Overview
On April 22, 2025, the Federal Trade Commission’s (FTC) changes to the Children’s Online Privacy Protection Rule (COPPA Rule) were published in the Federal Register. The updates will go into effect on June 23, 2025, and businesses will have until April 22, 2026, to comply. Until then, businesses will need to implement new consent management and data retention practices.
The Children’s Online Privacy Protection Act (COPPA) is a 26-year-old law that aims to protect the personal information collected from children online. The FTC’s updates to the COPPA Rule were six years in the making. Among other updates, the most critical changes aim to increase transparency obligations related to data collection and use, place strong limits on sharing data with third parties for advertising purposes, and enhance data security and retention requirements.
In Depth
UPDATES TO TRANSPARENCY REQUIREMENTS
The COPPA Rule amendments update the notice requirements to significantly enhance the transparency of operators’ collection, use, and sharing of children’s data. For example:
- The direct notice to the parent must now include the identities or specific categories of third-party recipients of children’s personal information and the purposes for such disclosures.
- If an operator collects persistent identifiers under the “internal operations” exception, it must explain the purposes for that collection and how it prevents those identifiers from being used for unapproved purposes.
NEW LIMITS ON DATA SHARING
The COPPA Rule amendments require operators to obtain separate and additional verifiable parental consent prior to disclosing a child’s personal information to third parties like advertisers and data brokers. These updates will significantly impact an operator’s ability to use children’s personal information to serve and tailor digital advertisements using third-party cookies and similar technologies. The FTC did not prescribe rigid requirements for obtaining this separate consent. Rather, the FTC stated in its rulemaking that it wanted to provide sufficient flexibility to enable operators to integrate the separate consent requirement in a way that enhances parents’ ability to make deliberate and meaningful choices about their children’s data.
ENHANCED SECURITY AND RETENTION REQUIREMENTS
The COPPA Rule amendments expand operators’ responsibility to protect the confidentiality, security, and integrity of children’s personal information. Operators must now implement a formal written information security program that includes, at a minimum, annual risk assessments and risk management procedures, regular testing and monitoring, vendor due diligence procedures, and annual evaluations and modifications that take into account new or more efficient technical or operational methods to control risks, among other things. Operators must designate one or more employees to coordinate the program.
Operators must also establish and implement a written data retention policy that sets forth the purposes for which children’s personal information is collected, the business need for retaining it, and the timeframe for deletion. This data retention policy must be provided in the operator’s online privacy notice.
CONCLUSION
The COPPA Rule takes effect on June 23, 2025, and companies must comply by April 22, 2026. Updating consent mechanisms and implementing the data governance and security requirements will take time.
If you have questions about the COPPA Rule or how your business may be affected, please contact your regular McDermott lawyer or the authors of this article.
