The Federal Trade Commission (FTC) finalized long-awaited amendments to the rule implementing the Children’s Online Privacy Protection Act (the COPPA Rule) in January of this year. After President Trump froze rulemaking in February, it was unclear whether the amendments would take effect at all. On April 22, however, the FTC published the amended COPPA Rule in the Federal Register. The amended rule therefore takes effect on June 23, 2025, and businesses are expected to be in compliance by April 22, 2026.
These updates mark the first significant changes to the rules since 2013, and it’s safe to say that a lot has changed in digital marketing practices, cybercrime, and the capability of tracking technologies in that time. In this post, we outline how these amendments will affect compliance obligations in the US for organisations advertising to or offering products to children online.
Key Takeaways
- The changes to the COPPA rule are significant. You can find the FTC’s Amended Rule document here and the rule published in the Federal Register here.
- If you currently advertise to children or operate a website/online service directed to children, we strongly recommend working with legal counsel to bring your practices in line with the amended COPPA compliance requirements.
- One of the most significant changes is the requirement for advertisers to get opt-in consent for targeted advertising and to share personal information with third parties for advertising or other purposes.
- The amendments also place limits on data retention for children’s data, call for increased accountability and transparency programs, and revise the definitions for personal information to include biometric data (e.g., fingerprints, retina patterns, voiceprints) and government-issued identifiers (e.g., state ID and passport numbers).
What is COPPA?
The Children’s Online Privacy Protection Act is a U.S. federal law whose implementing rule has been in effect since 2000. It regulates the collection of personal information from children under 13 by certain online services, including websites, advertising networks, and mobile apps.
COPPA requires certain companies to obtain verified parental consent (“VPC”) before collecting personal information from a child.
It’s important to note that the definition of personal information under COPPA is different from the definition under many other privacy laws. Under COPPA, personal information includes anything that can be used to track a child across sites, apps, or devices. Persistent identifiers are all considered personal information under COPPA, which means that, absent parental consent (or a narrow exception, such as using a persistent identifier solely to support the internal operations of the service, e.g., security or frequency capping), companies are barred from collecting or tracking any of the following information about children:
- Cookies,
- Mobile advertising identifiers (e.g., the Google Advertising ID),
- Precise geolocation,
- Full IP address,
- Full referrer URLs,
- Full user agents,
- Photos,
- Videos, and
- Voice recordings of children.
What this means in practice is that COPPA bars behavioral advertising, retargeting, and user profiling of children.
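The identifiers listed above are the ones a request log or analytics pipeline collects by default. As an added example (not code from the original post), the block below shows one way an engineering team might coarsen a constructed request record for child-directed traffic: advertising IDs and precise geolocation are dropped, the IP address is truncated to its network, the referrer is cut back to its origin, and the user agent is reduced to a browser family. The field names and the judgement that these coarsened values are no longer tracking-grade are assumptions for illustration, not a legal conclusion; whether a given residual field still counts as a persistent identifier is a question for counsel.

```python
"""Coarsen the persistent identifiers COPPA treats as personal information.

Added example, not code from the original post. Field names (ip, referrer,
user_agent, gaid, lat, lon, ...) are hypothetical, and the choice of /24 and
/48 truncation, origin-only referrers and family-only user agents is an
engineering assumption about what stops cross-site tracking, not legal advice.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Fields dropped outright for child-directed traffic (hypothetical names).
DROP_FIELDS = {"gaid", "idfa", "ad_id", "lat", "lon", "tracking_cookie"}


def coarsen_ip(ip: str) -> str:
    """Keep only the network part of the address: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def coarsen_referrer(url: str) -> str:
    """Reduce a full referrer URL to its origin; paths and query strings identify."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}/"


# Order matters: Edge UAs contain "Chrome/", and Chrome UAs contain "Safari/".
_UA_FAMILIES = [
    ("Firefox", re.compile(r"Firefox/")),
    ("Edge", re.compile(r"Edg/")),
    ("Chrome", re.compile(r"Chrome/")),
    ("Safari", re.compile(r"Safari/")),
]


def coarsen_user_agent(ua: str) -> str:
    """Keep only the browser family; version and OS build strings add entropy."""
    for family, pattern in _UA_FAMILIES:
        if pattern.search(ua):
            return family
    return "other"


def minimize_record(record: dict) -> dict:
    """Return a copy of a request record with tracking-grade fields removed or coarsened."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "ip":
            out[key] = coarsen_ip(value)
        elif key == "referrer":
            out[key] = coarsen_referrer(value)
        elif key == "user_agent":
            out[key] = coarsen_user_agent(value)
        else:
            out[key] = value
    return out


# Constructed sample record for a child-directed site (not real traffic).
SAMPLE_RECORD = {
    "path": "/games/puzzle",
    "status": 200,
    "ip": "203.0.113.77",
    "referrer": "https://example.com/kids/landing?uid=42&campaign=spring",
    "user_agent": (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"
    ),
    "gaid": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "lat": 40.7128,
    "lon": -74.0060,
}

if __name__ == "__main__":
    print(minimize_record(SAMPLE_RECORD))
```

The record that survives is enough to debug and rate-limit the service but no longer carries the cross-site join keys in the list above; note that the raw record should not be written anywhere else before this step runs, since a second unminimized copy defeats the purpose.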
Key Changes Introduced by the FTC’s COPPA Amendments
Separate Verifiable Parental Consent for Targeted Advertising
Under the amended rules, operators must now obtain separate verifiable parental consent to disclose children’s personal information to third parties, including third-party advertisers, unless such disclosure is integral to the nature of the website or online service.
This effectively establishes a default consent framework that requires explicit separate opt-ins from parents for third-party behavioral advertising. In other words, COPPA now specifically separates consent for disclosure to third parties for targeted advertising, requiring an active choice from parents.
We’ve discussed the approved methods of collecting verifiable parental consent in more detail elsewhere.
Stricter Data Retention Requirements
Indefinite retention of children’s data is out under the 2025 COPPA amendments. While this was always a best practice, the amended rule now requires companies to retain personal information collected from a child only for as long as reasonably necessary to fulfill the specific purpose for which it was collected, and to delete it once that purpose has been served. Operators must also establish a written data retention policy, describe it in their online notice, and actually implement it.
We strongly suggest complying with the amended requirements here. The FTC has previously instituted enforcement proceedings against companies for failing to delete data collected about children (i.e., retaining it indefinitely). Moreover, two FTC Commissioners released a statement that specifically outlines the Commissioners’ expectation when it comes to deleting children’s data:
“companies [cannot] keep children’s information indefinitely. That provision also requires that companies set a schedule for deleting those children’s data.”
Later in the Statement, the FTC Commissioners note that businesses have repeatedly attempted to claim that the indefinite retention is ‘reasonably necessary’ to improve algorithms and that this is not reasonable, nor is it a justification to override legal bans on indefinite retention of data.
Expanded Definition of “Personal Information”
Personal information, under the amended COPPA rule means individually identifiable information about an individual collected online, including:
- A first and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information as defined by the rule;
- A screen or user name where it functions in the same manner as online contact information;
- A telephone number;
- A government-issued identifier, such as a Social Security number, state identification card, birth certificate, or passport number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
- A photograph, video, or audio file where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town;
- A biometric identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
So, what’s changed here?
The amendments expand the definition of ‘personal information’ for children, most notably by adding government-issued identifiers and biometric identifiers. The rule also adopts ‘such as’ language for many of the examples, signaling that the lists are illustrative rather than exhaustive. In other words, companies should be prepared for a wider range of information to fall under these categories, beyond what is specifically spelled out. One example might be ‘neural information’, i.e., information measuring the activity of a person’s central or peripheral nervous system. We’re already seeing neural information included in some U.S. state privacy frameworks, and this could be an area to watch for businesses developing wearables or operating in the video and virtual reality gaming industries.
The Meaning of ‘Directed to Children’
The meaning of ‘directed to children’ is expanded somewhat under the amended rules.
The amended rule retains the ‘fact-based’ determination of whether a website/online service is directed to children, however, it notes that enforcement authorities can specifically consider marketing or promotional materials or plans, representations to consumers/third-parties/reviews, and the age of users on similar websites. This beefs up the original rule from 2013, which highlighted the following considerations when determining if a website or online service is directed to children:
- Subject matter;
- Visual content;
- Use of animated characters or child-oriented activities and incentives;
- Music or other audio content;
- Age of models;
- Presence of child celebrities or celebrities who appeal to children;
- Sophistication of the language;
- Other characteristics of the website or online service; and
- Advertising materials promoting the website or advertising materials that appear on the website.
Other Key Changes
- The definition of a ‘mixed audience website or online service’ has been updated. The amended rule defines this as a website or online service that is directed to children under the COPPA criteria, but that does not target children as its primary audience. These websites/online services are allowed to collect personal information from visitors in a neutral manner without parental consent for the sole purpose of determining their age. Once a mixed audience website or online service determines that a visitor is 13 years of age or older, it may then collect personal information from that visitor without the need to obtain verifiable parental consent.
- The FTC has also focused on enhancing the accountability of FTC-approved COPPA Safe Harbor programs. Under the amended rule, these programs are now required to publicly disclose their lists of member operators and report additional information to the FTC as part of an effort to increase transparency and accountability. They will also undergo reviews of their privacy and security policies, practices, and representations to ensure they are effectively upholding the principles of COPPA.
- Operators must now provide more detailed information in direct notices to parents about third-party data sharing and the specific purposes of personal information collection. Online notices must also identify third-party recipients by name and category, along with the operator’s data retention policies.
Best Practices for COPPA Compliance
These are some best practices for COPPA compliance we’ve identified based on the amended COPPA rules:
Implement Strong Age Verification Measures
Age verification is tricky, since it requires companies to balance the privacy of all users with protecting children, as well as security, accuracy, and ease of use. It is, however, unavoidable for mixed-audience websites and online services, which may only treat a visitor as an adult after a neutral age screen shows the visitor is 13 or older. (A service whose primary audience is children does not age-screen; it must treat every user as a child.)
Your age screening must be robust and difficult for children to circumvent: ask for a date of birth in a neutral way that does not signal the cutoff, do not default to an answer that passes the screen, and retain only the outcome rather than the birth date. Note that the heavier methods often mentioned here, such as checking a government-issued ID, a credit card transaction, or an AI-enabled digital ID check, are methods for verifying the parent when obtaining consent, not for screening the child; collecting a government ID from a visitor who turns out to be under 13 is itself a collection of personal information. Whatever mechanisms you use, review them regularly to confirm they are working as intended.
Review & Update Your Published Privacy Documents
The amended rules require operators to publish at least two privacy notices:
- A direct notice that discloses to parents “the collection, use, or disclosure of personal information from children, including notice of any material change in the collection, use, or disclosure practices to which the parent has previously consented.” This should link to the main privacy notice; and
- A privacy notice (the online notice) that describes your information practices for personal information collected online from children. It must also include contact information for all operators of the website/online service, a description of what information is collected and how it is used and disclosed, and a statement that the parent can review or have deleted the child’s personal information.
Your privacy notices should be easily accessible, written in plain language that parents can understand, and clearly explain all data collection, use, and disclosure practices, including the specific identities or categories of any third parties involved. The policy should also explicitly detail the company’s data retention practices and schedules when it comes to data collected from children and the data collected from parents to confirm opt-in consents.
Want a downloadable checklist covering these best practices? Get yours here.
Obtain Verifiable Parental Consent Using Approved Methods
You will need to obtain separate and specific consent for disclosing a child’s personal information to third parties for the purpose of targeted advertising. Learn more here.
Practice Data Minimization and Purpose Limitation
Generally speaking, it’s a good privacy practice to collect only the personal information that is reasonably necessary to fulfill a specific, clearly defined purpose. Overcollecting can harm your reputation, erode trust, and it comes with higher costs for use and storage, as well as the additional risks of a breach. This is particularly true in the case of data collected from children, given the FTC’s high levels of enforcement activity for COPPA compliance.
That said, for the data you do need to collect, you will need to implement processes to ensure it’s deleted in a timely manner – once the purpose of collection has been fulfilled. Adopting a “less is more” approach to data collection and retention is going to be an asset when dealing with children’s data in the current compliance and enforcement landscape.
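The retention requirement described above, and the Commissioners’ statement that a deletion schedule must exist, translate directly into something an engineering team can execute. The block below is an added example, not code from the original post: it expresses a written retention schedule as per-purpose caps, refuses to load a schedule in which any purpose has no finite cap (the ‘indefinite retention to improve algorithms’ case), treats data with no declared purpose as already expired, and purges records whose purpose has been fulfilled or whose cap has passed. The purposes, retention periods and record shape are hypothetical; the actual periods are a legal and business decision.

```python
"""A written data retention schedule for children's data that you can execute.

Added example, not code from the original post. Purposes, caps and the Record
shape are hypothetical placeholders; the logic implements the points above:
every purpose has a finite cap, nothing is retained indefinitely, and records
are deleted when their purpose is served or the cap expires.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    max_age: Optional[timedelta]  # None means "no cap", which validate_schedule rejects


# The written schedule (hypothetical values): purpose -> maximum retention.
SCHEDULE = {
    "account_service": RetentionRule("account_service", timedelta(days=365)),
    "parental_consent_record": RetentionRule("parental_consent_record", timedelta(days=3 * 365)),
    "age_screen": RetentionRule("age_screen", timedelta(days=1)),
    "support_ticket": RetentionRule("support_ticket", timedelta(days=90)),
}


def validate_schedule(schedule: dict) -> None:
    """Fail closed: a purpose with no finite, positive cap cannot be deployed."""
    for purpose, rule in schedule.items():
        if rule.max_age is None or rule.max_age <= timedelta(0):
            raise ValueError(f"purpose {purpose!r} has no finite retention cap")


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_at: datetime
    purpose_fulfilled_at: Optional[datetime] = None  # e.g. consent withdrawn, ticket closed


def is_expired(rec: Record, now: datetime, schedule: dict = SCHEDULE) -> bool:
    """A record expires when its purpose is done, its cap passes, or it has no purpose."""
    rule = schedule.get(rec.purpose)
    if rule is None:
        # Collected for a purpose the written policy never declared: nothing justifies keeping it.
        return True
    if rec.purpose_fulfilled_at is not None and rec.purpose_fulfilled_at <= now:
        return True
    return now - rec.collected_at >= rule.max_age


def purge(records: list, now: datetime, schedule: dict = SCHEDULE) -> tuple:
    """Split records into (kept_ids, deleted_ids) according to the schedule."""
    validate_schedule(schedule)
    keep, deleted = [], []
    for rec in records:
        (deleted if is_expired(rec, now, schedule) else keep).append(rec.record_id)
    return keep, deleted


# Constructed sample records (not real data), evaluated at a fixed "now".
NOW = datetime(2025, 6, 23, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "account_service", datetime(2025, 1, 1, tzinfo=timezone.utc)),
    Record("r2", "age_screen", datetime(2025, 6, 20, tzinfo=timezone.utc)),
    Record("r3", "support_ticket", datetime(2025, 6, 1, tzinfo=timezone.utc),
           purpose_fulfilled_at=datetime(2025, 6, 10, tzinfo=timezone.utc)),
    Record("r4", "improve_algorithms", datetime(2024, 3, 1, tzinfo=timezone.utc)),
    Record("r5", "parental_consent_record", datetime(2022, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    kept, gone = purge(SAMPLE_RECORDS, NOW)
    print("keep:", kept)
    print("delete:", gone)
```

Run on a schedule (daily is typical) against every store that holds children’s data, including backups and analytics copies; a purge that runs only against the primary database leaves the indefinite-retention problem intact everywhere else.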
Ensure Transparency in Advertising Practices
You must clearly and conspicuously disclose the identities and specific categories of any third parties with whom you share children’s data. To do this, you should audit the third parties you share information with and confirm whether the disclosures to these third parties are ‘worth’ the effort of declaring the disclosures and obtaining separate opt-ins.
If they are, you must provide a notice that explains in clear and accessible terms the purposes for which data is collected and shared in the context of advertising, and opt-in consent must be collected from parents.
Honor Parents’ Ongoing Rights Regarding their Children’s Information
If a parent asks you to, you must:
- Enable them to review the personal information you have collected from their child;
- Provide them with a way to revoke their consent and prohibit further processing of their child’s information; and
- Delete their child’s information.
Where parental consent for targeted advertising is not obtained (or would be costly and difficult to collect), consider introducing contextual advertising as an alternative.
Take Reasonable Measures to Protect the Security of Children’s Information
The COPPA Rule requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children” and to “take reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the information’s confidentiality, security, and integrity and provide assurances that they will do so”.
In practice this means you should implement and maintain a comprehensive written information security program that documents and addresses the risks that come with collecting data from children. You will also need to designate at least one employee to coordinate this security program, and you will need to regularly test and evaluate it (at least annually).
The security measures you adopt must reflect your company’s size and complexity and the sensitivity of the data you collect from children. In other words, if you collect sensitive information from children, your security measures must adequately reflect that risk (regardless of how big your company is).
Businesses should run cost-benefit analyses when deciding whether to collect this data in the first place. It’s likely that the costs of adequate security measures will be higher than ‘the average’ security program.
What If You Get COPPA Compliance Wrong?
COPPA compliance has been regularly enforced by the FTC. We don’t yet have the figures for 2024, but we know that the FTC brought 42 COPPA cases in 2023, resulting in more than half a billion dollars in civil penalties. So, it’s safe to say that failure to comply with the updated COPPA rules carries significant risk of financial penalties against companies.
Beyond monetary penalties, companies also face legal action from the FTC and state attorneys general, which can result in costly lawsuits, injunctive relief, and court orders impacting business operations. Furthermore, COPPA violations can severely damage a company’s reputation and erode customer trust, especially among parents. Negative press and social media backlash can make it difficult to attract and retain users, particularly harming companies striving to build brand credibility within the family market.
Access Outsourced Privacy Counsel
CGL LLP offers outsourced, on-demand privacy counsel services, providing growing companies with access to partner-level privacy counsel without the need for (or cost of) a full-time in-house legal team. Our team can provide expert advice and guidance on all aspects of COPPA compliance, helping you understand your obligations and implement effective strategies to meet them.
If you’re uncertain about your obligations under the COPPA, reach out. Our privacy attorneys are available to help.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.