ARTICLE
27 January 2025

FTC Finalizes COPPA Rule

FK
Frankfurt Kurnit Klein & Selz

Contributor

Frankfurt Kurnit provides high quality legal services to clients in many industries and disciplines worldwide. With leading practices in entertainment, advertising, IP, technology, litigation, corporate, estate planning, charitable organizations, professional responsibility and other areas — Frankfurt Kurnit helps clients face challenging legal issues and meet their goals with efficient solutions.
The Federal Trade Commission (FTC) has finalized amendments to its Children's Online Privacy Protection Act (COPPA) Rule, effective 60 days after publication in the Federal Register.
United States Technology

The Federal Trade Commission (FTC) has finalized amendments to its Children's Online Privacy Protection Act (COPPA) Rule, effective 60 days after publication in the Federal Register. We expected an effective date in late March, although this date could be impacted by Trump's recent executive order. Key updates include:

  • Notice and Consent Requirements: The amendment requires separate notice and consent for the disclosure of children's data to third parties. Companies must disclose to parents the identities and specific categories of such third parties.
  • Data Retention Restrictions: Businesses are barred from retaining children's data indefinitely.
  • Expanded Definition of Personal Information: Biometric and government-issued identifiers are now explicitly covered under COPPA protections.
  • Safe Harbor Transparency: Self-certified compliance will be subject to enhanced transparency requirements including public disclosure of their membership lists.
  • New consent methods: Businesses may use approved text message and knowledge-based authentication methods to obtain verifiable parental consent.
  • New data security requirements: Businesses must designate employees to coordinate a security program, conduct risk assessments, and implement, test, and monitor safeguards. Note these do not have to be in a separate children's security program as originally proposed.

Dropped proposals limitations on educational technology providers' use of student data for commercial purposes and school-based (rather than parent-based) consent allowances. The FTC cited potential conflicts with future FERPA amendments as a reason for scaling back these provisions. It also dropped requirements for another separate parental consent to use children's data for purposes of maximizing engagement (e.g., sending push notifications to nudge user activity).

While the rule updates were approved by a 5-0 vote, their future remains uncertain as incoming Chair Andrew Ferguson raised concerns about the timing and scope of the amendments. For an overview of the proposed rules, see FKKS associate Andrew Folk's previous article at https://iapp.org/news/a/still-growing-up-top-takeaways-from-the-ftcs-proposed-coppa-rule-update. We will provide a more detailed analysis on the FKKS Technology Blog promptly.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More