In brief: COPPA Amendments

The Federal Trade Commission (FTC) has finalized significant amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, introducing stricter requirements for website and online service operators that collect personal information from children under 13.

These new rules will officially take effect on June 23, 2025.

"Compliance Deadline:With the exception of provisions under § 312.11(d)(1), (d)(4), and (g), regulated entities have until April 22, 2026 to achieve full compliance."

Gentle reminder for non-US lawyers:

The COPPA Rule, originally implemented in 2000, establishes key requirements for the online collection, use, and disclosure of personal information from children under 13 years old.

A core feature of the rule is its mandate that child-directed websites and online services must provide clear privacy notices and obtain verifiable parental consent before collecting, using, or sharing a child's personal data. In addition to consent obligations, the rule outlines requirements around privacy notices, parental rights, data minimization, and data retention. 

COPPA also applies to general-audience websites and online services that have actual knowledge they are gathering information from users under the age of 13, holding them to similar compliance standards.

1️⃣ Expanded scope of definition of personal information

The definition now explicitly includes biometric identifiers (such as fingerprints and facial recognition data), reflecting heightened privacy risks linked to emerging technologies.

"The COPPA statute and the COPPA Rule define ‘‘personal information’’ as individually identifiable information about an individual collected online, including, for example, a first and last name, an email address, or a Social Security number."

Now

"In the 2024 NPRM, the Commission proposed using its statutory authority to expand the Rule’s coverage by amending the definition of personal information to include ‘‘[a] biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data."

"The Commission notes that the proposed expansion of the definition of personal information to include biometric identifiers appropriately responds to marketplace developments such as the increasingly common use of technologies relying on facial recognition, retina or iris imagery, or fingerprints to allow individuals to unlock mobile devices and to access accounts or facilities,91 and that enable companies to identify and contact a specific individual."

2️⃣ Stricter parental consent

Operators must obtain separate verifiable parental consent before disclosing children's personal data for purposes that are not integral to their website’s or service’s core functions—ensuring stronger parental control over how children’s data is shared.

3️⃣ Mandatory security & Retention policies

Operators are required to establish, implement, and maintain:

• A written information security program to protect collected data

• A written data retention policy that specifies data storage periods and deletion timelines to prevent unnecessary data retention

4️⃣ Updated notices

Operators must revise their direct and online privacy notices to reflect these new obligations, enhancing transparency around data collection, use, and disclosure.

5️⃣ Stronger data protection standards

The amendments strengthen requirements around data security, deletion, and retention—ensuring operators adopt a proactive approach to safeguarding children’s data throughout its lifecycle.

6️⃣ Tighter standards for safe harbor programs

Organizations offering COPPA Safe Harbor programs must now comply with stricter requirements, including:

• More rigorous annual assessments

• Detailed disclosures

• Enhanced reporting obligations

Operators and service providers should begin reviewing their policies, parental consent mechanisms, data security programs, and notices now to ensure readiness before the compliance deadline.

We’ll continue monitoring developments and provide further guidance to help you navigate these important changes.