Alert
January 31, 2025

FTC Issues Long Awaited New COPPA Rules: How They Will Impact Your Business

On January 16, 2025, the Federal Trade Commission finalized changes to the Children's Online Privacy Protection Act (COPPA) Rule. The changes are broad, and, importantly, they require separate direct parental consent for any data sharing or monetization of children’s data; prescribe more granular disclosure of how children’s data is collected and used, including identifying specific third parties with whom data is shared; and update the Safe Harbor program.

For background, COPPA was initially enacted in 1998 to protect children’s privacy on the internet. COPPA applies to “operators” of websites and online services that target children or knowingly collect personal information from children under 13 years old. The law’s original regulations (the “COPPA Rule”) came into effect in 2000, but, as internet services and theories of harm evolved, the COPPA Rule was amended in 2013. The FTC began reviewing potential updates in 2019 and issued a notice of proposed rulemaking in January 2024. As the long-awaited result, the FTC finalized and published new amendments earlier this month (the “New Rules”), which will become effective 60 days from the date the final New Rules are published in the Federal Register, subject to any delay that may result from the administration change.

Below, we discuss the most notable changes to the COPPA Rule and highlight the essential steps that businesses should take to comply with the New Rules.

1. Separate Verifiable Parental Consent
One of the most critical changes in the New Rules is the new requirement for “separate” verifiable parental consent for disclosure of a child’s personal information to third parties for targeted advertising or other purposes that are not “integral” to the website or online service. This change essentially adds a new opt-in requirement to the sale or sharing of children’s data, which mirrors similar requirements in state-level privacy laws. Existing state-level laws either require opt-in consent for sales of children’s data (e.g., California’s Consumer Privacy Act and New York’s Child Data Protection Act) or outright forbid such sales (e.g., New Hampshire’s SB 255, New Jersey’s S.B. 332, and Maryland’s Online Data Privacy Act, the last of which will go into effect in October of this year). State-level laws are continuing to evolve rapidly in this space, and the requirements and prohibitions on personal data sales under such laws extend to the 13 – 17 age range.

Under the New Rules, the FTC clarifies that operators must provide direct notice to a parent for the purposes of obtaining consent, so that the parent can make an informed decision. The FTC also added new methods for collecting consent, such as knowledge-based authentication processes, government photo identification with facial recognition technology, or text-plus methods. The New Rules also include an exception to the verifiable parental consent requirement for audio files containing children’s voices, so long as such audio files are deleted immediately after they are no longer needed for the original request.

Direct notice to parents must include the following:

  • how operators will use the information;
  • the name of each third party to whom a child’s personal information is sent;
  • the purposes for sharing a child’s personal information; and
  • the operator’s data retention policy.

This notice must be provided on a website or online service describing the operator’s disclosure practices for children’s personal information.

2. Mixed Audience Websites
The New Rules modified the definitions of certain key terms. Notably, the New Rules clarify that operators of “mixed audience websites” and online services may collect personal information under COPPA’s preexisting “limited purposes” prior to determining a visitor’s age. A website or online service is considered mixed audience if it (1) is “child-directed” under COPPA’s multi-factor test, and (2) does not target children as its primary audience (i.e., the website or service also targets adults or older teens).

The terms “mixed audience” and “limited purpose” have non-obvious meanings in this context. “Mixed audience” is distinguishable from a “general audience” website or service, a category that applies to websites and services not directed at children, which may nevertheless be occasionally frequented by children under 13. Although the concepts may seem similar, “mixed audience” and “general audience” are distinct because the “mixed audience” category is a subset of the “directed to children” category, and a “general audience” site does not become “mixed audience” just because some children use the site or service. “Limited purpose” may sound open to interpretation, but the purposes are specifically enumerated in 16 CFR § 312.5(c). The permitted “limited purposes” for which the COPPA Rule sanctions data collection from children under 13 without advance parental consent are: to enable obtaining parental consent, to provide disclosure to parents, to respond to one-time inquiries from children under 13, for targeted trust and safety, or where the data collection is limited to a persistent identifier and no other personal information.

The New Rules give operators of mixed audience websites room to rely on the exceptions to prior parental consent, but operators should be careful that the scope of data collection prior to consent remains tied to the limited purposes.

