On January 16, 2025, the Federal Trade Commission (FTC)
announced that it had finalized changes to the Children’s Online Privacy Protection Act (COPPA) Rule to strengthen key protections for children’s online privacy and impose new requirements around the collection, use, and disclosure of children’s personal information.
What led to this update?
In 1998, Congress enacted the COPPA statute, which directed the FTC to promulgate regulations implementing COPPA’s requirements. In 1999, the FTC issued the COPPA Rule, a set of implementing regulations that became effective in 2000 and set a new standard for children’s online privacy.
The COPPA statute requires the FTC to initiate a review of the COPPA Rule no later than five years after the initial Rule’s effective date, so in 2005, the FTC initiated this review and determined that no changes were necessary.
In 2010, the FTC once again undertook a review of the COPPA Rule and, in 2013, issued the first amendments to the Rule. These amendments revised the COPPA Rule to address changes in the way children used and accessed the Internet, including through the increased use of mobile devices and social media.
In 2019, the FTC again announced that it was undertaking a review of the COPPA Rule, and the FTC held a public workshop in October of 2019 to discuss specific areas of concern. In response to the proposed review and associated workshop, the FTC received over 175,000 public comments.
Five years later, in 2024, the FTC finally announced its
proposed changes to the COPPA Rule, which it declared would clarify the scope of the Rule and increase protections for children’s privacy.
Now, a year after announcing the proposed changes, the FTC
released the final rule, which was, prior to the Trump administration’s regulatory freeze, expected to go into effect 60 days after publication in the Federal Register.
What does the updated COPPA Rule change?
The final rule amends the COPPA Rule by changing several key definitions, including the definition of personal information, and adding new obligations for how children’s data can be handled, used, and retained. The final rule also modifies the requirements that must be satisfied to participate in the COPPA Safe Harbor program.
These changes include, but are not limited to:
- Expanded definition of “personal information”
The updated COPPA Rule expands the existing definition of “personal information” to include government-issued identifiers (e.g., Social Security, state IDs, birth certificates, and passports) and biometric identifiers that can be used for the automated or semi-automated recognition of an individual (e.g., fingerprints, handprints, retina patterns, iris patterns, genetic data, voiceprints, gait patterns, facial templates, faceprints).
- New definition for “mixed audience website or online service”
The updated COPPA Rule adds a new definition for a “mixed audience website or online service,” which is a website or online service directed to children but does not target children as its primary audience, and, other than for a few limited exceptions, does not collect personal information from any visitor prior to either collecting age information or using another means to reasonably calculate whether the visitor is a child. The law imposes certain obligations on these mixed audience websites or online services.
- Clarifying data minimization and retention requirements
The updated COPPA Rule requires covered entities to develop and maintain a written document retention policy and post the policy in an online privacy notice. In addition, the updated Rule requires covered entities to only collect and retain personal information for “specific” purposes—meaning, covered entities should not retain personal information indefinitely and should delete the information when it is no longer required.
- Requiring a written information security program
Under the updated COPPA Rule, the FTC modified the existing security requirements for covered entities to include creating and implementing a written information security program. The program should be appropriate for the entity’s size, complexity, and nature and scope of activities, and take into account the sensitivity of the personal information collected by the entity.
- Modifying COPPA’s Safe Harbor programs
To enhance the oversight and transparency of COPPA-approved Safe Harbor programs, the updated COPPA Rule requires the Safe Harbor programs to conduct an annual assessment of their members’ compliance and, among other requirements, maintain and submit to the FTC records of complaints about, and disciplinary actions against, Safe Harbor program members.
Does the Trump administration’s regulatory freeze affect the updated COPPA Rule?
Yes, the Trump administration’s
regulatory freeze issued on January 20, 2025, casts some uncertainty on the future of the updated COPPA Rule. Under the regulatory freeze, regulations not yet published in the Federal Register as of President Trump taking office—which includes the updated COPPA Rule—must be reviewed and approved before taking effect.
Andrew Ferguson, who is now the FTC Chair, had voted to approve the updated COPPA Rule while the FTC was still under Chair Lina Khan, during the Biden administration. However, while Ferguson voted approvingly of the updated Rule, he wrote a
concurring statement indicating that he nonetheless believed the COPPA Rule could be improved in various ways. Given his concurring statement, Chair Ferguson may delay publication of the updated COPPA Rule to address these proposed improvements.
