FTC Adopts Amended Children’s Online Privacy Protection Act Rule
On January 16, 2025, the Federal Trade Commission (FTC or Commission) finalized changes to the Children’s Online Privacy Protection Act (COPPA) Rule (Final Rule). The Final Rule largely adopts the amendments proposed in a January 2024 Notice of Proposed Rulemaking (2024 NPRM), which we summarized previously, with a few exceptions.
The Final Rule goes into effect 60 days after publication in the Federal Register. Entities will have one year after publication to comply, with the exception of FTC-approved COPPA Safe Harbor programs, which have earlier compliance deadlines. The rule changes are explained below along with insights into how the new Administration may approach the rule change.
New Requirements
The Final Rule largely adopts the proposed changes from the 2024 NPRM, including:
Notice Requirements: Operators must provide more transparent notices. For online notices, operators must disclose the “identities and specific categories of any third parties to which the operator discloses personal information and the purposes of such disclosures, and the operator’s data retention policy. . . .” Operators must also disclose how they collect persistent identifiers and explain how they ensure the identifier is only used for the website’s internal operations and is not used or disclosed to contact a specific individual. If an operator collects audio files containing a child’s voice, it must also disclose “how the operator uses such audio files and that the operator deletes such audio files immediately after responding to the request for which they were collected.”
Methods for Verifiable Consent: In addition to currently authorized methods, the Final Rule adopts three new methods for an operator to obtain verifiable parental consent.
First, an operator can verify a parent’s identity using knowledge-based authentication that (1) “uses dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low;” and (2) uses questions of a “sufficient difficulty that a child age 12 or younger in the parent’s household could not reasonably ascertain the answers. . . .” Second, the operator may use facial recognition using a government-issued photographic identification, “provided that the parent’s identification and images are deleted by the operator . . . after the match is confirmed.” Third, the operator may “use a text message coupled with additional steps to provide assurances that the person providing the consent is the parent.”
Operators must provide parents with the option to consent to the collection and use of the child’s personal information without consenting to the disclosure of such information, “unless such disclosure is integral to the nature of the website or online service.” Separate verifiable consent to such disclosure is required.
Definition and Management of Personal Information: The definition of “personal information” was expanded to include government-issued identifiers and “biometric identifier[s] that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints.”
Operators are required to “establish, implement, and maintain a written information security program” and “obtain written assurances” that any third parties collecting information on the operator’s behalf “will employ reasonable measures to maintain the confidentiality, security, and integrity of the information.”
Data Retention: Children’s personal information must be deleted “when such information is no longer reasonably necessary for the purposes for which it was collected” and “may not be retained indefinitely.”
Safe Harbor Programs: The Final Rule implements new requirements and compliance deadlines for FTC-approved COPPA Safe Harbor programs. No later than six months after publication of the Final Rule, Safe Harbor programs must submit a report to the FTC that identifies (1) operators currently certified under the program, (2) approved websites or online services, and (3) operators that have left the program. No later than 90 days after publication, each Safe Harbor program must publicly post and regularly update a list of current operators on its websites. The Final Rule also adopts the proposed self-regulatory requirements for Safe Harbor programs, which require that the programs “submit a report on the program’s technological capabilities and mechanisms for assessing subject operator’s fitness” no later than three years after publication in the Federal Register, and every three years thereafter.
Rejected Proposals
The Commission declined to adopt two proposals from the 2024 NPRM regarding push notifications and educational technology.
Push Notifications: The 2024 NPRM proposed to disallow operators from using persistent identifiers to “encourage or prompt use of a website or online service.” The proposed rule change was designed to address concerns about children’s overuse of online services due to push notifications. The Commission ultimately declined to adopt the additional language because it was overly broad.
Education Technology: The Commission proposed several modifications relating to educational technology in the 2024 NPRM, including new definitions of “School” and “School-authorized education purpose,” as well as provisions governing collection of information from children in schools, and codifying a school authorization exception to obtaining verifiable parental consent. The Commission decided not to finalize any of these proposed amendments related to educational technology or schools in light of the U.S. Department of Education’s plans to update and clarify current regulations under the Family Educational Rights and Privacy Act (FERPA).
Looking Forward
The Final Rule was passed 5-0, with incoming FTC Chair Andrew Ferguson issuing a concurring statement. Commissioner Ferguson stated that he voted in favor of the Final Rule as “these amendments to the old COPPA Rule are the culmination of a bipartisan effort initiated when President Trump was last in office.” In his concurrence, he identifies three issues with the Final Rule that he argues were the result of a rushed process and that the next Commission may need to address. He indicates that the FTC going forward may consider (1) clarifying the definition of “materiality” in relation to parental disclosure requirements; (2) modifying the prohibition on the indefinite retention of personal information; and (3) clarifying an exception for the collection of children’s personal information for the sole purpose of age verification.
***
Wiley’s Privacy, Cyber & Data Governance team has helped companies of all sizes comply with their state and federal privacy and cyber obligations. Please reach out to the authors with any questions.