- Enhanced Privacy Definitions: The amendments to COPPA now include biometric identifiers such as fingerprints, iris patterns, and voiceprints, alongside government-issued identifiers like passport numbers, as "personal information," significantly widening the scope of data subject to regulation.
- Stricter Consent Requirements: Operators must now obtain separate parental consent specifically for third-party data disclosures unless those disclosures are integral to the service provided, promoting greater specificity and autonomy in consent practices.
- Comprehensive Security Measures: The revised rules require operators to establish written information security programs and to obtain written assurances from third parties that they will maintain appropriate safeguards, emphasizing stronger operational security and accountability.
In an effort to strengthen children's online privacy protections, the Federal Trade Commission (FTC) finalized comprehensive amendments to the Children's Online Privacy Protection Act (COPPA) on January 16, 2025, and published them in the Federal Register on April 22, 2025. These amendments represent the first major overhaul since 2013 and reflect the rapidly evolving digital ecosystem and increased concerns over the monetization of children's data. Following the FTC's Notice of Proposed Rulemaking issued in January 2024 and a review of 279 comments, the Commission unanimously adopted changes that significantly expand protections for children under the age of 13 while simultaneously imposing new compliance obligations on businesses interacting with children online.
Understanding these new requirements is critical to maintaining compliance and avoiding potentially costly enforcement actions. The amendments became effective June 23, 2025, with most compliance obligations set to take effect by April 22, 2026.
Expanded Definition of "Personal Information"
Biometric Identifiers
"Personal information" means individually identifiable information about an individual collected online and includes a list of data elements encompassed in the definition. The most significant definitional change expands "personal information" under § 312.2 to include biometric identifiers that can be used for automated or semi-automated recognition of an individual. This encompasses fingerprints and handprints, retina and iris patterns, genetic data including DNA sequences, voiceprints and facial templates, and gait patterns and faceprints. This expansion reflects the increasing prevalence of biometric technology in children's digital experiences, ranging from fingerprint authentication on devices to facial recognition technology in gaming and virtual reality applications. Notably, the FTC narrowed its original proposal by declining to include the broader "data derived from voice data, gait data, or facial data" language, responding to concerns about potential overreach while still addressing the core biometric identifiers of concern.
Government-Issued Identifiers
While the previous rule only specifically mentioned Social Security numbers, the updated Rule under § 312.2 explicitly includes state identification cards, birth certificates, and passport numbers. This clarification eliminates uncertainty about which government identifiers trigger COPPA compliance requirements.
Expanded Definition of "Online Contact Information"
Mobile Phone Numbers
Recognizing the ubiquity of mobile communication, the updated Rule under § 312.2 treats mobile telephone numbers as "online contact information" when operators use them only to send text messages to parents in connection with obtaining parental consent. This is a change from the previous rule, which did not specifically address mobile numbers in this context, and represents an adaptation to modern communication preferences while maintaining oversight of children requiring parental consent online.
Separate Consent Requirements for Third-Party Disclosures
Mandatory Opt-In for Third-Party Disclosures
The Rule under § 312.5(a)(2) introduces an operationally significant change by requiring operators to obtain separate verifiable parental consent before disclosing children's personal information to third parties, unless such disclosure is "integral to the website or online service." This represents a fundamental departure from previous practices that allowed bundled consent for collection, use, and third-party disclosure in a single agreement.
Operators must now clearly distinguish (1) consent for collecting and using children's information internally from (2) consent for disclosing information to third parties for non-integral purposes. The Rule provides flexibility in timing, as operators may seek both consents simultaneously or separately, but each must be clearly distinguished and obtained through unambiguous affirmative parental action.
Defining "Integral" Disclosures
The Rule under § 312.4(c)(1)(iv) and § 312.5(a)(2) clarifies that disclosures considered integral to the service include those necessary to provide the specific product or service requested by the consumer, such as payment processing, content delivery, and safety monitoring functions. However, disclosures for advertising purposes, data broker relationships, or artificial intelligence training are not considered integral and thus require separate parental consent. Operators must clearly identify in their notices disclosures that are not integral to their service.
Enhanced Security and Data Management Requirements
Mandatory Written Information Security Programs
Operators must establish, implement, and maintain written information security programs under § 312.8(b) that contain safeguards that are appropriate to the sensitivity of children's personal information and the operator's size, complexity, and scope of activities. These programs must include designated employees to coordinate the security program, annual risk assessments identifying internal and external threats, safeguards designed to control identified risks, regular testing and monitoring of security measures, and annual program evaluation and modification.
Third-Party Security Assurances
Before sharing children's personal information with service providers or other third parties, operators must obtain written assurances that such entities will maintain appropriate security, integrity, and confidentiality safeguards. This requirement is outlined in § 312.8(c) and extends accountability for data protection by eliminating reliance on mere oral assurances by third parties.
Written Data Retention Policies
Building on previous requirements, the new Rule under § 312.10 mandates that companies develop written data retention policies that specify the purposes for which children's personal information is collected, the business need for retaining such information, and specific timeframes for deletion. Retention policies also must be included in the operator's online privacy notice in order to provide transparency about data lifecycle management practices.
