On April 22, 2025, the Federal Trade Commission (FTC) published its final amendments ("the Amendments") to the Children's Online Privacy Protection Act (COPPA) Rule in the Federal Register. The Amendments expand the requirements for website and online service operators that collect personal information from children under 13 years of age and provide parents with greater control over how their children's data is used and shared. The Amendments will take effect on June 23, 2025—60 days after their publication in the Federal Register. Operators subject to the COPPA Rule will have until April 22, 2026 to comply. However, organizations that offer FTC-approved safe harbor programs have different compliance deadlines based on applicable requirements.
Background
The COPPA Rule, as adopted by the FTC in 2000 and updated in 2013, requires businesses to obtain verifiable parental consent before collecting, using or disclosing personal information from children under the age of 13. It also mandates that businesses provide notice on their websites or online services about this data collection and directly notify parents regarding the information gathered from these children.
Since the COPPA Rule's last revision in 2013, children's online privacy and safety have remained top priorities for federal regulators and lawmakers. For example, last year senators introduced COPPA 2.0, which aimed to expand privacy protections to teens under 17 and ban interest-based advertising. Although the bill passed the U.S. Senate, it failed to pass in the House. An effort to include it in the comprehensive privacy bill proposal, the American Privacy Rights Act (APRA), also failed.
Nevertheless, on January 16, 2025, the FTC unanimously agreed to amend the COPPA Rule. However, publication of the Amendments in the Federal Register was delayed pursuant to an executive order issued by the new administration. The Amendments were eventually published on April 22, 2025 and will take effect on June 23, 2025.
Key Amendments to the COPPA Rule
Updated Definition of Personal Information: The Amendments expand the definition of "personal information" to include (i) biometric identifiers that can be used for the automated or semi-automated recognition of an individual, such as fingerprints, handprints, retina patterns, iris patterns, genetic data, including DNA sequences, voiceprints, gait patterns, facial templates, or faceprints, and (ii) government-issued identifiers, such as social security numbers, state identification card numbers, birth certificate numbers, or passport numbers.
Identifying a Website or Online Service Directed to Children: The Amendments add that, in determining whether a website or online service is directed towards children, the FTC may, among other factors, consider marketing or promotional materials or plans, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services.
Content of Direct Notices: To empower parents to make informed choices, the Amendments require that the direct parental notice includes information on how the operator intends to use the personal information collected from the child. Operators must also identify any third parties with whom they will share the personal information and specify the purposes for such sharing. Finally, the direct parental notice must explain that parents can consent to the collection and use of personal information without consenting to its disclosure to third parties unless such disclosure is integral to the operation of the website or online service.
Content of Online Notices: The Amendments also prescribe additional requirements for operators to include in their online notices, including (i) the identities and specific categories of third-party disclosure recipients, (ii) how they use persistent identifiers to support internal operations, and (iii) in cases where the operator collects audio files containing a child's voice, a description of how the operator uses such audio files and confirmation that the operator deletes such audio files immediately after responding to the request for which they were collected.
Methods for Verifiable Parental Consent: The Amendments expand the acceptable methods for obtaining verifiable parental consent. Operators are now allowed to use the following methods: (i) knowledge-based authentication through dynamic, multiple-choice questions that are difficult for a child to answer, (ii) submission of government-issued photo identification, and (iii) text messaging coupled with additional steps, such as a follow-up text, letter, or phone call, to confirm that the consenting individual is the parent.
Written Children's Personal Information Security Programs: The Amendments require operators to implement a written children's personal information security program. This program must include safeguards tailored to the sensitivity of the data collected and be appropriate to the operator's size, complexity, and business activities. Operators must designate responsible personnel to oversee the program, assess internal and external risks to the confidentiality and integrity of children's data, implement and maintain safeguards to address those risks, regularly test the effectiveness of these safeguards, and review and update the program at least annually.
Data Retention: The Amendments prohibit operators from retaining children's personal information indefinitely and clarify that they may only retain such information for as long as reasonably necessary to fulfill the specific purposes for which it was collected.
Safe Harbor Programs: The COPPA Safe Harbor program allows industry groups and similar organizations to develop self-regulatory guidelines that comply with the COPPA Rule, subject to FTC approval. Under the recent Amendments, approved Safe Harbor programs are required to publicly disclose their membership lists and submit periodic reports to the FTC, such as annual disclosures of disciplinary actions taken against member operators and triennial updates on the program's technological capabilities.
Takeaways
Given the FTC's continued focus on children's personal information, organizations should take steps to ensure compliance with new requirements imposed under the Amendments, including prioritizing and updating their data collection, retention, security, and disclosure practices. Organizations should also take advantage of the new tools permitted under the Amendments, such as alternative methods for obtaining verifiable parental consent. The Amendments also highlight the FTC's expectation that organizations must demonstrate compliance through detailed written procedures and transparent public disclosures. Importantly, the COPPA Rule serves only as a baseline standard. Organizations are still subject to broader FTC enforcement under Section 5 of the FTC Act for any practices that could potentially harm children. This reinforces the necessity for rigorous adherence to both COPPA and broader consumer protection standards.
Burak Haylamaz (White & Case, Staff Attorney, Los Angeles) contributed to the development of this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP
