A new era for children's privacy: FTC finalizes changes to COPPA
The Federal Trade Commission (FTC or Commission) recently finalized significant changes to the Children’s Online Privacy Protection Act (COPPA). The final amendments to the COPPA rule (Amended Rule) will take effect 60 days after the Amended Rule is published in the Federal Register. Entities will generally have one year after publication to come into compliance (though the amendments for safe harbor programs will take effect sooner).
Among other things, the Amended Rule introduces new consent requirements and retention obligations and imposes more granular security requirements on operators, including third-party due diligence, regular testing and monitoring of security controls, and annual risk assessments and security program evaluations. The Amended Rule also updates the requirements for COPPA safe harbor programs.
While the FTC periodically reviews the COPPA rule, these rule changes are the first amendment to COPPA since 2013.
The final Amended Rule reflects technological advancements since COPPA was last amended and is intended to enhance online safety for children, according to the FTC.
Key changes
- Opt-in consent for targeted advertising and other disclosures to third parties. One of the most notable changes is the requirement that parents provide separate, specific opt-in consent before companies can use children's data for targeted advertising or disclose it to third parties. Currently, certain companies must obtain verifiable parental consent before collecting, using, or disclosing children's personal information, and one consent could encompass all three. This update separates the consent for disclosure and targeted advertising and is designed to give parents more control over their children's online experiences. In particular, it addresses the growing concern over how children's data is used to create detailed profiles for advertising purposes, often without parental knowledge or consent.
- Parental consent methods. The Amended Rule includes some additional recognized parental verification methods, including the use of knowledge-based questions, and facial recognition technology that “matches” a parent’s image from an authentic government-issued ID with a selfie image from a phone or webcam (which must be confirmed by trained personnel and promptly deleted after confirmation). In addition to “email plus” verification, the Amended Rule also recognizes a “text plus” verification option, provided the operator does not disclose the child’s personal information or enable the child to disclose or otherwise make available personal information publicly (e.g., by posting, emailing, or chatting with other users). As with the current COPPA rule, the Amended Rule allows other methods provided they are “reasonably calculated” to ensure the person consenting is the parent and provides for the approval of other consent methods (and resulting safe harbor).
- Data retention. The Amended Rule requires operators to “establish, implement, and maintain a written data retention policy that sets forth the purposes for which children’s personal information is collected, the business need for retaining such information, and a timeframe for deletion of such information.” Notably, this retention policy must be provided in the operator’s COPPA notice of information practices. As with the current COPPA rule, the Amended Rule mandates that companies can only retain children's personal information for as long as necessary to fulfill the purpose for which it was collected. However, the Amended Rule goes to additional lengths to clarify the retention restrictions, reiterating that data must be securely deleted when it is no longer reasonably necessary for the purposes for which it was collected and explicitly prohibiting indefinite retention. In their joint-concurring statement, FTC Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter noted that companies have, in their view, unreasonably interpreted the "reasonably necessary" retention standard as permitting indefinite retention and emphasized the importance of the clarifications in the Amended Rule:
“A wave of companies now claim that it is ‘reasonably necessary’ to keep [children’s information] forever. Today, we clarify that’s not reasonable. This clarification is especially important at a time when the developers of large language models and other AI products are caught in a race to acquire ever-increasing amounts of training data.”
- Enhanced security requirements. COPPA requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The Amended Rule expands on this standard, expressly requiring operators to have a written information security program that includes “safeguards that are appropriate to the sensitivity of the personal information collected from children and the operator’s size, complexity, and nature and scope of activities” and further specifies that operators must:
  - Designate one or more employees to coordinate their security program
  - Identify and annually perform assessments to identify internal and external risks to the confidentiality, security, and integrity of personal information collected from children and the sufficiency of any safeguards in place to control such risks
  - Design, implement, and maintain safeguards to control identified risks
  - Regularly test and monitor their security program
  - Annually evaluate and update their security program to address identified risks, results from regular testing and monitoring, new or more efficient technological or operational controls, and other material impacts to their security program, and
  - Take reasonable steps to confirm that service providers, other operators, and third parties are capable of maintaining the confidentiality, security, and integrity of children’s information and obtain written assurances that they will maintain reasonable security measures, before allowing such entities to collect and maintain children’s personal information or before disclosing children’s personal information to such entities.
