After years of consideration and public comment, the Federal Trade Commission (FTC) has officially updated its Children’s Online Privacy Protection Act (COPPA) rule, which will take effect on June 23, 2025. The update, finalized this week, aims to better protect children’s privacy online amid increasing concerns about the use of personal data by digital platforms, especially for advertising purposes. While privacy advocates have been pushing for tougher regulations for years, this new rule marks the first major shift in federal children’s privacy laws since COPPA’s inception in 2000.
The updated rule was published in the Federal Register, ensuring that the changes will be implemented as planned. This is especially significant as there had been some uncertainty regarding the future of these updates under the leadership of the new FTC Chairman, Andrew Ferguson.
His previous written critiques of the rule had led to speculation that the changes might be delayed or watered down. However, with the publication of the rule, those concerns have been alleviated.
A Step Forward in Children’s Online Privacy Protection
For over six years, privacy advocates and policymakers have been working on updating COPPA to address the growing concerns about children’s online activity and the collection of personal data by digital companies. The rule mandates that websites and apps targeting children under the age of 13 comply with strict guidelines regarding the collection and handling of personal information. The new version expands on these requirements, placing additional burdens on companies to protect children’s data.
The amended rule places a greater focus on ensuring that personal data is securely managed and limits how and with whom this data can be shared. This includes a mandatory annual risk assessment for operators of websites and apps aimed at children, as well as new restrictions on data retention and deletion. Companies will now be required to establish clear privacy practices and disclose to parents and users the types of personal data they collect, the parties they share it with, and the purpose of the data collection.
FTC Tougher Restrictions on Data Sharing
One of the most significant updates in the new rule is how personal data can be shared outside the platform where it was collected. Previously, data-sharing practices were largely left to the discretion of the company, but the new rule requires that websites and apps obtain separate, verifiable parental consent before sharing any data with third parties such as advertisers or data brokers. This added layer of consent is intended to ensure that parents have more control over how their child’s personal data is used.
The rule also mandates that companies disclose to parents the specific identities of third parties with whom they share data and the purposes for which the data is being used. This transparency is a critical part of the rule, as it will help parents make informed decisions about the apps and websites their children use.
Impact on Online Advertising and Third Parties
One of the core concerns driving the need for this update has been the growing role of online advertising in children’s lives. Many apps and websites collect extensive data on young users, which is then sold to advertisers or used to target personalized ads. Under the new rule, this practice will be more tightly regulated.
By slowing the flow of data to third parties, the new COPPA regulation aims to curb the overreach of digital advertising companies, particularly those that rely on collecting vast amounts of personal information to target users. Websites and apps will be forced to think carefully about the types of data they collect, how they store it, and with whom they share it. This will have a profound impact on the digital marketing landscape, especially for companies that rely heavily on child-focused content and advertising.
Challenges and Legislation History
While the FTC’s new rule is a significant step forward, it was not the only regulatory effort in recent years. In 2023, Congress attempted to pass a new version of COPPA, known as COPPA 2.0, which would have introduced even stricter measures. This bill would have required parents to actively consent to any data collection by websites or apps targeting children under 13, a provision not included in the FTC’s updated rule.
Despite receiving substantial support, the COPPA 2.0 bill was ultimately unsuccessful, as it was merged with another piece of legislation known as the Kids Online Safety Act (KOSA). The combined bill, the Kids Online Safety and Privacy Act (KOSPA), was passed by the Senate last year but failed to make it through the House of Representatives, leaving the future of children’s online privacy reform uncertain.
A Stricter, More Comprehensive Approach
The FTC’s decision to move forward with its own regulatory changes provides clarity for businesses and consumers alike. The final rule is far more comprehensive than its predecessor and addresses a broad range of concerns that were not fully anticipated when COPPA was first enacted. The rule now includes stricter guidelines on parental consent, data retention, and third-party sharing, making it more robust in protecting children’s privacy.
The new regulations are set to come into effect in June 2025, with companies given until April 2026 to comply fully. This timeline gives businesses time to adjust their practices and ensure that they are in line with the new standards. However, the FTC has made it clear that failure to comply with the new rule could result in significant penalties.
