FTC's Amendment to COPPA Enhances Protections for Children Under 13

FTC’s Amendment to COPPA Enhances Protections for Children Under 13

Atlanta, Ga. (January 21, 2025) - On January 16, 2025, the Federal Trade Commission (“FTC”) issued its final rule amending the Children’s Online Privacy Protection (“COPPA”) Rule by a unanimous vote. The amendment to the COPPA Rule addresses changes that will enhance protections for children under the age of 13 in areas such as the advancement in technology, online practices, and the evolving digital landscape to ensure children’s online privacy remains a top priority.

The new rule updates key definitions, updates the parental consent procedures, expands the disclosure requirements for parental notices and privacy policies, and enhances accountability under the Safe Harbor Program. The definition of “Personal Information” under COPPA now includes biometric data. The new rule also clarifies that there are certain permissible data uses that fall outside of the parental consent requirements, such as “support for internal operations,” including improving service functionality, debugging, and user authentication. Despite these permissible uses, the data may not be used for behavioral advertising.

The new rule also requires technology-driven age screening methods that prohibit personal data collection from any visitor until a user’s age is determined. Under the new rule, parents can now provide consent via text message. The “text plus” consent procedure combines text messaging with additional verification steps, such as confirming consent through unique codes, rather than limiting the means of consent to email or phone calls.

Concomitant with the updated consent procedures, the new rule also expands the disclosure requirements in both parental notices and privacy policies, ensuring parents have a comprehensive understanding of how their children’s data is handled. Parental notices must list every third party with whom children’s personal information is shared, along with the purpose of sharing. Any material change to data sharing practices, such as introducing new third party recipients, require updated parental consent ensuring parents are kept informed of material updates affecting their children’s data. This also extends to updates in privacy policies, which must now explicitly describe the collection and handling of persistent identifiers. Any omission in these disclosures could result in a COPPA violation. Parental notices must also address situations where information may be made publicly available.

Finally, the FTC has also overhauled COPPA’s Safe Harbor Program to enhance accountability and transparency. Organizations that manage safe harbor programs are now required to conduct comprehensive evaluations of a participant’s data security practices in addition to their privacy operations. These reviews must include detailed assessments of encryption protocols, data retention policies, access controls, and other technical safeguards designed to protect children’s personal information. To further strengthen the integrity of safe harbor programs, the FTC has also introduced measures to ensure operational independence to avoid conflicts of interest.

The FTC has also emphasized the need for greater transparency within safe harbor programs. As part of the new requirements, organizations must submit all consumer complaints received to the FTC during regular evaluations. This ensures that any potential noncompliance issue is promptly escalated for investigation. Additionally, safe harbor programs are now obligated to provide annual reports to the FTC. These reports must detail the compliance measures implemented, audit outcomes, and any enforcement actions taken against participants.

The FTC stopped short of approving proposed amendments to the COPPA rule with regards to the treatment of EdTech providers. The FTC opted to wait for related changes due to the potential for confusion and overlap with the Family Education Rights and Privacy Act (“FERPA”). Thus, while the FTC has proposed changes, it will not finalize the proposed amendments so as to avoid any conflicts with the current proposed amendments to FERPA that were issued by the Department of Education in the fall of 2024.

The amendments to COPPA are set to take effect 60 days after their publication in the Federal Register. The compliance requirements, however, come with a 365-day implementation period, which provides businesses sufficient time to align their operations with the updated rules.

For more information, contact the authors of this alert. Visit our Data Privacy & Cybersecurity Practice page to learn more about our capabilities in this area.

Authors:

Tawana Johnson, Partner and Vice Chair of Data Privacy & Cybersecurity Practice

Nicholas Ramos, Associate