ARTICLE
5 August 2025

Amendments To The COPPA Rule Now In Effect

BB
Bass, Berry & Sims

Contributor

Bass, Berry & Sims logo
Bass, Berry & Sims is a national law firm with nearly 350 attorneys dedicated to delivering exceptional service to numerous publicly traded companies and Fortune 500 businesses in significant litigation and investigations, complex business transactions, and international regulatory matters. For more than 100 years, our people have served as true partners to clients, working seamlessly across substantive practice disciplines, industries and geographies to deliver highly-effective legal advice and innovative, business-focused solutions. For more information, visit www.bassberry.com.
Explore Firm Details
On June 23, significant amendments (Amendments) to the Children's Online Privacy Protection Act (COPPA) Rule (COPPA Rule) became effective, which increase obligations on many operators of websites and online services.
United States Privacy
Samantha Ross Liskey and Roy Wyman

On June 23, significant amendments (Amendments) to the Children's Online Privacy Protection Act (COPPA) Rule (COPPA Rule) became effective, which increase obligations on many operators of websites and online services. The Federal Trade Commission (FTC) designed the Amendments with the intent to increase transparency regarding data collection and usage, impose stricter limitations on the sharing of children's data, and strengthen data security and retention requirements. While the updated COPPA Rule became effective on June 23, businesses subject to COPPA must achieve full compliance by April 22, 2026.

Background

Congress enacted COPPA in 1998 to safeguard children's privacy on the internet and to provide parents with greater control over the collection of their children's personal information. The COPPA Rule applies to operators (Operators) of websites and online services that target children or knowingly collect personal information from children under 13 years of age.

Operators are required to fulfill several key obligations, including the following:

  • Provide direct notice to parents regarding their data practices.
  • Obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.
  • Afford parents the ability to review, delete, and restrict further use of their child's personal information.

The FTC last amended the COPPA Rule in 2013 to address the proliferation of mobile devices and social media platforms. The new Amendments, finalized in January 2025 and published on April 22, reflect the continued evolution of online services and growing concerns regarding data privacy.

Key Amendments

Heightened Transparency Obligations for Direct Notice to Parents

The "direct notice" that Operators must send to parents before collecting children's personal information must now include the identities and specific categories of third-party recipients of children's information as well as the purposes for such disclosures. Additionally, the direct notice must include a statement that the parent can consent to the collection and use of the child's personal information without consenting to the further disclosure of such information to third parties, except to the extent such disclosure is integral to the website or online service.

Additional Parental Consent Required for Disclosure to Third Parties

Operators are now required to obtain separate verifiable parental consent prior to disclosing a child's personal information to third parties for targeted advertising purposes unless such disclosure is integral to the website or online service. This requirement is in addition to the initial parental consent required for the broader collection, use and/or disclosure of children's personal information. The FTC has not mandated a specific method for obtaining this separate consent, but any method used must be "reasonably calculated, in light of available technology, to ensure that the person providing the consent is the child's parent."

New Consent Mechanisms

In addition to previously approved methods for verifying parental identity, the Amendments introduce three new methods for obtaining verifiable parental consent. These include: (1) knowledge-based, multiple-choice questions that a child could not reasonably answer; (2) facial recognition technology using an authorized government photographic identification; and (3) the "text plus" method, whereby the parent receives a text message followed by an additional step (such as a confirmatory text message, letter, or telephone call) to verify the recipient's identity.

Enhanced Data Security and Retention Policies

Operators are now required to provide written notice on their websites regarding their data retention policies for children's information. Operators are now prohibited from retaining such information indefinitely and may retain such data only as long as reasonably necessary to fulfill the specific purpose for which it was collected. The public notice regarding data retention must state the purpose for collecting children's data, the business need and the timeframe for the deletion of such information.

Additionally, Operators must now implement a written information security program with safeguards that are appropriate, taking into account the sensitivity of the children's personal information being collected and the Operator's size, complexity, and activities. At a minimum, the program must include an employee coordinator, annual risk assessments with corresponding safeguards, ongoing testing and monitoring, and annual evaluations and modifications to address new or more efficient technical or operational risk controls. Operators must also ensure that any third party receiving children's information can maintain its confidentiality, security, and integrity.

Definition Updates

The Amendments introduce a new definition for "mixed audience website or online service," permitting Operators of such sites to collect personal information for limited purposes without first obtaining parental consent, e.g., providing parental notice, responding directly to a specific request from a child, or ensuring a child's safety. This information can be collected prior to determining the age of the individual. These exceptions apply only if the Operator does not otherwise use or disclose such personal information for any other purpose.

  • The Amendments also expand the definition of "personal information" to include government-issued identifiers (such as birth certificates and passport numbers) and biometric identifiers (such as fingerprints, retina patterns, genetic data, and handprints).
  • In determining whether a website is "directed to children," the Amendments add factors such as the website's marketing or promotional materials or plans, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services.

Safe Harbor Program

The COPPA Rule's Safe Harbor provision allows industry groups or others to submit self-regulatory guidelines to the FTC for approval, provided they meet or exceed the COPPA Rule's protections. Following the recent Amendments, FTC-approved COPPA Safe Harbor programs must now publicly disclose their membership lists and provide records of disciplinary actions taken. Safe Harbor programs must comply with these new requirements by October 22, 2025.

Important Dates

  • October 22, 2025 – Deadline for Safe Harbor programs to comply with new disclosure requirements
  • April 22, 2026 – Deadline for Operators to fully comply with new COPPA Rule amendments

The authors wish to thank summer associate Maddy Tillery for her contributions to this content.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Samantha Ross Liskey
Samantha Ross Liskey
Photo of Roy Wyman
Roy Wyman
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More