The League – Fostering Financial Wellbeing for All

New COPPA Rule to take effect on June 23, 2025

News Compliance Courier

NEWS: The Federal Trade Commission (FTC) recently published updates to the Children’s Online Privacy Protection Rule (COPPA Rule), which will take effect on June 23, 2025, but companies have until April 22, 2026 to fully comply. The rule imposes new obligations on website operators regarding the collection, use, and disclosure of personal information from children under 13.

Background

The FTC adopted the COPPA Rule back in 2000.  The rule was last updated in 2013. COPPA applies only to online services that are directed to children under 13 or that collect, use, or share personal information of a user with actual knowledge that a particular user is under 13.

The rule requires websites and apps that have actual knowledge that they collect personal information from children under 13 to provide direct notice to parents of their information practices and obtain verifiable parental consent before collecting, using, or disclosing such information from children, among other things. COPPA’s primary goal is to give parents control over their children’s personal information and how that information is collected and processed.

COPPA and its implementing rules at 16 C.F.R. 312 generally apply to financial institutions and others that operate commercial websites or provide online services (or portions thereof) directed to, or knowingly collect personal information from, children under the age of 13.

Key Amendments

According to the FTC, these amendments “will update and clarify the COPPA Rule, consistent with the requirements of the Children’s Online Privacy Protection Act (“COPPA” or “COPPA statute”), 15 U.S.C. 6501 et seq., to protect children’s personal information and give parents control over their children’s personal information.”

  • Separate verifiable parental consent required for third-party advertising. Operators of websites must now obtain an additional layer of consent before disclosing children’s personal information to third parties for the purpose of targeted advertising. Businesses subject to the COPPA Rule should assess relationships with vendors and service providers to ensure contractual terms align with these new restrictions. If a business discloses personal information (including persistent identifiers) collected from children for targeted advertising, it must ensure the two-step consent process is in place before engaging in such disclosures. 
  • Additional content requirement for direct notice to parents. The “direct notice” that companies must send to parents before collecting personal information from children must now include how the collected personal information will be used, and if applicable, which third parties will receive such information.  
  • Written information security program and retention requirements. Website operators must now “establish, implement, and maintain a written comprehensive security program that contains safeguards that are appropriate to the sensitivity of children’s information and to the operator’s size, complexity, and nature and scope of activities.” This security requirement closely tracks the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act. In addition, operators must establish, implement, and maintain a written data retention policy. This requirement can be met through a general data retention policy that also applies to children’s personal information. Operators are explicitly prohibited from retaining personal information indefinitely and must instead keep it only for as long as reasonably necessary to fulfill a specific purpose for which it was collected.
  • Three new methods available for verifying parental identity. In addition to previously approved methods for verifying parental identity, like telephone or video calling, written consent forms and credit card verification, operators may also use:
      • Knowledge-based multiple-choice questions that are of sufficient difficulty that a child “could not reasonably ascertain the answers,”
      • Facial recognition technology that uses an authorized “government-issued photographic identification,” or
      • The “text plus” method, whereby the operator sends a text message to the parent followed by an additional step to ensure the recipient is in fact the parent (e.g., a confirmatory text message, letter or telephone call).
  • Online privacy notice. Companies must also post clear, prominent links to online notices of their information practices regarding children. The amendments expand what must be included in the online notices to include:
      • The identities and categories of any third parties to which the operator discloses personal information and the purpose for such disclosure;
      • The specific internal operations for which the operator uses persistent identifiers, and the policies or practices the operator has in place to avoid using persistent identifiers for unauthorized purposes;
      • When an operator collects an audio file of a child’s voice pursuant to the audio file exception, a description of how the operator uses the audio files, and that such files are deleted immediately after responding to the request for which they were collected; and
      • The operator’s data retention policies for personal information collected from children.

Updates to Defined Terms

  • Mixed audience website or online service is defined as one that is directed to children but does not target children as its primary audience, and that does not collect personal information from any visitor other than to assess whether a visitor is a child. Unlike other child-directed websites and online services, mixed audience websites and online services are permitted to collect information from visitors in a neutral manner in order to determine whether a visitor is a child. Once a mixed audience website or online service determines that a visitor is 13 or over, it may collect personal information from the visitor without obtaining verifiable parental consent. The mixed audience website or online service may not deny access to visitors who are under 13, but may require verifiable parental consent or offer an experience that does not collect their personal information.
  • Online Contact Information now includes mobile telephone numbers, provided the operator uses them only to send text messages to a parent in connection with obtaining parental consent.
  • Personal Information now includes (1) biometric identifiers, defined as an “identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints”; and (2) government-issued identifiers beyond social security numbers, including state ID cards, birth certificates, and passport numbers.

The FTC continues to focus on the privacy and safety of children and teens online. Credit unions should take steps to assess whether COPPA will apply to their websites or online services and ensure compliance by reviewing and updating their data collection, retention, and security policies.

The League will update its Children’s Online Privacy Protection Act ii Release No. 0156 to reflect these recent amendments.