After the Children’s Online Privacy Protection Rule (COPPA) updates, proposed by the FTC’s Final Rule, were paused due to an Executive Order in January this year, many wondered whether that would be the end of the long overdue updates. On April 22, the FTC ended some (but not all) of that speculation when it published its final amendments to COPPA. Presuming no further changes, these amendments will mark the first major updates to the rule since 2013.
While the amendments largely mirror those announced in January, there are a few key updates that may leave operators scrambling to comply by the June 23, 2025 deadline.[1]
COPPA 2.0: Definitions
Personal information now includes biometric identifiers:
- Fingerprints, handprints, retina patters, iris patterns, genetic data
- Voiceprints, facial templates, faceprints, and gait patterns
Online Contact Information now includes mobile phone numbers when used to send text messages to parents for consent purposes.
Government-Issued Identifiers now include state ID cards, birth certificates, and passport numbers.
Mixed Audience Websites/Services now has a separate definition for sites that are directed to children but do not target them as a primary source.
COPPA 2.0: Additional Updates
New Methods for Verifiable Parental Consent: Verifiable Parental Consent may now be obtained through knowledge-based authentication questions (multiple choice questions), facial recognition to match parent provided government-issued ID’s, and “text plus” verification methods.
Expanded Disclosure Requirements
- Direct Notices must now include:
- How the operator uses the information it collects
- What third parties are receiving information, by their name and category
- Purposes for any disclosures
- Online Notices must now include:
- The operator’s data retention policy
- How persistent identifiers are used for internal operations
- How audio files are used
New Data Security and Retention Requirement
- Information Security Programs must now include:
- An employee(s) to coordinate the program
- Risk assessments at least annually
- Regularly tested safeguards
- Written assurances from third parties
- Data Retention Policies must now include:
- Why information is collected
- The business need for the information retention
- A timeframe for deletion of the information
- Be included in the online notice
- Clear prohibition on the indefinite retention
Safe Harbor Program Enhancements
- Increased transparency for FTC-approved COPPA Safe Harbor Programs:
- Must now publicly post all member operators and their certified websites/services
- Annual reports must now include details about disciplinary actions
In remarks at the IAPP Global Privacy Summit, FTC Commissioner Melissa Holyoak recognized the potential for growing pains related to company compliance with the new amendments, as well as how the FTC is prepared to work through such efforts. Whether and to what extent companies can rely on that understanding remains to be seen. For now, companies will undoubtedly scramble to some extent to understand and apply these definitions.
To read more about the FTC COPPA updates see: https://www.govinfo.gov/content/pkg/FR-2025-04-22/pdf/2025-05904.pdf
[1] Regulated entities have until April 22, 2026 to come into compliance.
[View source.]
