On January 16, 2025, the Federal Trade Commission (FTC) announced the finalized amendments (Final Rule) to the Children’s Online Privacy Protection Rule (COPPA Rule), which regulates operators of websites and online services that collect personal information from children under the age of 13.
The Final Rule’s announcement came approximately a year after the FTC's notice of proposed rulemaking (NPRM) and is presumed to have marked the conclusion of the FTC’s latest review of the COPPA Rule that began in 2019. But the fate of the Final Rule is now unclear after the Trump Administration issued a regulatory freeze on January 20 to halt all agency rulemaking activities, including any publication of new regulations in the Federal Register. Pursuant to the regulatory freeze, newly appointed FTC Chair Andrew Ferguson must review and approve the Final Rule before it can be published in the Federal Register. If approved by Ferguson, the Final Rule will become effective 60 days following its publication in the Federal Register. Once the Final Rule takes effect, operators will have one year to comply with its new requirements. The new requirements for organizations offering safe harbor programs will have earlier compliance deadlines for the applicable amendments.
We discuss the Final Rule’s impact on operators subject to the COPPA Rule (if it is published as announced), highlight the Final Rule’s material deviations from the NPRM, and explore potential issues that Ferguson may raise in his review of the Final Rule.
Separate Verifiable Parental Consent for Disclosures of Personal Information
Consistent with the NPRM’s proposal, the Final Rule requires an operator to obtain separate verifiable parental consent (VPC) before disclosing personal information collected from children. The current COPPA Rule requires an operator to “give the parent the option to consent to the collection and use of the child’s information without consenting to disclosure of his or her personal information to third parties.” The Final Rule strengthens this requirement by clarifying that VPC for the disclosure of personal information collected from children, including for targeted advertising, must be distinct and separate from VPC for the collection and use of that personal information unless the disclosure is “integral” to the operator’s website or online service.
The Final Rule does not define “integral,” and the FTC commented that whether a disclosure is integral to a website or online service would involve a fact-specific inquiry to evaluate the types of services that an operator offers through its website or online service. For instance, the NPRM explained that a disclosure could be integral “if the website or online service is an online messaging forum through which children necessarily have to disclose their personal information … to other users on that forum.” Therefore, an operator will need to assess whether their disclosures of personal information collected from children are integral to their website or online service and establish a separate process for obtaining VPC for disclosures, if needed.
The Final Rule notably rejects the NPRM's proposal to explicitly prohibit operators from conditioning a child’s access to their website or online service on the parent’s provision of VPC for disclosures. The FTC clarified that this rejection is not substantive because the COPPA Rule has always prohibited such conditioning since its adoption in 2000. The FTC explained that including the NPRM’s explicit language would be redundant and could potentially cause interpretative confusion.
Additional Disclosures for the “Support for the Internal Operations” Exception
The Final Rule introduces a new requirement for operators using the “support for the internal operations” exception to the VPC requirement. Under the current COPPA Rule, operators do not need to obtain VPC, provide direct parental notice, or post an online notice if they collect only persistent identifiers from children and use them solely to support the internal operations of their website or online service. But the Final Rule, adopting the NPRM’s proposal, mandates that operators using this exception post an online notice that specifies the internal operations for which they collect persistent identifiers from children and explains how they ensure the identifiers are used exclusively for those internal operations.
Many commentators objected to this new disclosure requirement, arguing that it could result in operators having to “reveal confidential information, security measures, proprietary information, and trade secrets.” Responding to these concerns, the FTC clarified that high-level disclosures are sufficient to meet this requirement. For example, an operator may disclose relevant internal operations “in general, categorical terms” and provide a “general statement” about relevant measures, such as policies and procedures for “training, data segregation, and data access and storage.”
Written Information Security Program
The Final Rule expands operators’ general obligation under the current COPPA Rule to maintain reasonable security procedures to protect personal information collected from children. The Final Rule’s security requirement closely tracks the FTC’s Safeguards Rule under the Gramm–Leach–Bliley Act by requiring operators to:
- Establish, implement, and maintain a written information security program that applies to personal information collected from children.
