FTC Finalizes Updated COPPA Rule
After a process that began back in 2019, the Federal Trade Commission (FTC or Commission) unanimously approved a revised Children’s Online Privacy Protection Act Rule (COPPA Rule or Rule) on January 16, 2025. The Rule was based on comments responding to the FTC’s Notice of Proposed Rulemaking (NPRM) issued January 11, 2024. This is the first revision to the COPPA Rule since 2013.
The COPPA Rule implements the Children’s Online Privacy Protection Act and imposes certain requirements on businesses (referred to as “operators”) regarding the collection, use, and disclosure of children’s personal information. While the changes to the Rule are not as far-reaching as they might have been (some proposed provisions in the January 2024 NPRM, including changes related to edtech, did not make it into the final version of the Rule), the modifications to the Rule impose a number of important new requirements on operators that will require action.
Key changes, among others, include the following:
- Operators must directly notify parents of the identities or categories (including the public) of each third party to whom the operator discloses children’s personal information and obtain parental consent.
- The Rule adopts new definitions, including “mixed audience” (although the concept was reflected in the 2013 rule), and adds biometric and government identifiers (each separately defined) as types of information included in the definition of “personal information.”
- The Rule expands existing general requirements that operators maintain “reasonable security.” A covered operator must adopt a written data security program, designate one or more employees to coordinate the program, conduct, at least annually, a security risk assessment, and obtain written assurances that third parties with which personal information is shared will maintain the security of children’s data.
- The Rule elaborates on the existing requirement that children’s data should be retained only so long as necessary by requiring operators to adopt a written data retention policy and include it in the website privacy notice.
- COPPA Safe Harbor programs will be required to publicly disclose their membership lists and provide additional accountability reports to the FTC.
The Rule takes effect 60 days after its publication in the Federal Register, but specifies that, with the exception of certain referenced provisions affecting Safe Harbor programs, operators will have a year (365 days from publication in the Federal Register) to fully comply. In a concurring opinion, Commissioner Ferguson, who will soon step into the role of Chair, identified a few areas where additional clarification in rule language would be helpful. Stay tuned to this space for further updates.