The FTC’s amendments to the Children’s Online Privacy Protection Act (COPPA) represented the most significant update to the rule since it was first enacted in 1998. By expanding the definition of personal information, closing loopholes exploited by third-party advertising networks, and imposing stronger data security and retention requirements, the amended rule substantially increased compliance obligations for operators of websites and online services that attract children under 13. Understanding what changed—and what it means for operators today—is essential for any business that markets to or collects information from children.
COPPA, 15 U.S.C. §§ 6501-6506, prohibits operators of websites and online services directed to children under 13 from collecting personal information from children without obtaining verifiable parental consent. The FTC’s implementing regulations specify what operators must disclose, how they must obtain parental consent, and what data security and retention obligations they must meet.
Violations of COPPA can result in civil penalties of up to $50,120 per violation per day. The FTC has brought numerous COPPA enforcement actions against major companies, including settlements with TikTok, Google, and YouTube for tens of millions of dollars.
The amended rule expanded the definition of personal information to include geolocation information, photographs, and videos. Prior to the amendment, personal information was defined primarily as name, address, email address, phone number, and Social Security number. The expansion to include persistent identifiers—including IP addresses and mobile device IDs—that can be used to track a child across websites and services over time was particularly significant for digital advertising and analytics.
Before the amendment, third-party advertising networks that collected personal information directly from children through plug-ins on child-directed sites were not clearly covered by COPPA. The amended rule extended coverage to third-party advertisers that knowingly collect personal information from children on covered websites, closing a loophole that had allowed extensive data collection without parental consent.
The amended rule added new methods by which operators can obtain verified parental consent, including electronic verification methods. The intent was to reduce friction in the consent process while maintaining meaningful verification.
Operators are now required to maintain policies limiting the retention of children’s personal information to only as long as is reasonably necessary for the purpose for which it was collected. Upon termination of the purpose, operators must securely delete the information. This requirement imposes affirmative data management obligations, not just consent requirements.
The amended rule strengthened data security requirements for the sharing of children’s personal information with service providers and third parties, requiring confidentiality and security protections in contracts with entities that receive children’s data.
COPPA applies to operators of websites and online services that are directed to children under 13 and to operators of general-audience websites that have actual knowledge they are collecting personal information from children. Determining whether a website is ‘directed to children’ requires examining:
In 2024, the FTC finalized additional updates to the COPPA rule, further expanding protections. The updated rule strengthened limits on conditioning access to services on children disclosing more personal information than necessary, added requirements around targeted advertising to children, and enhanced school-related service provisions.
If your website or online service collects information from or is directed to children under 13, COPPA compliance is not optional. The FTC actively enforces the rule, and penalties for violations can be severe. Contact Revision Legal’s internet attorneys today to review your privacy practices and ensure COPPA compliance.
COPPA compliance requires more than updating a privacy policy. It requires implementing operational processes for obtaining verifiable parental consent before collecting personal information from children, maintaining records of consents received, responding to parental requests to review and delete their children’s information, and ensuring that third-party advertisers and analytics providers do not collect children’s data without authorization.
The challenge for many operators is that their service may attract child users even if it is not explicitly directed at children. The FTC’s ‘actual knowledge’ standard means that operators who receive signals indicating child users—such as a child revealing their age in a registration form, a child using their parent’s account, or a teacher using a general-audience platform with a class of minors—must comply with COPPA as to those specific users.
COPPA’s verified parental consent requirement is one of the most operationally challenging aspects of compliance. The consent must come from a parent or legal guardian (not the child), and it must be verifiable—meaning the operator must have reasonable assurance that the person consenting is actually an adult. Approved consent methods include:
The FTC has approved various technologies for digital parental consent verification, and operators can apply for FTC approval of novel consent mechanisms through the formal approval process.
The FTC has approved several industry self-regulatory programs as COPPA safe harbors. Operators who are members of an approved safe harbor program and comply with its guidelines are deemed to be in compliance with COPPA’s requirements. Approved safe harbor programs include the kidSAFE SEAL Program and PRIVO’s Privacy Vaults Online program.
Safe harbor membership does not eliminate the risk of FTC enforcement action entirely—violations of safe harbor guidelines can be referred to the FTC—but it provides an additional layer of compliance assurance and demonstrates good-faith effort to comply with the law.
Educational technology companies that provide services to schools face a specific COPPA provision: operators may rely on a school’s authorization to collect student information without direct parental consent when the operator provides services to the school and the school acts as the agent of parents for consent purposes. This exception requires that the operator’s data collection be limited to educational purposes, not commercial uses.
The FTC has issued guidance on the school context and has pursued enforcement actions against EdTech companies that collected student data for commercial purposes beyond what was disclosed to schools.
COPPA compliance requires ongoing attention—the FTC actively enforces the rule and the regulatory requirements continue to evolve. Revision Legal’s internet attorneys help operators of child-directed and general-audience websites assess their COPPA obligations, implement compliant consent mechanisms, and respond to FTC investigations. Contact us today.
Facebook agreed to pay $550 million to settle a class action lawsuit under Illinois’ Biometric Information Privacy Act. Here’s what the case means for biometric data law.
Read more about Facebook’s $550M Illinois Biometric Settlement
Seizing an infringer’s domain name is one of the most effective ways to stop IP theft online. Here’s how courts order domain transfers and what rights holders need to show.
Read more about Seizing an Infringer’s Domain to Stop Infringement
Recent court decisions on what counts as an ‘autodialer’ under the TCPA suggest restrictions may be loosening. Here’s what businesses using automated texts need to know.
Read more about TCPA Autodialer Decisions: Are Restrictions Easing?