- Designate one or more employees to coordinate the program.
- Regularly (and at least annually) conduct risk assessments to identify internal and external risks to the confidentiality, security, and integrity of personal information collected from children and assess the sufficiency of safeguards in place to control the risks.
- Design, implement, and maintain safeguards to control risks the operator identifies through risk assessments.
- Regularly test and monitor the effectiveness of the operator’s safeguards.
- Regularly (and at least annually) evaluate and modify the program to reflect identified risks, results of required testing and monitoring, new or more efficient safeguards, and any other circumstances that the operator knows or has reason to know may have a material impact on the program.
The requirement under the Final Rule is substantively identical to the NPRM’s proposal. But the FTC clarified that the Final Rule does not require operators to create a standalone information security program specific to children’s personal information. Instead, operators may leverage their existing written information security program so long as the program covers personal information they collect from children and otherwise satisfies the Final Rule’s standards.
Additionally, the Final Rule incorporates the NPRM’s proposal requiring operators to conduct reasonable due diligence on other operators, service providers, and third parties that collect personal information from children on their behalf or receive such information from them. Operators must also obtain written assurances from these entities, confirming they will implement reasonable security measures to protect children’s personal information.
Written Data Retention Policy
The Final Rule bolsters the current COPPA Rule’s data retention obligation by requiring operators to establish, implement, maintain, and publish a written data retention policy that specifies:
- The purposes for which the operator collects personal information from children.
- The business needs for retaining personal information the operator collects from children.
- The timeframe for deleting personal information the operator collects from children.
The FTC also explained that the Final Rule’s minor deviation from the NPRM is intended to clarify that, similar to the written information security program requirement, operators need not prepare a standalone data retention policy specific to children’s personal information. Therefore, operators may satisfy this requirement by maintaining a general data retention policy that also applies to children’s personal information so long as it contains all the information necessary under the Final Rule. The Final Rule also adopts the NPRM’s proposal to expressly prohibit operators from indefinitely retaining children’s personal information.
Other Notable Changes
Expansion of “personal information”
The Final Rule expands the definition of “personal information” by adopting the NPRM’s addition of “biometric identifier that can be used for the automated or semi-automated recognition of an individual” into the nonexhaustive list of personal information. The Final Rule also clarifies that personal information includes all government-issued identifiers, including state identification card, birth certificate, and passport numbers, in addition to Social Security numbers, which the current COPPA Rule specifies.
Additional content requirements for direct and online notices
The Final Rule requires operators to specify (1) the identities and specific categories of third parties to whom they disclose personal information collected from children in the online notice; and (2) the identities or specific categories of those third parties in the direct parental notice. The direct parental notice must also explain that parents may consent to the collection and use of personal information without consenting to the disclosure of information unless the disclosure is integral to the relevant website or online service.
Additional VPC methods
The Final Rule introduces a new “text plus” VPC method, which was not in the NPRM. Similar to the current COPPA Rule’s “email plus” method, the “text plus” method allows operators to collect, but not disclose to third parties, personal information from a child by sending a text message to the parent and taking additional steps to verify the parent’s relationship with the child. The additional steps can include sending a confirmatory text message after receiving VPC. In addition, consistent with the NPRM’s proposal, the Final Rule codifies "knowledge-based authentication" and "face match to verified photo identification," which the FTC previously approved as reasonable methods to obtain VPC in compliance with the COPPA Rule.
Safe harbor
The Final Rule endorses the NPRM’s proposal to enhance oversight of Children’s Online Privacy Protection Act safe harbor programs. These programs must (1) include supplemental disclosures in their annual reports to the FTC; (2) publicly post and update a list of participating operators at least every six months; and (3) submit a report to the FTC every three years detailing their technical capabilities and mechanisms for assessing operators’ eligibility for membership.
