Unchanged for the last 12 years, this past April, the Federal Trade Commission (FTC) enacted multiple amendments to the Children’s Online Privacy Protection Act (COPPA). These amendments became effective on June 23rd, 2025, while regulated entities have until April 22nd, 2026, to comply with the changes (except for § 312.11(d)(1), (d)(4), and (g)).
The amendments to COPPA include a new definition, modified definitions, modifications to the operator’s obligations, changes to the parental consent requirements, and modifications to the FTC-approved COPPA Safe Harbor program. Following is a little more detail on these changes.
New Definition of “Mixed Audience Website” or “Online Service”
This new definition provides greater flexibility to operators by including additional language clarifying that operators of mixed audience websites and online services may collect personal information for the limited purposes set forth in § 312.5(c) prior to determining visitor age. This allows operators to have the same ability to utilize the exceptions to the verifiable parental consent requirement as operators of other child-directed websites and online services.
Modified Definition of “Personal Information” and “Online Contact Information”
Previously, COPPA defined “personal information” as individually identifiable information about an individual collected online, including, for example, a first and last name, an email address, or a Social Security number. Now, the definition has been updated to include biometric identifiers, such as fingerprints or handprints, retina and iris patterns, generic data, or data derived from voice data, gait data, or facial data.
The definition of “online contact information” was modified to also include “a mobile telephone number,” provided that the operator uses it only to send text messages to a parent in connection with obtaining parental consent.
Operator Obligations with Data Retention
The amendments now include a new requirement that operators disclose a data retention policy. In addition, Operators are required to update their direct and online notices with additional information about the operators’ information practices.
Parental Consent Requirements
Under the newly modified § 312.4(d)(3), operators are now required to disclose, in general, categorical terms on how the operator uses persistent identifiers for support of internal operations purposes. Operators must explain in their online notice what policies or practices are in place to avoid using persistent identifiers for unauthorized purposes, such as by providing a general statement about training, data segregation, and data access and storage.
The FTC also has added a new method for obtaining verifiable parental consent, similar to that of the “email plus” method outlined in § 312.5(b)(2)(vi) that is currently in force. This new method is known as the “text plus” method. It can only be utilized, coupled with additional steps, when an operator does not “disclose” (as defined in § 312.2) children’s personal information because both forms (text and email) of communication carry a higher risk of a child impersonating a parent than do other approved methods of obtaining verifiable parental consent. Such additional steps include sending a confirmatory text message to the parent following receipt of consent or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. However, if the “text plus” method is used, then the operator has to provide notice that the parent can revoke any consent given in response to the earlier text message.
Online Notice Requirement
In addition to the updated direct notice requirement for parental consent and data retention policy, operators must also include in their online notices additional information practices for transparency. This includes: 1) the contact information of all operators collecting or maintaining personal information, 2) a description of what information the operator collects from children, 3) specific internal operators for which the operator has collected a persistent identifier (if applicable) and the means used, 4) when audio files containing a child’s voice are used and how it is used, and finally 5) the ability for the parent to review or delete the child’s personal information and refuse to permit further collection.
Safe Harbor Program
The Safe Harbor Program allows operators to have greater flexibility in their ability to implement substantially the same or greater protections for children and to submit those guidelines for approval to the FTC for review. The new amendments for this program include not just the privacy aspect, but also the data security aspect, based on the size, complexity, nature, and scope of the activities. Furthermore, the Safe Harbor Program will be amended to oblige operators to publicly post on each of the approved safe harbor program’s websites and online services a list of all current subject operators and, for each such operator, list each certified website or online service.
Closing Thoughts
The FTC last updated COPPA more than a decade ago in 2013. The current updates are meant to combat and reflect the continued advancement of capable tools, as well as methods that may exploit or even harm children, by 1) providing greater clarity to parents through online and direct notices, 2) making it more difficult for children to accidentally or intentionally circumvent parental consent, and 3) shortening the leash on retaining children’s data, specifically with audio files. Organizations, especially those currently considered operators processing data of children, should take a hard look at their data collection, retention, and security policies to make sure they are compliant with these new rules.
The information you obtain at this site, or this blog is not, nor is it intended to be, legal advice. You should consult an attorney for advice regarding your individual situation. We invite you to contact us through the website, email, phone, or through LinkedIn. Contacting us does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established.