Children’s Privacy Law “Matures” After Year-Long Review

In December 2023, the Federal Trade Commission (FTC) proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule to address the increasing use and monetization of children’s data online. The COPPA Rule, which implements the 1998 Act, requires certain website and online service operators to obtain parental consent before collecting, using, or disclosing personal data of children under the age of 13. The Act and the Rule also grant parents rights regarding their children’s data, including access, deletion, and use restriction rights.

On January 16, 2025, the FTC finalized these changes to the COPPA Rule, which had not previously been updated in over a decade. Notable changes to definitions and key provisions include:

1. Establishing a new, stand-alone definition for “mixed audience website or online service,” defined as “a website or online service that is directed to children but does not target children as its primary audience, and does not collect personal information from any visitor prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.” The new COPPA Rule clarifies how such mixed audience websites should neutrally incorporate age analysis into their websites’ operations.
2. Adding “mobile telephone number” to the definition of “online contact information.”
3. Expanding the definition of covered “Personal Information” to include biometric and government-issued identifiers.
4. Requiring separate, verifiable parental consent for the disclosure of children’s personal data to third parties for targeted advertising and other purposes.
5. Limiting the retention period of a child’s personal data to only the time necessary for the specific purpose for which the information was collected and requiring website operators to adopt a data retention policy.
6. Requiring FTC-approved COPPA Safe Harbor Programs to publicly disclose their membership lists.
7. Expanding the required assessments of members’ compliance with Safe Harbor program guidelines to include a comprehensive review of the member’s “information privacy and security policies, practices, and representations.”
8. Requiring further disclosures be made in online notices, such as the identities and specific categories of any third parties to which the operator discloses personal information.

The new COPPA Rule will become effective 60 days after it is posted in the Federal Register.

These changes to the COPPA Rule are only one piece in the changing landscape of children’s online privacy as states increasingly implement their own children’s privacy laws – which may introduce obligations beyond those required by COPPA.
For further information about COPPA, the COPPA Rule, or privacy laws in general, please contact John Landolfi, Chris Ingram, Chris LaRocco, Gretchen Rutz Leist, Nikkia Knudsen, or your Vorys attorney.