COPPA Rule Amendments Finalized
The Federal Trade Commission (FTC) finalized amendments to the Children’s Online Privacy Protection Rule (COPPA). COPPA, a federal law that’s been in effect since 2000, imposes requirements on websites and online services to protect the privacy of minors. The COPPA Rule amendments are designed to give parents better control over their children’s data provided to third parties. This is the first time COPPA has been updated since 2013.
The Significant COPPA Changes
The key changes to COPPA in this round of updates include:
Opt-in Consent for Targeted Advertising
Websites and online services must obtain separate verifiable parental consent to disclose children’s personal information to third-party companies for targeted advertising or other purposes.
Data Retention Limits
The rule requires covered operators to only retain personal information for as long as reasonably necessary to fulfill the purpose for which it was collected. This provision explicitly states that operators cannot retain the information indefinitely.
Increasing Safe Harbor Programs’ Transparency
The FTC-approved COPPA Safe Harbor programs, which are self-regulatory programs that implement the protections of the COPPA Rule, must publicly disclose their membership lists and report additional information to the FTC to achieve increased accountability and transparency in the programs.
Personal Information Definition
The personal information definition has been expanded to include biometric identifiers and government-issued identifiers.
Amendments That Didn’t Make the Cut
The rulemaking process for the COPPA amendments was one year long, beginning in January 2024. During that process, these proposed rule changes were dropped:
- A proposed rule that would have allowed schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information, but only for a school-authorized educational purpose and not for any commercial purpose, was not adopted.
- A rule that would have prohibited push notifications to children to prompt or encourage them to spend more time on a website or with an online service was also removed from the amendments. The FTC did note in its press release that push notifications directed at keeping kids online remain a concern.
The new rules become effective 60 days after publication in the Federal Register, which sets a likely effective date in mid-March 2025. Entities subject to the final rule will have one year from the publication date to fully comply with amendments that do not specify earlier compliance dates.
How to Comply with the COPPA Rule Amendments
Before January 2026, businesses should take the following actions to ensure they are compliant with the new COPPA rules when they become enforceable.
Review Your Parental Consent Policies
- Provide Clear Consent Options: Ensure your websites and online services offer parents distinct options to give separate consent for specific activities, such as data collection, sharing, and targeted advertising. Clearly define what each consent covers.
- Verify Consent Mechanisms: Ensure that your platforms secure distinct parental consent specifically for disclosing children’s personal information to third parties, including for purposes like targeted advertising. This is a shift from previous requirements, emphasizing the need for explicit parental approval for such disclosures.
- Regularly Test Consent Procedures: Conduct regular audits of your parental consent processes to confirm they are functioning as intended and align with the latest FTC standards.
Data Retention Policy
- Establish a Data Retention Policy: Develop and implement a clear data retention policy that explicitly addresses the handling of children’s personal information. While a separate policy for children’s data isn’t mandated, your existing policy must specifically cover this aspect.
Assess the Data You Are Collecting
- Identify and Classify Personal Information: Review the types of personal information your organization collects from children, noting that the definition of “personal information” under COPPA has been expanded to include biometric identifiers (facial recognition data, voice data, etc.) and government-issued identifiers. This broader scope requires careful consideration of the data you collect.
- Evaluate Data Collection Necessity: Critically assess whether the collection of sensitive data, such as biometric or government-issued identifiers, is essential for your services. Given the expanded definitions, it’s crucial to determine if collecting such data is necessary and aligns with the new COPPA requirements.
CompliancePoint has a team of privacy experts that can help your organization comply with all applicable regulations, including COPPA, GDPR, CCPA, and all state laws. Contact us at connect@compliancepoint.com to learn more.