On April 22, 2025, the Federal Trade Commission (“FTC”) formally adopted updates to regulations related to the Children’s Online Privacy Protection Act (“COPPA”). The FTC has regulatory authority over matters impacted by COPPA. The new regulations will take effect in June 2025, and relevant covered businesses will have to fully comply with the new regulations by June 2026. Here is a quick summary of the changes.

Changes to definitions

The new regulations modify a number of definitions. For example, the definition of a child’s “personal information” now includes “government-issued identifiers” such as Social Security numbers, state identification cards, birth certificates, and passport numbers. The definition was also expanded to include certain biometric information. Other examples include:

• The definition of evidence used to determine whether a website is “directed to children” was modified to add evidence involving marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services
• Change to the definition of a “mixed audience” website or online service — changes are similar to the above
• “Online contact information” now includes mobile telephone numbers
• The phrase “support for the internal operations of the website or online service” was amended to clarify that information collected for the enumerated activities in the definition may be used or disclosed to carry out those activities

Mandates for covered businesses

The key changes to the new regulations involve a few modified obligations imposed on covered businesses. Some changes may not require any additional effort on the part of a covered business. For example, the new regulations heighten the data security requirements and mandate a separate policy be drafted aimed specifically at safeguarding the personal information collected from minors that is “appropriate to the sensitivity” of that data. However, many online businesses may already have data security that is sufficient for the new regulations.

In addition, websites and online services are now required to modify their disclosures and obtain two sets of consents from parents: one for the general collection of data about their children and one for the disclosure of their child’s data to third parties. The new regulations make it clear that a separate disclosure and consent are needed if the online service is being paid to share data, if the data is shared for advertising, or is shared as part of the development or training of an AI module or program.

Further, the notices themselves must now be more complete. The regulations term the new notices as “direct notices.” Among other things, businesses must now disclose:

• How the business intends to use the personal data of the child or children in question — this is generally the “business purpose” disclosure
• If the business shares the data
• If so, the specific identity of those with whom the data is shared or the categories of third parties with which the data is shared
• The reasons why the data is disclosed to said entities or categories of entities

The new regulations also mandate tougher methods of obtaining verifiable consent from parents. Examples provided included using multiple-choice questions and including questions that only adults would be able to answer as part of the verification process.

Further, the new regulations mandate that covered businesses may only retain personal data for “as long as is reasonably necessary” for the purpose for which the data was collected. The new regulations also make it clear that such data may not be retained indefinitely. Businesses are also required to create and promulgate a written data retention policy (to the extent that already-existing written policies are not sufficient). The data retention policies must also be disclosed to parents as part of the other required disclosures.

Contact The COPPA Attorneys At Revision Legal

For more information, contact the experienced COPPA Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.