FTC’s Updated COPPA Rule Is Here: What Business Should Know About Children’s Online Privacy

On Jan. 16, the Federal Trade Commission (FTC) announced long-awaited and significant updates to the Children’s Online Privacy Protection Act (COPPA) Rule, the first revisions since 2013. These updates apply to online operators of child-directed websites and services, as well as those running general audience sites or services who are aware they are collecting personal information from children. The changes aim to enhance privacy protections for children under 13, addressing both technological advancements and concerns raised by privacy advocates.

The updated rule will take effect 60 days after its imminent publication in the Federal Register. Entities subject to the rule generally have one year to comply with its provisions.

Key Changes to COPPA Rule

Key updates to the COPPA Rule include introducing opt-in consent requirements for parents before their children’s personal data can be shared with third parties for targeted advertising. This change prohibits platforms and service providers from monetizing or sharing children’s data to third parties without verifiable parental consent. Additionally, the updated COPPA Rule specifies that children’s data can only be retained as long as necessary to fulfill the specific purpose for which it was collected and that it cannot be kept indefinitely.

The FTC also expanded the definition of “personal information” to include biometric identifiers as well as government-issued identifiers to cover newer forms of data collection. According to the amendments, the full definition of personal information is individually identifiable information about an individual collected online including:

• A first and last name
• A home or other physical address including street name and name of a city or town
• Online contact information as defined in this section
• A screen or user name where it functions in the same manner as online contact information, as defined in this section
• A telephone number
• A government-issued identifier, such as a Social Security, state identification card, birth certificate, or passport number
• A persistent identifier that can be used to recognize a user over time and across different websites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or a unique device identifier
• A photograph, video, or audio file where such file contains a child’s image or voice
• Geolocation information sufficient to identify the street name and name of a city or town
• A biometric identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints; or
• Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

Another notable change to the COPPA Rule highlighted by the FTC in its announcement is increased transparency requirements for FTC-approved Safe Harbor programs, which are self-regulatory programs that allow covered companies to demonstrate compliance with COPPA by adhering to guidelines set by industry groups approved by the FTC for this purpose. The current six COPPA Safe Harbor programs will now be required to disclose their membership lists and report additional information to the FTC to improve accountability.

The final rule, which was adopted by a unanimous 5-0 vote from the Commission, addresses evolving online risks to children, such as the increased use of smartphones, rising screen time, greater monetization of data, and the growing harms associated with social media.

Push Notifications Get Partial Reprieve

The rule also omits a proposal to outright restrict push notifications, which had raised concerns from stakeholders, including the potential impact on children’s ability to receive notifications related to schoolwork. The Commission, while not adopting specific restrictions on push notifications, acknowledged concerns about their potential to harm children’s mental health. The FTC emphasized that it may pursue enforcement actions against operators engaging in practices that unfairly manipulate children’s engagement with online services.

Indefinite Data Retention Is Not Reasonable

The new amendments explicitly prohibit operators from retaining information indefinitely, requiring them to keep personal data only for as long as necessary to fulfill the specific purpose for which it was collected, and not for any secondary purposes. In a strongly worded concurring statement, Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter emphasized that COPPA prohibits businesses from retaining children’s data indefinitely. They noted that following the 2013 COPPA Rule update, companies often interpreted the “reasonably necessary” retention period as indefinite, which they described as “unreasonable.” This concern is particularly relevant today, as businesses increasingly use data to train algorithms, large language models (LLMs), and AI systems. According to the Commissioners, claims that data must be retained indefinitely to improve algorithms do not override legal prohibitions on indefinite data retention. They assert that the COPPA update makes this requirement even clearer.

The amended rule also clarifies that operators are not required to create a separate written data retention policy for children’s information if they already have a comprehensive data retention policy that meets the Commission’s proposed requirements.

EdTech Not Addressed in Final Rule

While the rule introduces significant changes promoted by children’s privacy advocates, some proposed changes were not included in the final version. Notably, the Commission decided not to finalize provisions addressing educational technology (EdTech) companies’ data collection practices in school settings, deferring to the Department of Education’s ongoing efforts to update regulations under the Family Educational Rights and Privacy Act (FERPA).

Overall, these updates strengthen the COPPA Rule to more robustly address children’s online privacy, especially in light of new technologies like artificial intelligence that may involve the collection and use of children’s data.

As stated by FTC Chair Lina M. Khan when announcing the Final Rule, the Commission’s actions reflect its commitment to “using all its tools to keep kids safe online.” This new action cements the FTC’s role as the primary and most active federal agency responsible for consumer and children’s privacy protections in the United States while reserving children’s privacy protections for EdTech and other school-led initiatives impacting children’s privacy to the Department of Education.

Organizations that work with or collect children’s qualifying information should evaluate whether and how the COPPA Update may apply to their online operations.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.