On January 16, 2025, the Federal Trade Commission (FTC) finalized amendments to the Children’s Online Privacy Protection Act (COPPA) Rule (Final Rule) relating to the collection, use and disclosure of personal information about children under the age of 13. The Final Rule, which comes into effect 60 days after publication in the Federal Register, adds new requirements for online notices, certain third-party disclosures, parental consent, data retention and Safe Harbor programs.
Key Points
- The Final Rule adopts several new requirements related to notice, parental consent for certain third-party disclosures, data retention and Safe Harbor Program transparency.
- Organizations should benchmark their online notices, parental consent mechanisms, data retention policies and data security programs against the Final Rule requirements. Organizations generally have one year after publication to comply, while Safe Harbor programs have earlier compliance deadlines.
- The Final Rule must be reviewed and approved by incoming FTC Chair Andrew Ferguson before taking effect. Statements from Chair Ferguson indicate that the FTC is likely to remain active in regulating the collection, use and disclosure of children’s personal information. Organizations should therefore be alert to future action by the FTC that may affect their obligations under the COPPA Rule.
Overview
The COPPA Rule, which first went into effect in 2000, sets requirements related to the online collection, use or disclosure of personal information about children under the age of 13. One of COPPA’s hallmark obligations is that websites and other online services that are “child-directed” must provide notice and obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. The COPPA Rule also includes requirements related to notice, parental rights, data minimization and data retention. In addition, it includes compliance obligations for general audience websites and other online services that have actual knowledge they are collecting information from children under 13.
Key Changes in the Final Rule
The Final Rule, the first significant update to the COPPA Rule since 2013, adopts changes that the FTC states are meant to address the evolving ways that companies collect, use and monetize information about child users of their services. Key changes to the COPPA Rule follow below:
Notice and consent to third-party disclosures: The Final Rule requires organizations to disclose in the online notice the identities and specific categories of any third parties, including the public, to which the organizations “disclose” personal information for other than integral support purposes, as well as the purposes of such disclosures. This is a marked change from current U.S. practice.
The Final Rule also requires organizations subject to the Final Rule to list in the direct notice to parents the identities or specific categories of third parties to whom personal information is “disclosed.” Additionally, websites and other online services covered by the Final Rule are required to provide parents the right to consent to the collection and use of personal information without consenting to disclosure to certain third parties, except where disclosure is “integral” to the service.
Verifiable parental consent methods: The Final Rule adopts three new methods for obtaining verifiable parental consent under certain circumstances:
- Knowledge-based questions where the probability of children ascertaining the answers is low.
- Facial recognition technology to match an image provided by the parent with the parent’s image from a government-issued photographic ID.
- “Text plus” verification, where text message verification is coupled with additional steps, such as sending a confirmatory text message.
Data retention limits: The Final Rule requires organizations that collect personal information about children to retain that information for only as long as reasonably necessary to fulfill the specific purpose for which it was collected. The Final Rule explicitly states that organizations cannot retain the information indefinitely. Organizations must also establish, implement and maintain a written children’s personal information security program that meets COPPA standards.
Heightened requirements for Safe Harbor programs: COPPA Safe Harbor programs — self-regulatory programs that implement protections of the COPPA Rule — must publicly disclose their membership list within 90 days of the Final Rule’s publication and regularly update the list. Within six months of the Final Rule’s publication, Safe Harbor programs must report to the FTC the list of operators currently certified under their program, any approved websites or online services, and operators that have left the program. The programs must also routinely review participating organizations’ security programs and provide all consumer complaints to the FTC.
Updated definitions: The Final Rule expands the definition of personal information to include biometric identifiers, such as fingerprints, retina patterns, gait, facial data and voice data, as well as government-issued identifiers. The Commission also adopted a new definition of “mixed audience website or online service” to clarify that operators of mixed audience websites and online services may collect personal information from a child under certain exceptions to the Final Rule prior to determining the child’s age. Such exceptions include:
- Collecting the name or online contact information of a parent or child to provide notice and obtain parental consent.
- Collecting online contact information from a child to respond directly to a specific request from the child, subject to certain requirements.
- Collecting a child’s and a parent’s name and online contact information to protect the safety of a child.
- Collecting a persistent identifier and no other personal information from a child to provide support for the internal operations of the website or online service.
What Should Organizations Be Doing?
Evaluate third-party disclosures and online notices: Organizations that collect personal information from children online should evaluate the third parties to whom they disclose information, confirm whether disclosures to those third parties are integral to the services and identify the specific category for each third party not integral to providing the service. Using this information, organizations should update their direct notices to parents and online notices to include that information as well as the purposes of such disclosures and the organization’s data retention policy.
Update parental consent mechanisms for third-party disclosures: Organizations that disclose personal information about children to third parties for purposes not integral to providing the service should update the methods they use to obtain verifiable parental consent to include a distinct mechanism for third-party disclosures. Organizations must ensure that they include options to consent to collection and use of children’s personal information without consenting to disclosure of the information.
Implement retention and deletion policies for children’s data: Organizations that collect personal information about children should establish clear data retention and deletion policies that are posted to their website or online service. Organizations should also create clear schedules for deleting children’s data to avoid indefinite retention of information beyond what is reasonably necessary.
Routinely audit data security programs: Organizations covered by the Final Rule should routinely audit their data security programs and operations to meet requirements outlined in the Final Rule and requirements for Safe Harbor programs. Organizations should ensure that they maintain sufficient safeguards to protect the confidentiality, security and integrity of personal information collected from children. Such safeguards should be commensurate with the organization’s size and complexity as well as the sensitivity of the information the organization collects and the nature of activities involving children’s personal information.
Looking Forward
President Trump’s January 20, 2025, regulatory freeze introduces uncertainty into the finality of the Final Rule. Under the freeze, regulations not yet published in the Federal Register as of President Trump taking office — including the Final Rule — must be reviewed and approved by the relevant department or agency head before taking effect. Although Chair Andrew Ferguson voted in favor of the Final Rule, in a concurring statement, he identified three possible ways the Final Rule might be improved:
- Explaining when a change to privacy terms is “material” such that it requires new parental consent.
- Modifying the prohibition on indefinite retention of personal information to make clear when organizations must delete information.
- Clarifying an exception to the Final Rule relating to the collection of children’s personal information for the sole purpose of age verification.
In light of that position, it is possible that Chair Ferguson may elect to delay the effective date of the Final Rule in order to address these and other identified concerns.
Organizations should therefore be alert to future action by the commission in this area and evaluate how it might affect their obligations under the COPPA Rule.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.