A PYMNTS Company

FTC Set to Enforce Sweeping COPPA Updates Expanding Compliance Burdens

April 14, 2026

The Federal Trade Commission will begin enforcing significant amendments to regulations under the Children’s Online Privacy Protection Act (COPPA) on April 22, marking the most consequential update to the children’s data privacy framework in more than a decade. The changes, finalized in 2025, materially expand the scope of regulated data, impose new consent and disclosure requirements, and formalize data governance obligations for covered operators.

    Enacted in 1998, COPPA governs the collection, use, and disclosure of personal information from children under 13 by operators of websites and online services. The FTC first implemented the COPPA Rule in 2000, with a major update in 2013 to address mobile ecosystems and social media.

    The law requires covered operators to provide clear notice of data practices, obtain verifiable parental consent prior to collecting or sharing children’s data, and afford parents rights to access and delete such data. Violations are treated as unfair or deceptive practices under the FTC Act and can trigger civil penalties exceeding $50,000 per violation.

    According to a client alert from the Privacy, Security and AI Practice attorneys with the Taft law firm, a central feature of the amendments is the broadened definition of “personal information.” The updated rule explicitly includes biometric identifiers, such as facial recognition data, voiceprints, and fingerprints, as well as government-issued identifiers like passport numbers and state IDs. This change reflects the FTC’s effort to align COPPA with evolving data collection practices, particularly in AI-driven and identity-based technologies.

    The amendments significantly expand both direct parental notices and publicly posted privacy disclosures. Operators must now identify the specific third parties, or categories of third parties, to whom children’s data is disclosed, along with the purposes for such disclosures. Notices must also address parental choices regarding data sharing.

    Website privacy notices must further disclose data retention policies and provide transparency into the use of persistent identifiers and audio data, including voice recordings. These changes are designed to provide parents with more granular insight into downstream data flows and lifecycle management.

    The rule also introduces a new opt-in requirement for targeted advertising. Operators must now obtain verifiable parental consent before sharing children’s personal information with third parties for behavioral advertising purposes.

    The FTC has also approved a new “text plus” method for obtaining parental consent, allowing operators to use text messaging combined with supplementary verification steps—such as follow-up confirmations—to authenticate parental identity without exposing children’s data.

    For the first time, the COPPA Rule explicitly prohibits indefinite retention of children’s data. Operators must implement and maintain a written data retention policy tailored to children’s information and disclose that policy in their public notices.

    The amendments also mandate that operators implement comprehensive information security programs, including documented safeguards and controls. This effectively aligns COPPA compliance with broader data security frameworks increasingly expected by regulators.

    Finally, the amendments introduce a “mixed audience” category, allowing certain services that do not primarily target children to avoid full COPPA obligations provided they implement age-screening mechanisms and treat users as children only when identified as under 13. This creates a more nuanced compliance pathway for platforms with more general user bases.

    For in-house counsel and compliance officers, the amendments signal a shift toward more prescriptive and operationalized privacy requirements. Taft recommends organizations prioritize:

    • Data mapping to identify newly covered data types, particularly biometric identifiers
    • Updates to privacy notices and parental disclosures
    • Implementation of targeted advertising consent controls
    • Development of documented data retention and security programs
    • Evaluation of eligibility for the mixed audience exemption

    With enforcement imminent, companies operating digital services, especially those incorporating AI, identity verification or advertising technologies, face heightened regulatory exposure if compliance gaps persist.