On January 16, 2025, the Federal Trade Commission (FTC) issued a Final Rule updating the Children’s Online Privacy Protection (COPPA) Rule, significantly expanding compliance obligations for online services that collect, use, or disclose personal information from children under 13.[1] The amendments impose new restrictions on targeted advertising, add data security requirements, refine parental consent mechanisms, and introduce additional compliance measures.
The Final Rule is set to take effect 60 days after publication in the Federal Register (which has not happened yet as of the time of this writing), with most provisions requiring compliance within one year of publication, aside from certain Safe Harbor provisions.[2]
Background of COPPA
COPPA was originally enacted in 1998 and became effective in 2000 to protect the online privacy of children under 13. The rule requires operators of websites and online services directed at children under 13, or that have actual knowledge that a user is under 13, to obtain verifiable parental consent before collecting, using, or disclosing children’s personal information. Over the years, technological advancements have prompted updates to the rule, including a significant revision in 2013 that expanded the definition of personal information to include persistent identifiers such as cookies, and geolocation data, among other changes. The FTC’s new update addresses evolving digital business models and data collection practices over the past decade.
Key Changes to COPPA
The Final Rule introduces several critical modifications to the existing regulatory framework:
- Restrictions on Targeted Advertising: The Final Rule expands limitations on behavioral advertising by stating that online services must obtain separate verifiable parental consent before disclosing children’s online activity to third parties for targeted ads. This separate consent requirement applies to non-integral third-party disclosures, such as third-party advertising, and prohibits operators from conditioning access on providing this consent.[3]
- Data Security and Retention Requirements: Online service providers must now implement specific data security measures to protect personal information collected from children, including annual assessments and designated employees for overseeing cybersecurity programs.[4] Under the Final Rule, companies must establish a written data retention policy that states the purpose of collecting children’s personal information and the timeframe for deletion.[5] Companies may not retain children’s personal information for longer than is reasonably necessary for the purpose for which it was collected.[6]
- Expanded Definition of ‘Personal Information’: The Final Rule broadens the scope of covered data to include biometric identifiers that can be used for automated or semi-automated recognition of individuals, such as fingerprints, handprints, genetic data, retina patterns, voiceprints, gait patterns, or facial templates.[7] The new definition will also include government-issued identifiers that are not Social Security numbers, such as passport numbers, state ID cards and birth certificates.[8]
- Clarification on Support for Internal Operations: The Final Rule clarifies that for the “support for internal operations” exception where no prior parental consent is required, the collection of persistent identifiers used for supporting internal operations may be used for the activities listed in the definition of “support for the internal operations of the website or online service.”[9]
- Changes to Parental Notice and Online Notice Requirements: To request parental consent for collecting or using a child’s personal information, companies must provide direct notice to parents. According to the Final Rule, this direct notice must be provided every time a company seeks parental consent, and must include: (i) information on the operator’s intent for the child’s personal information; (ii) the identity of third parties with whom the company shares personal information; (iii) the purposes for sharing with those third parties; and (iv) the fact that parents may consent to the collection and use of the child’s personal information without consenting to the company disclosing the information.[10] Links to an online notice must be present at each area of a website where children’s personal information is collected. The Final Rule adds new requirements for these online notices, including: (i) identities and categories of third parties to which the website operator discloses personal information; (ii) the purpose of said disclosures, and the specific internal operations for which persistent identifiers are used, if applicable; (iii) a description of the use of audio files of children’s voices, if applicable; and (iv) the operator’s data retention policy for the personal information of children.[11]
- Adjustments to Parental Consent Mechanisms: In the Final Rule, the FTC added more methods of obtaining verifiable parental consent to collect, use or disclose children’s personal information. These new methods include: (i) requiring parents to use a credit card or other online payment system that provides notifications of transactions, regardless of whether or not it is a monetary transaction; (ii) using a knowledge-based authentication process, such as verification of a parent’s identity with dynamic multiple choice questions designed to be difficult to correctly guess; (iii) matching facial images to verified authentication photos, such as government-issued ID; and (iv) subject to certain conditions, using text messages paired with steps to verify that the person providing consent is the parent.[12]
- Third-Party Data Sharing Restrictions: The Final Rule clarifies restrictions on sharing children’s data with third parties, requiring operators to give parents the option to consent to collection and use of the child’s personal information without also consenting to disclosure to third parties, unless that disclosure is integral to the website or online service. The FTC also stated that operators will not be able to condition a child’s participation in any online activity on obtaining parental consent to disclosure to third parties.[13]
- Clarification of ‘Website or Online Service Directed to Children’ and ‘Mixed Audience Website or Online Service’: The Final Rule provides additional guidance on what constitutes a “website or online service directed to children”, including factors such as the subject matter, visual content, use of animated characters, or “child-oriented” activities and incentives.[14] The Final Rule also clarifies the obligations of mixed audience platforms, which are child-directed yet do not target children as the primary audience. These platforms may age screen visitors in order to apply COPPA protections only to visitors who identify as under 13 and may not collect personal information from any visitor until they collect age information from the visitor or through another reasonable means, to determine whether the visitor is under 13.[15]
- Revisions to Safe Harbor Program Requirements: The COPPA Rule enables industry groups and others to submit self-regulatory guidelines for FTC approval, called Safe Harbor programs, that implement the same or greater protections for children under the Rule. Under the Final Rule, these FTC-approved COPPA Safe Harbor programs are now subject to enhanced requirements, including independent annual assessment of member privacy and security policies and practices, as well as reporting requirements regarding complaints or discipline against members.[16]
How to Comply
The Final Rule’s updates create new compliance challenges for companies collecting personal information from children, including online platforms, mobile applications and digital advertisers catering to children’s audiences. Companies operating in this space would be well advised to:
- Review and update privacy policies to reflect the new data collection and parental consent requirements. Include separate mechanisms for disclosures to third parties that are for non-integral purposes, along with the option to consent to collection and use of children’s personal information without consenting to disclosure of the information.
