On January 16, 2025, the Federal Trade Commission (FTC) announced significant amendments to the Children’s Online Privacy Protection Act (COPPA) Rule after a comprehensive review that began in 2019. This is the first major update since 2013 and is aimed at the evolving digital landscape and growing concerns over the monetization of children’s data. The changes also underscore the value of periodic network traffic analysis: testing what your sites and apps actually transmit, and to whom, is the only reliable way to confirm that technical practice matches written policy. The updated COPPA Rule goes into effect 60 days after publication in the Federal Register.
Key Amendments to the COPPA Rule
The finalized amendments introduce several changes aimed at strengthening protections for children under the age of 13, including the following highlights:
- Expanded Definition of Personal Information
The Rule now includes biometric identifiers that could be used for automated or semi-automated identification of an individual child, such as fingerprints, retina patterns, gait, facial data, and voice data, reflecting advancements in technology and the need for increased safeguards against misuse of this data.
- Separate Opt-In for Targeted Advertising
Companies are now required to obtain distinct verifiable parental consent before disclosing children’s personal information to third parties, such as advertisers, unless such disclosures are strictly necessary to provide the service. This rule closes loopholes that previously allowed operators to bundle consent for advertising with consent for other purposes. It is a direct move to curb the monetization of children’s data without explicit parental approval. The final rule also requires a listing of every individual third party to which children’s information will be disclosed, including the purpose for sharing.
- Clarified Data Security Requirements
Organizations are required to establish, implement, and maintain a written children’s personal information security program, or a general security program that meets COPPA standards. The program must include safeguards proportionate to the sensitivity of the data collected, and should include measures such as designating qualified employees to coordinate it, annual updates, consistent monitoring, and routine risk assessments. The updated rule also makes clear that organizations must take reasonable steps to ensure that any party with which they share children’s data is capable of maintaining the confidentiality, security, and integrity of that data, and must obtain contractual assurances from those third parties.
- Expanded Expectations of Safe Harbor Programs
In addition to meeting the structural and operational requirements that demonstrate accountability and independence, designated third-party safe harbor organizations are now required to (a) review participating companies’ security programs and operations and (b) provide all consumer complaints to the FTC as part of routine reviews.
One notable omission from the final rule involves clarity around COPPA’s role in education, in particular COPPA’s application to the use of third-party software in US schools, which has been applied ambiguously thus far. The proposed rules would have required distinct contractual obligations between schools and educational technology companies, putting control over personal data, along with authorization control, in the hands of the schools. The commentary notes, however, that the omission is due to deference to the Department of Education, which recently affirmed its intention to amend the Family Educational Rights and Privacy Act (FERPA).
Our Take: What Clients Need to Know and Technical Steps to Take
For our clients, the COPPA Rule amendments signal the need to reassess current privacy practices, policies, and technical measures. Here are some of the key steps businesses should take to prepare for compliance:
- Assessment of Trackers
- Determine which trackers are present on the sites/apps you develop or offer that may collect or receive children’s data.
- Determine whether these trackers are developed/offered by you (so-called “first-party trackers”) or by third parties (and if by third parties, which category of third party, such as targeting/advertising, analytics, etc.).
- If there are third-party trackers, identify which third parties are involved and decide whether your organization:
- would prefer to remove those third parties from your site/app (search also for legacy trackers and trackers that were placed inadvertently, particularly on unauthenticated pages, which historically have been less stringently controlled), and/or
- can obtain appropriate parental consent through the site or app before any Personal Information is disclosed to the third-party tracker.
- Review Consent Mechanisms
Ensure that parental consent is obtained separately and specifically for any targeted advertising or third-party data sharing involving children’s information. Companies should update consent workflows and documentation to avoid ambiguities.
- Audit Data Security Programs
Evaluate whether your current security infrastructure meets the heightened standards outlined by the FTC. This includes conducting regular risk assessments, maintaining up-to-date incident response plans, and adopting encryption and other safeguards for sensitive data. You must also obtain contractual assurances from the third parties with which you share children’s personal data that they will be compliant as well.
- Establish Retention Policies
Define clear retention and deletion schedules for children’s data. If your business collects information about minors, a written data retention policy addressing what information you collect must be posted on your company website or online service. The updated COPPA Rule also requires companies to retain children’s personal information for no longer than is reasonably necessary to fulfil the purpose for which it was collected, and it prohibits indefinite retention. Review your current practices for routine disposal of children’s information so that nothing is kept beyond what is reasonably necessary (excepting any regulatory retention or preservation requirements).
- Address Partial Compliance Scenarios
Businesses that serve both general audiences and children may only need to apply COPPA-specific rules to certain operations. For instance, platforms hosting user-generated content or educational apps might need to segregate child-directed activities from general operations. In these cases, data mapping and detailed documentation will be critical for demonstrating compliance.
- Educate Internal Teams
Legal, compliance, and technology teams must stay informed about the updated rules. Provide training to ensure employees understand their responsibilities and can identify areas where compliance is required.
- Monitor Enforcement Trends
Pay attention to FTC guidance and enforcement actions, particularly those involving nuanced cases. Agencies are likely to release additional clarifications as the industry navigates this updated regulatory environment.
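The “Assessment of Trackers” step above is, in practice, an exercise in classifying captured network requests. The script below is an added illustration and is not part of the original article or of NT Analyzer. It takes HAR-style request entries (constructed here inline), decides whether each host is first-party or third-party against a list of domains the operator controls, labels known third parties with a purpose, flags unknown hosts for review as possible legacy or inadvertent trackers, records which query parameters were sent, and counts third-party requests that fired before the parental-consent event. The domain names, the category map, and the consent timestamp are all assumptions made for the example; a real assessment would use a maintained tracker list and the vendors’ own disclosures.

```python
"""Inventory third-party trackers from a HAR-style capture.

Added example for illustration only; not code from the original article or
from NT Analyzer. Hostnames, categories and timestamps are constructed.
"""
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Registrable domains the operator controls (assumption for this example).
FIRST_PARTY_DOMAINS = {"kidsgame.example", "kidsgame-cdn.example"}

# Illustrative purpose map for known third-party hosts (constructed).
KNOWN_THIRD_PARTIES = {
    "ads.adnetwork.example": "targeting/advertising",
    "metrics.analytics.example": "analytics",
    "api.crashreport.example": "operational (crash reporting)",
}

# Moment the app recorded verifiable parental consent (assumption).
CONSENT_GRANTED_AT = datetime.fromisoformat("2025-03-01T10:00:05+00:00")

# Constructed HAR-like entries: only the fields this script needs.
CAPTURE = [
    {"startedDateTime": "2025-03-01T10:00:00+00:00",
     "request": {"url": "https://www.kidsgame.example/level/1"}},
    {"startedDateTime": "2025-03-01T10:00:01+00:00",
     "request": {"url": "https://static.kidsgame-cdn.example/app.js"}},
    {"startedDateTime": "2025-03-01T10:00:02+00:00",
     "request": {"url": "https://ads.adnetwork.example/pixel?uid=abc123"}},
    {"startedDateTime": "2025-03-01T10:00:03+00:00",
     "request": {"url": "https://metrics.analytics.example/collect?ev=start"}},
    {"startedDateTime": "2025-03-01T10:00:07+00:00",
     "request": {"url": "https://ads.adnetwork.example/pixel?uid=abc123&ev=lvl"}},
    {"startedDateTime": "2025-03-01T10:00:08+00:00",
     "request": {"url": "https://api.crashreport.example/report"}},
    {"startedDateTime": "2025-03-01T10:00:09+00:00",
     "request": {"url": "https://legacy-stats.oldvendor.example/beacon.gif"}},
]


def is_first_party(host: str) -> bool:
    """True if host is one of our domains or a subdomain of one.

    Simple suffix match; it does not consult the public suffix list, so
    shared hosting domains would need special handling in real use.
    """
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def inventory(entries, consent_at):
    """Group requests by host and summarise party, purpose and consent timing."""
    report = {}
    for entry in entries:
        url = urlparse(entry["request"]["url"])
        host = url.hostname
        started = datetime.fromisoformat(entry["startedDateTime"])
        if host not in report:
            first = is_first_party(host)
            report[host] = {
                "party": "first" if first else "third",
                "category": "first-party" if first else KNOWN_THIRD_PARTIES.get(
                    host, "unknown third party (review: legacy or inadvertent tracker?)"),
                "requests": 0,
                "pre_consent": 0,   # third-party requests sent before consent
                "params": set(),    # query parameter names observed
            }
        rec = report[host]
        rec["requests"] += 1
        if rec["party"] == "third" and started < consent_at:
            rec["pre_consent"] += 1
        rec["params"].update(parse_qs(url.query).keys())
    return report


def disclosure_list(report):
    """Third parties and purposes: the listing the amended rule expects."""
    return sorted((h, r["category"]) for h, r in report.items() if r["party"] == "third")


def pre_consent_disclosures(report):
    """Third-party hosts that received requests before parental consent."""
    return sorted(h for h, r in report.items() if r["pre_consent"] > 0)


if __name__ == "__main__":
    rep = inventory(CAPTURE, CONSENT_GRANTED_AT)
    for host, purpose in disclosure_list(rep):
        r = rep[host]
        print(f"{host}: {purpose}; {r['requests']} requests, "
              f"{r['pre_consent']} before consent; params={sorted(r['params'])}")
    print("pre-consent disclosures:", pre_consent_disclosures(rep))
```

Two findings from this constructed capture are the ones a practitioner would act on: the advertising and analytics hosts both received requests before consent was recorded, and an unknown host (the “legacy-stats” beacon) appears with no owner in the category map, which is exactly the legacy tracker the checklist warns about. Parameter names such as `uid` are what to inspect next when deciding whether Personal Information is actually being disclosed.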
For businesses operating in edge cases, it is essential to work with legal counsel to interpret the rules’ applicability and mitigate risks. If your operations involve general-audience platforms, the determination of whether COPPA applies may hinge on how content is targeted and the extent of children’s data collection.
Reach out for more information on how we can help your organization meet its COPPA and other privacy requirements. You may consider utilizing NT Analyzer, our firm’s in-house technical privacy compliance tool suite, which analyzes network traffic to complete these steps. Indeed, these COPPA amendments, like many other privacy trends (e.g., CCPA, mobile app store requirements, etc.), reinforce the importance for organizations of using technical frameworks to obtain line of sight on data collection and sharing that is otherwise hidden from view.
NT Analyzer is a practical tool suite for managing privacy compliance in mobile apps, websites, and IoT. The tool detects and tracks the full range of data, including PHI and PII, that is collected and shared, and then generates actionable reports through the lens of applicable privacy requirements, such as COPPA. To request a demo, please contact: NTAnalyzer@nortonrosefulbright.com.