On January 16, 2025, the Federal Trade Commission (FTC) finalized amendments to the Children’s Online Privacy Protection Act (COPPA) Rule (Final Rule), which completes the process that started back in 2019 when the FTC sought comments for the first update to the COPPA Rule since 2013. The Final Rule ushers in several important changes that will affect when child-directed sites can target advertisements to children, how the FTC defines a “mixed audience” site, required disclosures in privacy notices, and data retention, among others.
At the same time, the FTC declined to add several amendments proposed in the 2023 Notice of Proposed Rulemaking (NPRM), including limitations on the use of persistent identifiers to encourage children to continue using a site. It also declined to make changes to how it approaches educational technology companies’ reliance on schools to get verifiable parental consent (VPC). The amendments in the Final Rule are too numerous to address in this note, so we focus on those that are likely to be most impactful for the most businesses. The Final Rule will become enforceable 60 days after its publication in the Federal Register.
What is COPPA?
As a refresher, the COPPA statute and rule regulate how operators of online services, such as e-commerce websites, online games, and social media sites, collect, use, and share personal information of users who are children under the age of 13 (children). Operators of online services that are directed to children as their primary audience must get VPC before they may collect any personal information from users. When obtaining VPC, the services must provide a direct notice to parents that informs them of the personal information the operator will collect. The Final Rule makes several important changes to these fundamental requirements.
The Final Rule adds and modifies several key terms, including the following:
“Mixed Audience” Sites and Limitations on Their Collection of Personal Information. The 2012 COPPA Rule amendments and subsequent FAQ introduced the concept of mixed audience sites but did not define the term. The Final Rule defines the term to mean an online site or service that is directed to children but does not target children as its primary audience and does not collect personal information from any visitor, other than to estimate whether the visitor is a child. The site may only collect information to determine whether a visitor is a child in a neutral way, meaning that the site may not suggest that visitors who are 13 and over will get additional benefits or a better experience. Once a mixed audience site determines that a user is 13 or over, it may collect personal information from the visitor without VPC. The site may not deny access to visitors who are under 13, but it may require VPC or provide an experience that does not collect their personal information.
“Website or Online Service Directed to Children.” The Final Rule adds to the non-exhaustive list of information the FTC may consider when determining whether a site is directed to children to include “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services.”
“Support for the Internal Operations of the Website or Online Service.” The 2012 COPPA Rule amendments introduced the term “support for the internal operations” of a site to permit collection of persistent identifiers from children (e.g., IP addresses, user IDs, etc.) without VPC for certain internal operations purposes, such as fraud detection, security, site operations, and contextual advertising. The Final Rule clarified that persistent identifiers may be used and disclosed for those enumerated purposes.
“Online Contact Information” and Mobile Phone Numbers. The Final Rule updates the definition of “online contact information” to include mobile phone numbers, provided that the operator collects them solely for the purpose of sending a text message as part of the process of obtaining VPC.
“Personal Information” Amended to Include Biometric Identifiers. The Final Rule adds biometric identifiers to the types of data that are personal information of a child, which it defines as an “identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints.”
Parental Direct Notice Must State How the Operator Intends to Use the Child’s Personal Information. When obtaining VPC under the Final Rule, operators of sites and online services that are directed to children will need to identify the personal information they will collect from children as well as how they intend to use that information. Since the requirement to describe how operators intend to use children’s personal information is new, operators that obtain VPC will likely need to update their direct notice disclosures.
Parental Direct Notice and Website Notice Concerning Disclosure to Third Parties. The Final Rule adds a new parental direct notice requirement concerning disclosure of personal information to third parties. Under the Final Rule, operators who seek VPC must notify parents of the identities or specific categories of third parties to whom they will disclose the child’s personal information (including the public if making it publicly available) and the purposes for the disclosure. The notice must also give parents the right to consent to the collection and use of the child’s personal information without consenting to its disclosure, unless the disclosure is necessary for the operation of the site (e.g., a hosting provider).
