FTC Updates COPPA Regulations: What Businesses Must Know

by John DiGiacomo

Partner

Internet Law

On April 22, 2025, the Federal Trade Commission (“FTC”) formally adopted updates to regulations related to the Children’s Online Privacy Protection Act (“COPPA”). The FTC has regulatory authority over matters impacted by COPPA. The new regulations will take effect in June 2025, and relevant covered businesses will have to fully comply with the new regulations by June 2026. Here is a quick summary of the changes.

Changes to definitions

The new regulations modify a number of definitions. For example, the definition of a child’s “personal information” now includes “government-issued identifiers” such as Social Security numbers, state identification cards, birth certificates, and passport numbers. The definition was also expanded to include certain biometric information. Other examples include:

  • The definition of evidence used to determine whether a website is “directed to children” was modified to add evidence involving marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services
  • Change to the definition of a “mixed audience” website or online service — changes are similar to the above
  • “Online contact information” now includes mobile telephone numbers
  • The phrase “support for the internal operations of the website or online service” was amended to clarify that information collected for the enumerated activities in the definition may be used or disclosed to carry out those activities

Mandates for covered businesses

The key changes in the new regulations involve a few modified obligations imposed on covered businesses. Some changes may not require any additional effort on the part of a covered business. For example, the new regulations heighten the data security requirements and mandate that a separate policy be drafted, aimed specifically at safeguarding the personal information collected from minors, that is “appropriate to the sensitivity” of that data. However, many online businesses may already have data security that is sufficient for the new regulations.

In addition, websites and online services are now required to modify their disclosures and obtain two sets of consents from parents: one for the general collection of data about their children and one for the disclosure of their child’s data to third parties. The new regulations make it clear that a separate disclosure and consent are needed if the online service is being paid to share data, if the data is shared for advertising, or is shared as part of the development or training of an AI module or program.

Further, the notices themselves must now be more complete. The regulations term the new notices “direct notices.” Among other things, businesses must now disclose:

  • How the business intends to use the personal data of the child or children in question — this is generally the “business purpose” disclosure
  • If the business shares the data
  • If so, the specific identity of those with whom the data is shared or the categories of third parties with which the data is shared
  • The reasons why the data is disclosed to said entities or categories of entities

The new regulations also mandate tougher methods of obtaining verifiable consent from parents. Examples provided include using multiple-choice questions and asking questions that only adults would be able to answer as part of the verification process.

Further, the new regulations mandate that covered businesses may only retain personal data for “as long as is reasonably necessary” for the purpose for which the data was collected. The new regulations also make it clear that such data may not be retained indefinitely. Businesses are also required to create and promulgate a written data retention policy (to the extent that already-existing written policies are not sufficient). The data retention policies must also be disclosed to parents as part of the other required disclosures.

Contact The COPPA Attorneys At Revision Legal

For more information, contact the experienced COPPA Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Who Is a ‘Covered Entity’ Under COPPA and the New Regulations?

COPPA and the new FTC regulations apply to operators of websites or online services that are “directed to children under 13” or that have “actual knowledge” that they are collecting personal information from children under 13. The concept of “directed to children” has always been a fact-intensive inquiry, and the 2025 regulatory update expands the evidentiary factors the FTC considers:

  • Marketing or promotional materials or plans — if your marketing specifically targets children, this is strong evidence that the service is directed to children
  • Representations to consumers or third parties — statements in investor materials, press releases, or ad sales pitches about your audience composition can be used against you
  • Reviews by users or third parties — if consumer reviews or app store ratings consistently describe child users, the FTC may deem the service “directed to children”
  • Age composition of users on similar services or websites — the FTC now explicitly considers whether comparable platforms attract child users

Mixed-audience websites — those not primarily directed to children but with some child users — have additional compliance options under COPPA, including age-screening mechanisms. The new regulations modify the definition of a “mixed audience” website and clarify when operators of such sites must comply with COPPA’s verifiable parental consent requirements.

The New Two-Consent Framework

One of the most significant changes in the 2025 COPPA update is the requirement for two separate parental consents: one for the general collection and use of a child’s personal data, and a separate consent specifically for the disclosure of that data to third parties. This is a meaningful departure from prior practice, where a single consent could cover both collection and disclosure.

The practical implication is that covered businesses must redesign their consent flows. A parent who consents to the collection of their child’s data for the purpose of using an app has not thereby consented to that data being shared with advertisers, analytics providers, or other third parties. A separate, specific consent is required before any third-party disclosure can occur.

Heightened Data Security Requirements

The new regulations mandate a written information security program specifically tailored to the personal information collected from minors. The program must be “appropriate to the sensitivity” of the data — meaning that particularly sensitive categories of data (such as biometric information, precise geolocation, or government-issued identifiers) require a higher level of protection than general contact information.

While the FTC has not prescribed specific technical controls, covered businesses should evaluate their security practices against established frameworks such as NIST SP 800-53 or CIS Controls, and document their security program in writing. The existence of a documented, risk-based security program is a key factor the FTC considers in enforcement decisions.

Compliance Timeline and Consequences of Non-Compliance

The new COPPA regulations took effect in June 2025. Covered businesses have until June 2026 to achieve full compliance. The FTC can seek civil penalties of up to $51,744 per day per violation. High-profile COPPA enforcement actions have resulted in settlements of tens of millions of dollars — TikTok paid $5.7 million in 2019, and YouTube/Google paid $170 million in 2019 for COPPA violations.

Businesses that are uncertain about whether COPPA applies to their services, or that need to redesign consent flows and security programs to meet the new requirements, should consult with experienced internet law counsel as soon as possible.