- Increased transparency for safe harbor programs. The FTC has also introduced measures to enhance the transparency of COPPA safe harbor programs. Self-regulatory programs must now publicly disclose their membership lists and report additional information to the FTC. This increased transparency is intended to promote greater accountability and ensure that these programs are effectively protecting children's privacy and adhering to COPPA standards.
Additional significant changes include restricting the exchange of children's data between businesses and revising key definitions, such as "personal information," to include biometric and government-issued identifiers, and "mixed audience website or online service," to provide greater clarity regarding an existing subcategory of child-directed websites and online services.
The Amended Rule permits collecting personal information for "limited purposes…prior to determining the visitor age" to provide operators with flexibility to select age assurance methodologies. It states, "the Commission agrees with commenters expressing the view that it is important to allow operators to innovate and develop alternative, improved mechanisms to determine age that do not rely on a visitor’s self-declaration and finds that the proposed language best accomplishes this."
These changes address the evolving ways in which children's data is collected, used, and disclosed, particularly in the context of sophisticated digital tools and platforms, and highlight the FTC’s firm stance against the exploitation of children's personal information.
State initiatives for strengthening children's online privacy
These federal changes are part of a broader trend towards enhanced children's privacy protections across the US. In recent years, several states have introduced and enacted their own privacy laws aimed at safeguarding children's data. For instance, California's Age-Appropriate Design Code Act (CAADC), modeled after the UK's Age-Appropriate Design Code, sets stringent requirements for online services likely to be accessed by children. Although currently facing legal challenges, the CAADC underscores the state's commitment to children's privacy.
Maryland also recently enacted the Maryland Online Data Privacy Act (MODPA) and the Maryland Age-Appropriate Design Code (AADC). The MODPA, effective October 2025, requires companies to provide certain protections for personal data of children under 18 years old, including completing data protection impact assessments. Notably, the age threshold applies where a business knows or “should have known” the consumer is under 18 years old, which broadens the threshold from the “known child” standard to apply regardless of whether consent was obtained. The Maryland AADC, effective October 2024, builds on these protections by expanding the definition of "child" to include individuals under 18 years old and imposing additional requirements on covered entities such as default privacy settings, age-appropriate privacy information, and data processing restrictions.
New York has also made significant strides with the passage of the Stop Addictive Feeds Exploitation (SAFE) for Kids Act and the New York Child Data Protection Act (CDPA). The SAFE Act, effective June 2025, prohibits social media platforms from providing addictive feeds to minors without verifiable parental consent. The CDPA bars online operators from collecting, using, sharing, and selling personal data of minors ages 13 to 17 years old without their informed consent and requires parental consent for processing data of minors 12 years old and younger.
Other states, such as Arkansas, Colorado, Connecticut, Georgia, Florida, Louisiana, Utah, and Virginia, have also passed laws focusing on children's data privacy, particularly in the context of social media, reflecting a growing recognition of the need for robust protections at the state level. Likewise, the comprehensive state privacy laws provide protections for children’s personal data, which vary by state. These laws often require parental consent before processing the personal data or sensitive personal data of children under 13 years old and parental and/or the minor’s consent before selling children’s personal information or using it for targeted advertising or profiling. These state laws often incorporate elements of COPPA, such as parental consent requirements and restrictions on data processing, further strengthening the overall framework for children's online privacy.
As these new regulations come into effect, it is crucial for parents, educators, and companies to stay informed and compliant. The combined efforts of federal and state lawmakers are intended to pave the way for a safer digital landscape and ensure that children's privacy is prioritized in an increasingly connected world.