COPPA Gets a Refresh: What the FTC’s Latest Updates Mean for Brands and Agencies

Yesterday, the Federal Trade Commission (FTC) announced major changes to the Children’s Online Privacy Protection Act (COPPA) Rule – the first major changes since 2013. These amendments come after a five-year review process, during which the FTC received more than 175,000 public comments. The updates were finalized just ahead of the impending administration change in the U.S.

FTC Commissioner Andrew Ferguson, who is set to become the next FTC Chair, joined outgoing Chair Lina Khan in approving the rule changes, signaling a bipartisan commitment to strengthening protections for children’s data privacy. Notably, Ferguson, while concurring, highlighted a few ‘serious problems’ with the final rule.

This development further demonstrates the growing legislative and regulatory focus on safeguarding kids and teens in the digital space, marking a pivotal moment in online privacy policy.

Need a Refresher on COPPA?

COPPA is a U.S. law designed to protect the digital privacy of kids under 13. It prohibits the collection of personal information, including technical data like full IP addresses, precise location data, and browser cookie data without obtaining verifiable parental consent. Violations can result in multi million-dollar fines, even for non-U.S. companies.

For advertisers, COPPA bans behavioral targeting, remarketing, and user profiling. For publishers, it prohibits trackers, including those from social media companies. To comply, companies must stick to contextual advertising, use compliant kidtech, or obtain parental consent before collecting any personal data.

Why the Update?

The digital landscape has evolved significantly since COPPA’s last update. Children are spending more time online, and the methods companies use to collect and leverage their data have grown increasingly sophisticated.

The latest updates ensure COPPA keeps pace with those, reinforcing and modernizing protections for kids’ privacy in today’s complex digital world.

What’s New?

Here are some of the key changes:

Targeted Ads Now Require an Additional Parental “Yes” – Under the updated rule, disclosures of children’s personal data to third parties require a separate consent than that required for data collection/use. Outgoing FTC Chair Lina Khan stated that operators are prohibited from selling children’s personal information or disclosing it for targeted advertising purposes unless parents separately agree and opt-in to such use. This heightened requirement makes scaling Verified Parental Consent (VPC) for targeted advertising even more challenging, underscoring the longstanding best practice that contextual advertising is the most practical and compliant solution for engaging young audiences.
Parental Consent by Text – Recognizing that text messaging is an easier method for reaching parents than email, the Commission agreed with public comments and will now permit text messaging to contact parents to obtain VPC. Note: mobile phone numbers still cannot be repurposed for unrelated marketing activities.
“Mixed Audience” Receives a Definition – The updated rule formally defines “mixed audience” using prior FTC guidance on this category. Operators (e.g. brand website owners, game developers) must understand the ages of their audience(s). Meaning, even if an operator didn’t intend to have kids on their site, they still have to actively understand the ages of their users. Where appropriate they may wish to use a neutral age assurance method (e.g. an age gate) to determine whether a visitor is a child. Operators must consider the totality of the circumstances to determine if their service is child-directed. This is particularly important in light of the new addition of user/third-party reviews and ages of users of similar services to the list of factors to be considered in determining whether a service is ‘directed to children.’
Data Retention on a Short Leash – Holding onto consented kids’ data? You can only keep it for as long as you really need it and you should have clear deletion protocols. Indefinite data storage is no longer allowed.
Biometrics and More Fall Under “Personal Info” – The scope of “personal information” now includes biometric identifiers that can be used for the automated or semi-automated recognition of a child (like fingerprints and voiceprints) and government-issued IDs (passport numbers, birth certificates). This reflects growing concerns about how sensitive data could be misused.
Safe Harbor Programs Must Be Even More Transparent – The updates enhance accountability for COPPA Safe Harbor programs, which are now required to provide even more detailed reports to ensure higher standards for participants.

And some important non-changes:

The FTC Declined to Impose Restrictions on User Engagement – The updates notably did not include the requirement of parental consent when collecting data to encourage prolonged use of online services. The FTC warned though that it may continue to use Section 5 of the FTC Act to address practices that may pose risks to children like excessive use.
Contextual Advertising Is Still the Only Expressly Approved Form of Advertising to Youth Audiences– The Rule continues to allow operator-driven personalization and contextual advertising under the “support for internal operations” exemption, with no new restrictions introduced.

What Does This Mean for Brands?

In short, it’s time to review your data practices and make sure you’re giving kids’ privacy the VIP treatment it deserves. Here’s a checklist:

Review and Update Privacy Notices – Make sure they’re aligned with the new updates to COPPA and written in clear, user-friendly language.
Get Clear on Consent – Develop a clear and scalable approach to obtaining VPC for any data collection and for third-party disclosures.
Audit Your Data Practices – Conduct a comprehensive review of your data collection, storage, and deletion practices. You should only be collecting what is strictly necessary and you should only keep kids’ data for as long as it’s needed to fulfill the intended purpose.
Partner with Kidtech Experts – Collaborate with specialists like SuperAwesome to ensure you’re on the right side of compliance.

And the clock is ticking! With COPPA updates now published by the FTC, the final rule takes effect in 60 days with a one-year compliance deadline.

The Takeaway

The recent COPPA updates mark a pivotal moment for anyone engaging with kids and teens online. These changes reinforce the importance of safeguarding children’s privacy in today’s digital world. For brands, it’s an opportunity to build trust with parents and demonstrate a commitment to creating a safer, more responsible digital world for young audiences.If you need help navigating the new COPPA landscape, SuperAwesome is here to help. We’re experts in kidtech and youth marketing, and have a deep understanding of COPPA and the other regulations that impact engaging youth audiences online.

Need a Refresher on COPPA?

Why the Update?

What’s New?

What Does This Mean for Brands?

The Takeaway

Reach out to us with your questions – we’re happy to share our knowledge and help you stay successful and compliant.

Related articles

How recent kids’ privacy legislation changes and applications could affect the way you engage with youth audiences

Youth Digital Safety and Compliance: In Conversation with BeMe Health’s Derek E. Baird

How will Google’s FLoCs work with kids digital privacy requirements for advertisers?

Kids’ privacy in practice: In conversation with WPP’s Gareth Burkhill-Howarth

Navigating COPPA for publishers: frequently asked questions

Ensure kid and brand safety on social video: a guide for content creators