The website notice, on the other hand, requires identification—by both name and category—of the third parties to whom the operator will disclose children’s personal information. Many child-directed sites will need to amend their privacy policies to comply with this identification requirement.
Separate, Express Consent for Sharing Personal Information for Targeted Advertising. The Final Rule will require separate parental consent to disclose children’s personal information to advertisers and other third parties for monetary or other consideration, for targeted advertising purposes, or for training or otherwise developing artificial intelligence technologies.
Website Notice of Specific Internal Operations for Which Persistent Identifiers Will be Used. Under the Final Rule, operators of websites or services directed to children that collect persistent identifiers to support internal operations will need to update their website privacy policies to identify the specific internal operations for which they collect personal information and the means they use to prevent the use of those identifiers to contact individuals or to profile.
Website Notice of Data Retention Policy. The Final Rule requires operators to include in their privacy policies their data retention policy for the personal information collected from children. Operators may not retain personal information for longer than necessary to fulfill the purpose for which it was collected.
Monetary Charge Requirement No Longer Needed for VPC. Processing and subsequently refunding a credit or debit card payment, often in the form of a micropayment, has always been a means by which operators could obtain VPC. Under the Final Rule, processing a monetary charge on a transaction is no longer required, provided that the transaction through the payment card “provides notification of each discrete transaction to the primary account holder.”
Knowledge-Based Questions. The Final Rule codifies as an approved VPC method the use of a knowledge-based authentication process, which involves “us[ing] dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low,” and “the questions are of sufficient difficulty that a child age 12 or younger in the parent’s household could not reasonably ascertain the answers.”
Facial Recognition. Under the Final Rule, operators will be permitted to verify a parent’s ID by matching a selfie photo with that of a verified photo ID, such as a driver’s license number. This type of identification technology is already widely in use on other non-child sites and will make obtaining VPC more accessible to many child-directed sites. Operators who choose to use this method must promptly delete the parent’s photo ID and facial image after confirming they match.
Extension of “Email Plus” Consent to Text Messaging. “Email plus” is an existing method of VPC through which the child is prompted to provide a parent’s email address and the operator sends an email to the parent with the direct children’s privacy notice and request for consent to allow the child to use the site. If the parent consents, the site must then send a confirmation of the consent. The Final Rule extends this form of VPC to permit the operator to send a text message instead of an email. Both forms of VPC come with an important limitation: This method may only be used when an operator does not disclose children’s personal information to a third party.
Written Information Security Program. The Final Rule requires operators to establish, implement, and maintain a written information security program that contains certain safeguards prescribed by the Final Rule that are appropriate to the sensitivity of personal information collected from children and to the operator’s size, complexity, and nature and scope of activities. Operators need not implement these requirements specifically for personal information collected from children if the operator already has an information security program that complies with the Final Rule’s minimum requirements and that applies to all personal information the operator collects.
Data Retention Policy. As noted above, operators must establish and maintain a written data retention policy specifying the purposes for which children’s personal information is collected, the business need for retaining such information, and a time frame for deleting it, which may not be longer than the time needed to fulfill the purpose for which it was collected. Operators cannot indefinitely retain personal information collected online from a child.
The Final Rule left out several amendments that the FTC proposed in the NPRM.
The FTC declined to add any specific provisions on when operators could rely on educational institutions to obtain VPC and the limits on that consent in light of forthcoming amendments by the Department of Education to the Family Educational Rights and Privacy Act regulations. The FTC intends to continue to enforce COPPA in the ed tech context consistent with its existing guidance.
Prohibition on Using Persistent Identifiers to Encourage More Engagement with a Site or Service. In the 2022 NPRM, the FTC proposed amending the definition of “Support for Internal Operations” to prohibit sites from using persistent identifiers to encourage children to engage more with the site, such as in-game notices or website pop-ups. The Final Rule reversed course and rejected that addition.
Avatars. The FTC declined to expand the definition of personal information to include avatars generated from a child’s image.
Most operators of mixed audience and child-directed sites will need to review and update their children’s privacy policies and notice and consent practices to comply with the Final Rule by the end of 2025. In particular, operators should: