On January 16, 2025, the Federal Trade Commission (FTC or Commission) published a final rule updating the Children's Online Privacy Protection Act (COPPA) Rule (Final Rule). This Final Rule follows a January 2024 notice of proposed rulemaking (2024 NPRM) after the FTC initiated its review of the COPPA Rule in July 2019. The Final Rule will go into effect 60 days after its publication in the Federal Register.
Nevertheless, the prospects for this Final Rule are uncertain. On January 20, 2025, President Trump took executive action to freeze all pending federal regulations. Although the FTC published the Final Rule on the FTC website, the Final Rule was not published in the Federal Register prior to the change in administration. Rules that have not yet been published in the Federal Register now must be reviewed and approved by an agency head designated by President Trump. With the FTC now headed by Chair Andrew Ferguson—who voted in favor of the Final Rule but expressed several concerns in his concurring statement—the Final Rule will not move forward absent review and approval by Chair Ferguson.
I. Key Changes to the COPPA Rule
If the Final Rule goes into effect in its current form, notable changes to the COPPA Rule include (1) additional examples of evidence to consider when determining whether an online property is directed to children; (2) revisions to COPPA's existing consent requirements; (3) new methods for obtaining verifiable parental consent; (4) new notice obligations for covered operators; and (5) new requirements for information security programs and data retention policies.
Additional Child-Directed Factors
The Final Rule adds four examples of "evidence" that the FTC will consider when evaluating the "intended audience" of an online property to assess whether it meets the definition of "website or online service directed to children." These examples are (1) marketing or promotional materials; (2) representations to consumers or to third parties; (3) reviews by users or third parties; and (4) the age of users on similar websites or services. The inclusion of third-party reviews and comparative data may increase the uncertainty about what properties are child-directed by incorporating information outside of operators' control. However, FTC commentary on the Final Rule notes that the addition of these examples is not "intended to impose a burdensome requirement that operators identify and continuously monitor all such information."
Requirements for "Separate" Consent
The Final Rule amends COPPA's existing parental consent requirements to add that operators must obtain a "separate" consent for the disclosure of personal information to third parties, unless the disclosure is "integral" to the nature of the online service. The Final Rule does not specify how and when operators should seek separate parental consent. However, commentary indicates that the Commission intends to provide operators "sufficient flexibility" to integrate the requirement "in a way that enhances parents' ability to make deliberate and meaningful choices."
More Options for Verifiable Parental Consent
The Final Rule adds three new methods for operators to obtain verifiable parental consent (VPC) and revises one of the COPPA Rule's existing VPC methods:
- Text Message Mechanism: The Final Rule adopts a new "text plus" method of obtaining VPC, which is similar to the existing "email plus" method. Like "email plus," the new "text plus" method may be used to obtain consent only when personal information under COPPA will not be "disclosed."
- Knowledge-Based Authentication: The Final Rule allows operators to employ a "knowledge-based authentication" VPC method where a parent may verify their identity using "dynamic, multiple-choice questions" that are difficult to correctly guess and reasonably challenging for children aged 12 or younger to answer.
- Facial Recognition: The Final Rule allows operators to deploy facial recognition technology and human review to match the image of the parent's face, taken with a phone camera or webcam, with a verified government-issued photo identification. Operators must then "promptly" delete the identification and images after confirming the match.
- Payment Transaction: The Final Rule revises the existing "payment transaction method" of obtaining VPC by removing the requirement that the transaction be "monetary." With this change, operators may use a qualifying online payment to obtain VPC without entering (and subsequently refunding) a monetary charge.
New Requirements to Provide Notice of Internal Uses and Recipients of Children's Data
The Final Rule imposes on operators two significant new notice requirements. First, operators that rely on the "support for internal operations" exception to obtaining VPC must disclose the "specific" internal operations for which the operator uses persistent identifiers, as well as how the operator ensures identifiers are not used or disclosed to contact a specific individual for impermissible purposes. FTC commentary states that these descriptions may be "general" and explains that this notice obligation will "enhance the Commission's ability to monitor operators' use" of the support for internal operations exception.
Second, operators must identify third-party recipients of children's data, both in the operator's online notice and in the direct notice provided to parents when obtaining consent, although the level of specificity required varies by type of notice. Both types of notices must also describe the purposes for disclosures of children's data. In his concurring statement, now-Chair Ferguson supported this requirement but expressed concern that the Final Rule could require operators to seek parental consent for every addition or change of a third-party service provider.
New Information Security Program and Data Retention Requirements
The Final Rule adds a requirement for operators to establish, implement, and maintain a "written information security program" for personal information subject to COPPA. To satisfy this requirement, operators must (1) designate at least one employee as coordinator of the program; (2) perform an annual risk assessment of the "confidentiality, security, and integrity" of personal information collected from children and the safeguards in place; (3) design, implement, and maintain safeguards to control identified risks; (4) test and monitor the effectiveness of the safeguards; and (5) annually evaluate and modify the program to address identified risks. These requirements are broadly consistent with other FTC guidance on data security. In commentary, the FTC clarifies that such a program does not have to be specific to children's data.
The Final Rule also requires operators to establish and publish online a "written data retention policy" that discloses (1) the purposes of collecting personal information from children; (2) the business need for retention of that information; and (3) a deletion time frame for that information. The Final Rule reconfirms that personal information subject to COPPA "may not be retained indefinitely."
II. Implications of Certain Tabled Proposals
Operators should also note what the FTC did not change in the Final Rule. As explained below, proposals in the 2024 NPRM related to educational technology (EdTech) were not implemented in the Final Rule. Additionally, although the press release accompanying the Final Rule characterizes the Final Rule as limiting monetization of children's data, the Final Rule may have limited practical impact, as the COPPA Rule already prohibited targeted advertising without parental consent.
EdTech Requirements Not Formalized in the Final Rule
In the 2024 NPRM, the FTC proposed to codify its preexisting guidance related to EdTech, including by explicitly authorizing covered EdTech providers to obtain parental consent from schools to collect personal information from students for educational purposes. In the Final Rule, however, the FTC reversed course by declining to finalize its EdTech proposals, expressing concern that amending the COPPA Rule could conflict with potential changes to the U.S. Department of Education's Family Educational Rights and Privacy Act (FERPA) regulations. EdTech providers should operate under the FTC's preexisting guidance, which the FTC stated it will continue to rely on in its COPPA enforcement.
Various Proposals Affecting Advertising Not Included in the Final Rule
The Final Rule underscores the FTC's continued focus on uses of children's data for advertising purposes. As noted above, the Final Rule requires "separate" parental consent for disclosures of personal information that are not "integral" to the nature of the online service, such as for targeted advertising. Although this "separate" consent requirement could make it more difficult to obtain verifiable parental consent for targeted advertising, the practical impact may be muted because of the COPPA Rule's preexisting requirement to obtain VPC for targeted advertising.
In addition, the FTC declined to implement a number of 2024 NPRM proposals that would have further restricted advertising use cases under COPPA, including potential limits on contextual advertising and personalization. As a result, operators may continue to rely on the support for internal operations exception to collect persistent identifiers for contextual advertising and certain personalization purposes, consistent with the COPPA Rule's existing requirements.
About Venable
Venable's Privacy and Data Security Practice Group has extensive experience counseling clients on obligations under COPPA. Please feel free to reach out to us if you would like to learn more about the implications of the FTC's changes to the COPPA Rule, the applicability to your organization, or what you can do to assess your compliance posture with respect to new and existing obligations.