will also consider marketing materials or promotional plans, representations to third parties, reviews by users or third parties, and the age of users on similar websites and services. These new factors do not impose an obligation on services to monitor reviews and conduct competitor demographic analysis, but companies that already engage in these practices may now be considered “directed to children” if those practices put the company on notice that they may have children using their services.

The amendments also add a standalone definition of “mixed audience website or online service.” A mixed audience website or online service is one that is “directed to children” but does not have children as its primary audience. This concept was in the previous iteration of the COPPA Rule and was outlined in the FTC’s guidance. As such, this change to the COPPA Rule simply clarifies and codifies this concept.

Mixed audience websites may implement neutral age screens in order to determine which users need to be subject to COPPA’s requirements versus those that do not. While not stated explicitly in the Rule, the final rulemaking package makes clear that mixed audience websites that have child-directed portions of their website can limit the implementation of COPPA’s requirements to that portion of the website or online service.

Expanded Definition of Personal Information

The COPPA Rule requires notice and parental consent prior to collecting personal information from children, subject to limited exceptions. The amendments expand the list of government-issued identification considered personal information, such as state identification cards. Additionally, biometric identifiers that “can be used for the automated or semi-automated recognition of an individual” are now expressly considered personal information. Some examples provided in the rule include fingerprints, retina patterns, genetic data, and facial templates.

Changes to Notice and Consent Provisions

Operators already subject to the COPPA Rule will need to revise both their direct and online notices to account for new requirements:

  • Direct notice: Must now 1) explain how the business intends to use personal information collected from children; 2) disclose the identities or specific categories of third parties to whom personal information may be disclosed, including the public if information is publicly available; 3) state the purposes for such disclosure(s); 4) state that parents may consent to the collection and use of their child’s personal information without consenting to third-party disclosures unless such disclosure is “integral” to the website or online service; and 5) state that, if the parent does not consent within a reasonable time, the operator will delete the name and contact information of both the parent and child.
  • Online notice: Must now 1) disclose the identities and categories of third parties that receive personal information from the operator; 2) state the purposes for such disclosure(s); 3) if applicable, detail the specific internal operations for which the business collects persistent identifiers not subject to parental consent and the means by which the business ensures that such identifiers are not used or disclosed to contact individuals or for other purposes; 4) if audio files are collected pursuant to the new audio file exception, disclose how those files are used and that the operator will delete the files after responding to the child’s request; and 5) disclose the operator’s data retention policy.

Additionally, operators must now obtain separate verifiable parental consent for the disclosure of a child’s personal information to third parties unless that disclosure is integral to the website or online service.

The FTC also codified its enforcement policy statement on audio files, permitting operators to collect and use audio files containing a child’s voice to respond to a child’s specific request without parental consent, so long as no other personal information is collected. The operator cannot use the audio file for any other purpose, cannot disclose the file, and must immediately delete the file after responding to the child’s request.

The FTC also expanded the ways in which operators may obtain verifiable parental consent. First, the FTC removed the word “monetary” from the existing monetary transaction method. Second, the amendments codify two previously approved methods submitted by the industry: knowledge-based authentication processes and facial recognition comparisons of government-issued photo IDs with device-taken photos. For the latter, this method must involve human review of the outputs. Finally, the Rule now includes a “text plus” method. This method mimics the existing “email plus” method but allows the notification to be sent via text message instead of email. If using the “text plus” method, operators must allow parents to revoke consent at any time by responding to the initial text message sent by the company.

New Data Security Requirements

The COPPA Rule now requires that operators establish, implement, and maintain a written data retention policy that sets forth the purposes for collection, the need for retention, and timeframe for deletion. As noted above, this policy must be included in the online notice. Personal information can only be retained for as long as reasonably necessary for the “specific purpose(s)” for which it was collected and must be deleted when no longer reasonably necessary for said purpose(s). Per the final rulemaking package, the FTC emphasized that timeframes for deletion must be reasonable and stated that they cannot be indefinite.