Prohibition on Indefinite Retention
The Rule explicitly prohibits indefinite retention of children's personal information obtained by companies. Under § 312.10, operators are required to delete such information when it is no longer reasonably necessary for the specific purposes for which it was collected. This establishes clear limits on data preservation practices and functions to prevent speculative future use of children's data.
Enhanced Notice and Transparency Requirements
Comprehensive Online Privacy Notices
Under § 312.4(d), online privacy notices must now include significantly more detail than before. For example, operators must disclose: specific identities and categories of third parties receiving children's information and the purposes for such disclosures; complete data retention policies addressing children's personal information; and for operators using persistent identifiers under the "support for internal operations" exception under § 312.4(d)(3), there must be disclosure of specific operations and protective measures against unauthorized use.
New and Enhanced Parental Consent Methods
"Text Plus" Verification Method
The Rule formally approves a new "text plus" verification method under § 312.5(b)(2)(ix) that allows operators to obtain parental consent via text message and additional verification steps, provided that the operator does not disclose children's personal information. Additional verification steps include confirmatory messages texted to parents following receipt of consent, as well as postal and telephone confirmation. This method was not available under the previous Rule and provides parents with additional consent options.
Face-Matching Technology
Under § 312.5(b)(2)(vii), the Rule now codifies operators' use of facial recognition technology that compares a parent's government-issued photo identification with a live selfie image that is then confirmed by trained personnel. The parent's identification and images must be promptly deleted after verification, providing a reliable method of consent verification while protecting the parent's privacy. While this technology previously existed, its formal inclusion in the Rule provides an added layer of regulation and protection to parental consent.
Knowledge-Based Authentication
Section 312.5(b)(2)(vi) of the Rule now formally recognizes knowledge-based authentication using "dynamic, multiple-choice questions" of sufficient difficulty that children in the household "could not reasonably ascertain the answers" as an approved consent method. This provides operators with additional verification options suited to different operational contexts in which parental consent is required.
Audio File Exception
The updated Rule introduces a new exception allowing operators to collect audio files containing a child's voice without obtaining verifiable parental consent, provided that specific conditions are met under § 312.5(c)(9). Operators may collect such audio files solely to respond to a child's specific request but must not collect any other personal information and must immediately delete the audio file after responding. The operator cannot use the information for any other purpose or disclose it to third parties. While no direct notice to parents is required under this exception, operators must still provide disclosure in their online privacy notices describing how they use such audio files and confirming immediate deletion practices.
"Mixed Audience Website" Clarification
The amendments formalized the definition for "mixed audience website or online service" under § 312.2 to clarify an existing regulatory category that applies to platforms meeting the child-directed criteria but that serve children as a secondary user base rather than the primary user base. These platforms must follow a two-step framework to determine (1) whether the platform qualifies as child-directed under the Rule's "multi-factor test" (which considers factors like subject matter, visual content, and intended audience), and (2) whether children constitute the platform's primary target audience. Unlike purely child-directed services, mixed audience operators can implement age-screening mechanisms before applying COPPA protections. This allows for minimal personal information collection for purposes of age verification, which in turn helps deter individuals from providing false age representation.
Data Use and Disclosure Limitations
Scope Restrictions
The Rule reinforces that operators are prohibited from using or disclosing children's personal information for any purpose other than those for which verifiable parental consent has been obtained. This includes internal uses such as personalization or analytics, as well as external disclosures to third parties. If an operator wishes to use information for a new purpose not previously disclosed to parents, it must obtain new, specific parental consent.
Safe Harbor Program Enhancements
Increased Public Transparency Requirements
FTC-approved Safe Harbor programs, which allow industry groups to create self-regulatory guidelines as alternatives to direct COPPA compliance, now face significantly enhanced oversight requirements under § 312.11. These programs must publicly identify their participating operators and certified services on their websites, with lists updated every six months to reflect membership changes. Additionally, programs must provide enhanced annual reporting to the FTC, including detailed explanations of compliance monitoring and enforcement mechanisms. This public disclosure is designed to enable parents and businesses to easily verify which platforms participate in approved self-regulatory frameworks.
By October 22, 2025, all approved Safe Harbor programs must submit revised guidelines to the FTC that reflect the updated COPPA requirements. These submissions must include a detailed explanation of how the program will monitor compliance and enforce its standards. Failure to meet this deadline may result in suspension or revocation of the program's approved status.
Moving Forward: Compliance Planning for Your Company
The 2025 COPPA amendments establish the most comprehensive children's online privacy framework in over a decade, fundamentally altering compliance expectations for operators serving young users. The changes provide clarity about regulatory expectations and address concerns about sophisticated data monetization practices targeting children.
Beyond immediate compliance planning, organizations should conduct comprehensive audits of their current data practices, particularly focusing on amended sections of the Rule addressing biometric data collection, third-party sharing arrangements, and security protocols. Legal teams should work closely alongside technical experts and business stakeholders to monitor data sharing and retention, identify gaps in current consent mechanisms, and develop implementation strategies that address both the April 22, 2026, compliance deadline and the enhanced ongoing obligations under the robust new framework.
Companies should also monitor state-level children's privacy legislation and potential federal privacy law developments that may further impact compliance obligations, as the regulatory landscape continues to evolve rapidly in response to growing concerns about children's digital privacy and safety.