Notable Deviations from the NPRM
Processes that encourage or prompt use of a website or online service
The NPRM proposed to ban operators that collect persistent identifiers under the “support for the internal operations” exception from using persistent identifiers “in connection with processes that encourage or prompt use of a website or online service.” The intent of this prohibition was to restrict operators from using persistent identifiers to “optimize user attention or maximize user engagement with the website or online service” without having to obtain VPC, because such user engagement could result in harm to children.
Responding to many commentators who argued that this prohibition is vague and overbroad, the FTC conceded that the NPRM’s language could inadvertently constrain “beneficial prompts and notifications” such as important reminders and removed it from the Final Rule. The FTC maintains its warning to operators that certain techniques to maximize children’s engagement with online services may harm children and could constitute an unfair or deceptive trade practice subject to Section 5 of the FTC Act, even when not specifically prohibited by the COPPA Rule.
Education technology
The Final Rule does not adopt the NPRM’s proposal to codify the FTC's Policy Statement on Education Technology and the Children’s Online Privacy Protection Act into the COPPA Rule. The NPRM would have allowed schools and school districts to provide authorization for operators of education technology services to collect, use, and disclose students’ personal information without obtaining individual VPC if the operators collect, use, and disclose that information solely for a “school-authorized education purpose” and implement certain specific safeguards.
But the FTC did not adopt these modifications relating to educational technology, noting that the U.S. Department of Education recently affirmed its intention to propose amendments to the Family Education and Privacy Act regulations (FERPA Rule) to, among other things, clarify provisions governing disclosures of students’ personal information from education records to third parties. To avoid creating a potential conflict between the Final Rule and the updated FERPA Rule, the FTC decided against making education technology-related modifications to the COPPA Rule at this time.
Regulation Freeze
As an FTC commissioner before the Trump Administration took office, Ferguson voted in favor of the Final Rule. But the Final Rule’s publication may experience delays given that Ferguson pointed out the Final Rule’s “three major problems” in his concurring statement: (1) the lack of clarity on whether operators must obtain refreshed VPC anytime they add to or modify a list of third parties to whom they disclose children’s personal information; (2) the risk of inadvertent hostile outcomes caused by the prohibition against an indefinite retention of children’s personal information; and (3) the failure to clarify that the COPPA Rule does not prohibit the use of children’s personal information solely for age verification purposes. Nonetheless, even though Ferguson expressed concerns on parts of the Final Rule, he recognized the amendments as “the culmination of a bipartisan effort” to update “the old COPPA Rule,” contributing to the FTC’s 5–0 vote to approve the Final Rule. Accordingly, operators should continue to monitor developments related to the Final Rule.
Takeaways
Children’s privacy remains a bipartisan focus of the FTC
The Final Rule highlights the FTC’s bipartisan focus on children’s privacy. Despite the uncertainties that the Administration change may bring in the privacy regulatory landscape, operators should take note that protecting children’s privacy is a key policy objective supported by both sides of the aisle.
The FTC is increasingly expecting businesses to be able to demonstrate their COPPA compliance
The Final Rule signals the FTC’s expectation for businesses to be able to demonstrate that they process children’s personal information in a COPPA-compliant manner. Under the Final Rule, operators must establish written policies and procedures that describe how they retain and protect children’s personal information; they must also publicly describe certain protective measures they take to safeguard children’s personal information. Operators should thus closely evaluate their existing policies and procedures and update them as necessary to ensure their compliance with the Final Rule.
The COPPA Rule is the floor, not the ceiling, for children’s privacy
As the FTC clarified in its comments to the Final Rule, operators can expect the FTC to bring enforcement actions against operators that process children’s personal information in a way that could harm children under its Section 5 authority, regardless of the fate of the Final Rule or whether the COPPA Rule expressly prohibits those processing activities. Therefore, operators must proactively evaluate whether their processing of children’s personal information could pose a risk of harm to children, and if so, implement appropriate safeguards to mitigate that risk.