- Adjust data security controls protecting children’s information. Check that the safeguards in place are appropriate for the company’s size and complexity, the information’s sensitivity, and the nature of the activities being conducted.
- Evaluate advertising practices to ensure compliance with new restrictions on targeted advertising, ensuring that access to the website or service is not conditioned on parental consent to targeted advertising.
- Monitor third-party relationships to confirm that partners adhere to COPPA’s mandates. Examine whether disclosures to these third parties are integral to the service or disclosed for another purpose and apply this information to online and direct notices to parents.
- Implement data retention policies that comply with the new requirements, including clear written policies that feature deletion schedules for children’s data.
Enforcement and Penalties
The FTC has signaled aggressive enforcement of COPPA under the updates of the Final Rule,[17] highlighting a bipartisan commitment to protecting children’s online privacy; however, the incoming new leadership of the agency may still opt for a different approach or seek further adjustments. Noncompliance will be treated as a violation of rules against unfair or deceptive acts and practices, potentially resulting in civil penalties of over $50,000 per violation.
Looking Forward
COPPA’s Final Rule marks a pivotal shift in the regulatory landscape for online services engaging with children. Despite the uncertainty around how the new FTC leadership will handle the rule, companies should take proactive steps toward compliance, especially given the heightened focus on digital privacy protections from both the agency and lawmakers. Companies operating in this space will face many hurdles navigating these new obligations and mitigating potential enforcement risk.
Note that on January 20, 2025, President Trump issued a Regulatory Freeze Pending Review Memorandum directing relevant departments to consider delaying by 60 days rules that have not yet taken effect and to consider reopening the public comment period for such rules.[18] This could potentially result in the FTC modifying the Final Rule or postponing its effective date.
For further guidance on COPPA compliance or to assess your company’s readiness for these regulatory changes, please contact a member of the Akin cybersecurity, privacy and data protection team.
[1] Children’s Online Privacy Protection Rule, 89 Fed. Reg. 2034 (Jan. 11, 2024) (to be codified at 16 C.F.R. pt. 312).
[2] Id. at 1.
[3] Id. at 97-107, § 312.5(a)(2).
[4] Id. at § 312.8(b).
[5] Id. at § 312.10.
[6] Id.
[7] Id. at 48.
[8] Id. at § 312.2, 21-22, 38.
[9] Id. at § 312.2, 55-56.
[10] Id. at § 312.4(b)(c), 76-79.
[11] Id. at § 312.4(d).
[12] Id. at § 312.5(b)(2), 108, 110, 112, 126.
[13] Id. at § 312.5(a)(2), 107.
[14] Id. at 205.
[15] Id. at 9.
[16] Id. at § 312.11(b).
[17] See Press Release, Fed. Trade Comm’n, FTC Finalizes Changes to Children’s Privacy Rule Limiting Companies’ Ability to Monetize Kids’ Data (Jan. 16, 2025), available at https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-finalizes-changes-childrens-privacy-rule-limiting-companies-ability-monetize-kids-data; see also Lina M. Khan, Chair, Fed. Trade Comm’n, Statement of Chair Lina M. Khan Regarding the Final Rule Amending the Children’s Online Privacy Protection Rule Commission File No. P195404 (Jan. 16, 2025).
[18] White House, Regulatory Freeze Pending Review (Jan. 20, 2025).