The Federal Trade Commission has published a Final Rule amending the Children’s Online Privacy Protection Act (“COPPA”) regulations.  The Final Rule takes effect on Monday, June 23, 2025, but generally allows operators 365 days from its publication date in the Federal Register (April 22, 2025) to come into full compliance.  The Final Rule contains some substantive changes (including a prohibition on indefinite retention of a child’s data) and is accompanied by commentary that may be of interest (including the FTC’s position that using a child’s data to train AI requires parental consent).

Background

Congress passed COPPA in 1998, and the Federal Trade Commission promulgated implementing regulations in 1999.  The Rule governs the personal information that websites and apps may collect from children under 13 and requires verifiable parental consent before that information is collected and used.  The FTC amended the COPPA Rule in 2013 and began a further review of the Rule in 2019; that process, slowed by COVID, has now produced the final amendments described below.

COPPA Rule Changes

Unlike the 2013 changes, the latest changes are few in number.  For example, the FTC will now permit websites/apps to obtain parental consent via text message in order to collect and share a child’s personal information, as long as the text message is coupled with additional steps that provide assurance that the person giving consent is the parent and not the child.  Those additional steps include: “Sending a confirmatory text message to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call.”  The confirmatory notice must state that the parent can revoke any consent given in response to the earlier text message.

The FTC also expanded the definition of “personal information” to include a “biometric identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints.”

Because many websites and apps are not exclusively directed to children under 13, whether COPPA applies to a particular website or app is a multi-factor analysis.  The FTC has now added four more factors to aid in determining whether a site/app is directed to children: “competent and reliable empirical evidence regarding . . . marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services.”

The FTC also expanded the information available to parents, as well as the choices parents can make.  If the website/app discloses personal information to third parties, the direct notice to the parent must now include not only the purpose of the disclosure but also the identity or specific category of the third parties that would receive the data.  The FTC made clear that a parent may consent to the collection alone, declining the disclosure to third parties, or may consent to both.

On a related note, the FTC will require that the online notice posted on the website/app include:

  • identities and specific categories of any third parties to which the operator discloses personal information;
  • the purposes for such disclosures;
  • the operator’s data retention policy for such data;
  • if applicable, the specific internal operations for which the operator has collected a persistent identifier for the child; and
  • where the operator collects audio files containing a child’s voice and no other personal information, a description of how the operator uses such audio files and that the operator deletes such audio files immediately after responding to the request for which they were collected. 

The FTC also added several requirements relating to the security of children’s data, including (a) maintaining a written information security program; (b) designating one or more employees to coordinate that program; and (c) conducting at least annual assessments of internal and external risks.  In addition, before allowing other operators, service providers, or third parties to collect or maintain personal information from children, the operator of the website/app must “determine that such entities are capable of maintaining the confidentiality, security, and integrity of the information and must obtain written assurances that such entities will employ reasonable measures to maintain the confidentiality, security, and integrity of the information.”  The FTC stated in the commentary that these requirements are modeled on the FTC’s Safeguards Rule.

With respect to retention, the FTC has amended that section of the rule to read:

    An operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the specific purpose(s) for which the information was collected. When such information is no longer reasonably necessary for the purposes for which it was collected, the operator must delete the information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion. Personal information collected online from a child may not be retained indefinitely. At a minimum, the operator must establish, implement, and maintain a written data retention policy that sets forth the purposes for which children’s personal information is collected, the business need for retaining such information, and a timeframe for deletion of such information. The operator must provide its written data retention policy addressing personal information collected from children in the notice on the website or online service . . .

The operative sentence is the flat prohibition: “Personal information collected online from a child may not be retained indefinitely.”  More specifically, the FTC requires “a hyperlink to the operator’s online notice that must describe the business need for retaining children’s personal information and the timeframe for deleting it.”  In the commentary, the FTC pointed out that “if operators are not deleting that information as required, then they will be liable for that failure under the relevant provision of the Rule.”

FTC Commentary

In addition to the Rule changes themselves, the FTC’s 130+ pages of commentary in the Federal Register notice also contained some noteworthy insights:

AI Training.  “Disclosures of a child’s personal information to third parties for monetary or other consideration, for advertising purposes, or to train or otherwise develop artificial intelligence technologies, are not integral to the website or online service and would require consent.”

Biometrics.  “The Commission also expects that biometric identifiers, particularly when combined with increasingly sophisticated methods of consumer profiling, potentially could be used to track and deliver targeted advertisements to specific children online, which would constitute online contact.”  The FTC also found “as some commenters noted, storage of sensitive biometric identifiers for even limited periods of time increases the risk that such data will be compromised in a data security incident.”

Our Take

Unsurprisingly, children’s data is the subject of heightened regulatory attention.  The focus on data retention is also not new: the FTC, like many other regulators, has realized that over-retention of personal data magnifies the impact of a breach, and data that no longer exists cannot be misused.  Although the FTC or another regulator is not likely to audit a company solely to check compliance with the disposal requirements, regulators have started issuing fines for over-retention once a company has a security incident and the retained data is exposed.  As the FTC makes clear here, a violation of the deletion requirements is a violation of the COPPA Rule and, in 2025, is subject to a civil penalty of up to $53,088 per violation.

With respect to AI, the FTC did not say whether it considers the parental consent requirement to apply to children’s data that was collected before the effective date and is later used for AI training, nor did it describe what a company must do if a parent withdraws consent after the data has already been incorporated into a trained model.  The FTC also did not address how the data disposal requirements apply to that training data.