3. Data Retention
The FTC clarifies operators’ obligations in the New Rules by expressly prohibiting operators from retaining children’s personal information indefinitely. Notably, the New Rules require that:

  • operators may retain children’s personal information for only as long as is reasonably necessary for the specific purposes for which it was collected;
  • operators must delete the information once it is no longer reasonably necessary for its original purpose; and
  • operators must establish and maintain a written data retention policy that covers children’s data and provide that policy on their website.

Operators should comply with COPPA’s retention requirements and delete children’s personal information once it is no longer reasonably necessary for the service provided. In the highly topical context of training and fine-tuning artificial intelligence (AI) large language models (LLMs), the FTC Chair’s statement in connection with the New Rules specifically noted that indefinite retention of children’s data for the purpose of model training and fine-tuning is inconsistent with the New Rules. We note, though, that these issues may not be as clear as a simple retention period for the original data, given the complex questions about the possible persistence of personal information in the LLM or its outputs. While the FTC does not specifically reach the issue of whether models potentially being able to “recall” personal information that was used in training and fine-tuning would constitute indefinite retention, we anticipate this may be an issue of interest in future AI-facing laws and regulations.

In the meantime, we recommend that all operators update their existing written data retention policies and ensure compliance within 60 days from the date the final rule is published in the Federal Register.

4. Increased Safe Harbor Program Transparency
To ease compliance and improve transparency, the New Rules enhance COPPA’s Safe Harbor program. The Safe Harbor program allows industries to form self-regulated groups with rules that either meet or exceed COPPA’s rules. If the FTC approves these Safe Harbor groups, websites or online operators satisfying the rules of a given Safe Harbor group will be deemed to have also met COPPA's rules and regulations.

The New Rules updated aspects of the Safe Harbor program, including requiring participating Safe Harbor organizations to:

  • conduct diligence into their operators’ information security and data privacy practices;
  • publicly post a list of their organization’s operators, as well as any operators that have left the program, on their website or online service;
  • include the specific certified website, operating system, or online service for each operator; and
  • in their annual FTC report, include a description of each disciplinary action taken against an operator, as well as a description of the process used to determine whether an operator required discipline.

Given the increased scrutiny of the Safe Harbor program, Safe Harbor operators should work with their Safe Harbor organizations to assess compliance requirements and prepare to meet enhanced reporting to retain membership with their Safe Harbor program. Safe Harbor program organizers should promptly review and address these amendments to meet the FTC’s six-month revision window.

5. What Stayed the Same in EdTech
As important as the changes were, at least one critical potential change did not materialize in the New Rules. Namely, the FTC decided not to adopt the proposed provisions clarifying COPPA’s application to websites and online services used by schools and students, a market often referred to as education technology or EdTech. The FTC referenced the Department of Education’s potential upcoming amendments to the Family Educational Rights and Privacy Act (FERPA) regulations, citing reluctance to create conflict between the New Rules and changes to the FERPA regulations. The changes would have given schools and EdTech providers more clarity regarding verifiable parental consent requirements for schools acting in loco parentis in procuring EdTech services on behalf of students under 13. While this leaves EdTech providers and schools with legal ambiguity, especially as it is now no longer clear whether the Department of Education will indeed advance new rules, the FTC did note that it would consider further COPPA Rule amendments depending on how the FERPA regulations are amended. Parties in this space should stay tuned and prepare to adapt, be it to future FERPA regulation changes or to future changes to the COPPA Rule.

6. Next Steps
Complying with the changes to COPPA will take time, so we advise that companies get a head start. While the New Rules will become effective 60 days after their publication in the Federal Register, operators will generally have one year from the publication date to achieve full compliance with the amendments. Online services or websites that collect data from or target children under 13 should promptly undertake to:

  • Review data collection practices considering the new definitions;
  • Obtain parental opt-in consent to any selling or sharing of children’s information for targeted advertising or non-service-related purposes;
  • Assess notices and consents to align with the changed requirements;
  • Examine data retention practices, implement regularly reviewed retention limitations, and disclose such limits on the business’s website;
  • Ensure their security programs cover personal information of children; and
  • For Safe Harbor operators, assess their new obligations to retain membership with their Safe Harbor organization and prepare a compliance plan.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.