
Big Changes for Small Users: FTC Finalizes COPPA Rule Update

On April 21, 2025, the Federal Trade Commission (FTC) finalized a significant and long-awaited update to the Children’s Online Privacy Protection Act (COPPA) Rule—the law’s first update since 2013. The revised Rule introduces stricter requirements around verifiable parental consent, third-party sharing, disclosures, security, and safe harbor program oversight.

Companies (i.e., “operators”) that maintain websites or online services directed to children under 13 or knowingly collect personal data from children should prepare now to meet the new obligations by the June 23, 2025 effective date. 

Below is a breakdown of the biggest changes: 

1. Separate Consent for Non-Integral Third Parties

Under the updated Rule, operators must now obtain verifiable parental consent before disclosing a child’s personal data to non-integral third parties (defined below), in addition to and separate from the baseline parental consent already required to collect, use, and disclose the child’s personal data generally. Sharing with integral third parties does not require additional separate consent, only baseline consent. 

The term “integral” here means integral to the operator’s product or service. For example, the FTC considers any information sharing necessary to provide the consumer-requested product or service to be integral, and thus such disclosure would not require separate additional consent (only baseline consent). However, sharing information with third parties for monetization, advertising, analytics, AI training, or profiling purposes is not considered integral, and thus such disclosures would require separate parental consent in addition to baseline parental consent. 

2. Enhanced Disclosure Requirements

The updated Rule also strengthens transparency obligations in an operator’s Privacy Notice and its direct parental notices. In particular, an operator’s direct parental notices must now include the identities or specific categories of third parties to whom child personal data is disclosed, the purpose of such disclosure, and the parent’s option to provide baseline consent without additional consent for non-integral third parties. Likewise, the operator’s Privacy Notice must now include the identities and specific categories of receiving third parties, the purpose of disclosure, and the operator’s written retention policy (see below).

Commentators have expressed concern over the requirement to include identities of all receiving third parties in the Privacy Notice, and how it may interact with the operator’s obligation to notify users of material updates to the Privacy Notice. They claim these two obligations in tandem may unintentionally result in excessive update notices to users each time the operator changes vendors or business partners.

3. Written Information Security Program

The updated COPPA Rule replaces the prior general security obligation to implement “reasonable” measures with a more prescriptive security framework. In particular, operators must now adopt a written information security program that includes annual assessments of security risks, technical and organizational safeguards to address such risks, and ongoing monitoring and testing of such safeguards. These new security standards closely track the FTC’s Safeguards Rule for financial institutions and signal a broader shift toward codifying baseline cybersecurity expectations across industries. Operators that have an existing written information security program do not need to create a separate one for COPPA, but must ensure all required elements are incorporated.

4. Tightened Data Retention  

The COPPA Rule’s update also tightened its retention standard, which was previously simply that operators could retain child data “as long as is reasonably necessary to fulfill the purpose for which the information was collected.” The new Rule retains this language, but adds that child data may not be retained “indefinitely.” 

Commentators have expressed concern over the new prohibition against indefinite retention, claiming that the original language was sufficient to address the FTC’s concerns and that the new language may result in required deletion of user data after a certain period, against the user’s wishes. We recommend that operators with such concerns mitigate harm by providing clear and timely notice to users that their child data may be deleted on a certain date and requesting continued permission to store the data for an additional discrete period.

5. Increased Oversight of Safe Harbor Programs

Lastly, the original COPPA Rule provides for safe harbor programs, which are FTC-approved industry groups that establish self-regulating guidelines for their members to follow and satisfy COPPA compliance. Under the COPPA Rule update, such safe harbor programs will be subject to expanded transparency obligations and oversight. For example, they will be required to conduct more robust compliance monitoring and auditing of their members. They must also publish their full list of members.

Action Items for Companies

With June 23 quickly approaching, companies that operate child-directed or mixed-use websites should take several preparatory actions: 

  • First, operators should review their existing data flows and map out how child personal data is collected, used, stored, retained, and disclosed to third parties. 
  • Second, for each third party to whom child personal data is disclosed, the operator should classify the third party as either integral or non-integral, and if necessary, develop an additional parental consent mechanism for non-integral third-party disclosures. 
  • Third, operators should review the content of their Privacy Notice and direct parental notices, and ensure that each contains the appropriate information under the updated Rule. 
  • Fourth, operators that have an existing written information security policy should review it to ensure it aligns with the security requirements under the new Rule, and those without a written policy should work with their security and legal teams to draft one. 
  • Finally, operators should review their personal data retention and deletion practices to ensure timely and secure deletion of child information (and if appropriate, notice to users whose data may be unexpectedly deleted).

The revised COPPA Rule marks a clear evolution in the FTC’s approach to child data privacy—shifting toward more granular consent, structured security controls, and greater transparency. For companies in sectors like advertising, gaming, streaming, and edtech, the operational impact may be significant. Now is the time to assess compliance gaps and make the necessary adjustments.
