Written by: Haim Ravia, Dotan Hammer
The U.S. Federal Trade Commission (FTC) has adopted final rule amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). These amendments aim to strengthen the protection of personal information collected from children, respond to changes in technology and online practices, and clarify and streamline the COPPA Rule since its last amendment in 2013. The amendments are based on the FTC’s review of public comments from various stakeholders and its enforcement experience.
Key changes include modifications to several definitions. A new definition for “Mixed audience website or online service” is added for clarity. The definition of “Online contact information” now includes mobile telephone numbers, but their use without verifiable parental consent is generally limited to obtaining such consent.
The definition of “Personal information” is expanded to include government-issued identifiers (like Social Security or passport numbers) and certain biometric identifiers (such as fingerprints, retina patterns, genetic data, voiceprints, gait patterns, facial templates, or faceprints) that can be used for automated or semi-automated recognition. The definition of “Website or online service directed to children” now provides examples of evidence the FTC may consider in analyzing whether a website or service is directed to children.
The obligations of operators of online services directed to children are also updated. The direct privacy notice and online privacy policy have new content requirements, including greater detail about information use and disclosure practices, such as identifying third parties by name and category and the purposes for disclosure. The new COPPA Rule also requires operators to disclose their written data retention policy in their online notice. Operators must establish and maintain a written information security program and reasonable procedures to protect children’s personal information. Data retention is explicitly limited to being reasonably necessary for the specific collected purposes, and indefinite retention is prohibited. Operators must delete information when it is no longer necessary.
Amendment to the COPPA Rule also affects parental consent. Separate verifiable parental consent is required for disclosing a child’s personal information to third parties unless the disclosure is integral to the online service. Access to a service cannot be conditioned on consent to non-integrated disclosures.
While the new COPPA Rule is effective from June 2025, organizations subject to COPPA generally have until April 22, 2026, to come into compliance, except for specific sections related to FTC-approved COPPA Safe Harbor programs.
Click here to read the FTC’s amendments to the Children’s Online Privacy Protection Rule.