Additionally, operators must establish, implement, and maintain a written information security program. Businesses can rely on existing information security programs that apply to the whole business, so long as the program applies to children’s data and satisfies the COPPA Rule’s requirements.

As part of the information security program, an operator must:

  • designate one or more employees to coordinate the program;
  • identify and perform assessments annually, at a minimum, to identify internal and external security risks and the sufficiency of any safeguards;
  • design, implement, and maintain safeguards to control risks identified through the program;
  • regularly test and monitor the effectiveness of safeguards; and
  • evaluate and modify the program on an annual basis, at a minimum, to address identified risks, results of tests and monitoring, new or more efficient technological or operational controls, or any other circumstances that the operator knows or has reason to know may have a material impact on the program or safeguards.

Finally, before providing or releasing personal information from children to third parties who collect or maintain personal information on the operator’s behalf, including service providers, the operator must take “reasonable steps to determine” that the entities can maintain the confidentiality, security, and integrity of the information. Additionally, the operator must obtain written assurances that such entities will employ reasonable security measures.

Notable Omissions in Final Rule

There are three notable omissions in the final rulemaking package.

First, the FTC declined to codify the existing Ed-Tech exception articulated in FTC guidance. Such an exception allows schools to step into the shoes of parents to provide consent for the collection and use of children’s personal information and has been heavily relied upon by the Ed-Tech industry. The FTC stated that they declined to codify the exception due to a potential student privacy rulemaking initiated by the U.S. Department of Education and that the FTC would continue to enforce consistent with the COPPA FAQs. However, Chairman Ferguson has previously expressed skepticism regarding the Ed-Tech exception, which could be the motivating factor behind the lack of codification. Since the exception was not codified in the amendments to the COPPA Rule, the FTC could now revoke this exception by simply revising the COPPA FAQs.

Second, the FTC declined to add any language restricting techniques to increase or drive engagement as a permitted internal operation for which parental consent is not required. Due to the range of perspectives articulated in comments, the FTC declined to address this issue at this time. However, the rulemaking package makes clear that the FTC may continue to pursue enforcement under Section 5 of the FTC Act in appropriate cases to address unfair or deceptive acts or practices that encourage prolonged use of websites and increase the risk of harm to children.

Third, the FTC declined to address whether operators can use certain personal information for purposes of age assurance or age verification prior to obtaining parental consent. The FTC stated that most of the comments did not specify the type of information that operators would collect in order to determine age or what identifiers such information might be combined with. Notably, the FTC said that determining whether a visitor is a child from sources other than the child, such as reliable third-party platforms, would not be considered collection of “personal information” under the COPPA Rule.

What Happens Next?

The COPPA Rule will become effective 60 days after publication in the Federal Register, and the compliance dates for all provisions except certain safe harbor program amendments will be 365 days after publication.

That being said, President Trump issued an executive order on January 20, 2025, that initiates a freeze on any rules pending review or publication. Notably, the order requires that executive departments and agencies immediately withdraw any rules that have been sent to the Office of the Federal Register for publication but have not yet been published so that the head of the department or agency can review and approve the rule.

Since the COPPA Rule has not been published in the Federal Register, it is likely that the FTC will now withdraw the rule in order for Chairman Ferguson to review and approve it. While the Chairman voted in favor of issuing the COPPA Rule, he expressed concerns about three issues: 1) ambiguity regarding whether changing the list of third parties that receive personal information constitutes a material change for which operators must re-obtain parental consent; 2) the COPPA Rule’s prohibition on indefinite retention; and 3) the FTC’s declination to allow mixed audience websites or online services to use personal information for age verification processes prior to obtaining parental consent. It is unclear whether the Chairman will withdraw the COPPA Rule as announced to address these concerns, or whether he will approve the Rule as written.

Even absent the amendments, the FTC will likely continue to focus on children’s privacy as a key enforcement area during this administration.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and specializes in issues pertaining to children’s privacy, including compliance with the COPPA Rule. For more information or assistance with your compliance program, please contact Libby Weingarten, Tracy Shapiro, Rebecca Weitzel Garcia, or another member of the firm’s data, privacy, and cybersecurity practice.