FTC Finalizes Its First Updates to Children’s Privacy Rule Since 2013
On January 16, 2025, the Federal Trade Commission (“FTC”) announced its Final Rule amendments to the Children’s Online Privacy Protection Act (“COPPA”) Rule, which imposes requirements on website and online service operators that collect personal information from children under the age of 13. The FTC last updated the rule in 2013, requested comment on the rule in 2019, and issued a notice of proposed rulemaking to amend COPPA in January 2024. Citing its efforts to ensure children’s safety online in a rapidly changing marketplace, the FTC’s finalized amendments address areas that children’s privacy proponents have increasingly highlighted in recent years. The FTC’s Final Rule becomes effective 60 days after publication in the Federal Register and gives companies subject to the rule one year after the date of publication to comply. However, its publication and implementation may be uncertain due to President Trump’s temporary agency regulatory freeze. Below, we highlight some of the key changes found in the Final Rule.
Key Takeaways
- Definition changes in the Final Rule include, among other things, clarification of the term “mixed audience website or online service” to provide steps for operators that fall under that designation to determine age and application of COPPA protections. The Final Rule also amends the definition of “personal information” to expressly include biometric identifiers.
- The FTC now requires companies offering services directed to children to provide additional notices and obtain multiple layers of verifiable parental consent (“VPC”) for the use and disclosure of children’s data — indicating a trend toward the EU General Data Protection Regulation’s (“GDPR”) emphasis on specific, rather than general, consent.
- If a website operator uses persistent identifiers for internal operations, it must include information in its online privacy notice about how persistent identifiers are used to support internal operations and its methods to prevent unauthorized use of such identifiers.
- Companies covered by COPPA must update retention policies and practices to reflect specific purposes for retention and to comply with the FTC’s legal ban on indefinite retention.
- Data security requirements under COPPA now require each business subject to the act to tailor its policies and practices to address “the sensitivity of children’s information” and to consider its “size, complexity, and nature and scope of activities.”
Definitions
Mixed Audience: The FTC’s addition of a stand-alone definition for “mixed audience website or online service” under its Final Rule does not change the scope of the entities that may fall under the designation of “mixed audience” sites. Rather, it clarifies the category as it already existed and provides a means for companies that fall within that category to determine users’ ages and collect personal information.
The term is defined as a website or online service that (1) is directed to children based on the FTC’s multi-factor test contained in the rule; (2) does not target children as its primary audience; and (3) does not collect personal information from any user of the site before collecting age-related information or otherwise reasonably determining the user’s age. The definition additionally provides that the operator must utilize neutral means to determine age that do not encourage falsifying information. Once the operator determines whether users are children, it may decide to apply COPPA protections only to those users.
Biometrics: In light of developments in technology and their various applications, the FTC added biometric identifiers (such as fingerprints, handprints, retina and iris patterns, and DNA sequences) as enumerated examples of personal information.
Notice, Consent, and VPC
Prior to the FTC’s Final Rule, operators with websites or online services directed to children could meet their privacy obligations by obtaining a single parental consent. Now, however, the FTC requires such entities to obtain additional consent for disclosure to third parties (1) generally; and (2) for commercial purposes, such as targeted advertising or developing artificial intelligence models.
When obtaining such VPC, the FTC’s Final Rule expands the disclosures required in operators’ direct notice. Specifically, in each instance where direct notice is provided, the operator must disclose to the parent the nature of the personal information it collects about the child and its intentions with respect to using that information.
Additionally, the FTC now requires that operators’ online privacy notices contain both the name and category of any potential third-party recipients of children’s information. Direct notice for VPC must also identify the third parties and state the purpose for disclosure, but operators are permitted to hyperlink to their online privacy notices to meet this requirement. Parents must be informed that they have the right to consent to the collection and use of their child’s information without consenting to its disclosure to third parties (outside of those necessary for the website’s functionality).
Lastly, where a website operator uses persistent identifiers to support its internal operations, it must provide in its online privacy notice the general reasons for doing so and a statement regarding how it prevents misuse of such data.
Retention and Protection of Children’s Data
Retention: Emphasizing its recent COPPA enforcement actions, the FTC clarified that there is a strict prohibition under COPPA against operators retaining children’s personal information indefinitely. Businesses subject to the rule may only retain such information for as long as is reasonably necessary for the purpose for which it was collected and must delete it thereafter. Such businesses must also establish and maintain written data retention policies specifying purposes for collection, retention, and timeframe for deletion.
Security: Lastly, the Final Rule requires website operators to ensure that, if they do not already meet the FTC’s minimum requirements for children’s information security, they establish, implement, and maintain a program that accounts for the sensitivity of children’s personal information and the nature of their own operations and activities.
Next Steps for Companies Subject to COPPA
- Review notice requirements in the FTC’s Final Rule and, if applicable, update online privacy notices and direct notices to parents when seeking VPC to include the proper content disclosures.
- If persistent identifiers are used to support internal operations, update online privacy notices to indicate how such identifiers are used and practices employed to prevent misuse.
- Update practices related to obtaining VPC to comply with the Final Rule’s requirements for consent layers when disclosing a child’s information to third parties.
- Either review or implement data retention policies that include information regarding the purpose and business need for retaining children’s personal information, and when such information will be deleted.
- Either review or implement a data security program, considering business complexity, nature of processing of children’s information, and the sensitivity of children’s information. Maintain and audit the data security program on a regular basis.
Related Services
- Kevin L. Coy, Partner
- Jacqueline W. Cooney, Partner
- Kelley C. Chandler, Associate
- Erin E. Doyle, Associate