The Federal Trade Commission (FTC) has finalized significant amendments to the Children’s Online Privacy Protection Act Rule (Final Rule), published in the Federal Register on April 22, 2025. The new Rule becomes effective June 23, 2025, with a compliance deadline of April 22, 2026.
The following is a snapshot of changes that the FTC has introduced to the COPPA Final Rule.
Definitions
1. Mixed Audience Website
- New Stand-Alone Definition: A clear, separate definition for “mixed audience website or online service” has been introduced to clarify this existing category under COPPA.
- Definition Unchanged in Substance: The new definition does not alter the two-step test already in place:
  - Determine if the site/service is child-directed using COPPA’s multi-factor test.
  - If child-directed, assess whether children are the primary audience. If not, it qualifies as a “mixed audience.”
- Mixed Audience = Subset of Child-Directed: The Commission reaffirms that mixed audience sites are still considered child-directed but serve both children and other age groups.
- Age Screening Requirement: Mixed audience operators must collect age information (or use equivalent means) before collecting personal data. If a visitor is under 13, the operator must follow COPPA’s notice and parental consent rules.
- No Expansion of COPPA’s Scope: The updated definition is not intended to broaden the types of sites considered child-directed—it only clarifies how to identify and handle mixed audience sites.
In short, the rule aims for greater clarity, not expansion, and keeps the current standards intact while emphasizing proper age screening and protections.
2. Online Contact Information
The definition of “Online Contact Information” has been revised to include a mobile telephone number, provided that it is used only for the limited and specific purpose of sending a text message to a parent in order to obtain parental consent.
The FTC has noted that permitting operators to utilize text messages to facilitate the process of seeking verifiable parental consent is appropriate, given the increased utilization of text messaging and mobile phones in the United States. Mobile communication mechanisms are more likely than some other approved consent methods to result in operators reaching parents for the desired purpose of providing notice and obtaining consent, and sending a text message may be one of the most direct and frictionless methods of contacting a parent. This particular amendment is intended to give operators another way to initiate the process of seeking parental consent quickly and effectively.
3. Personal Information
The definition of “Personal Information” has been amended to include ‘Biometric identifiers’ and ‘Government-issued identifiers’.
- Biometric identifiers
  - A biometric identifier is an identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints, handprints, retina patterns, iris patterns, genetic data, including a DNA sequence, voiceprints, gait patterns, facial templates, or faceprints.
The FTC has explained that this proposed amendment is intended to ensure that the Rule keeps pace with technological developments that facilitate increasingly sophisticated means of identifying individuals. The FTC emphasized the uniquely personal nature of biometric identifiers and noted that there are particularly compelling privacy interests in protecting such sensitive data.
- Government-issued identifiers
  - Pursuant to the recent updates to the Final Rule, government-issued identifiers, such as a social security number, state identification card, birth certificate, or passport number, have also been included in the definition of Personal Information.
The FTC has noted that government-issued identifiers can be used to identify and permit the physical or online contacting of a specific child and has concluded that it would be beneficial to expressly incorporate additional government identifiers in the definition of personal information in order to provide greater clarity.
4. Support for internal operations of the website or online service
The definition of “Support for the internal operations of the website or online service” has been revised to clarify that information collected for the enumerated activities, which are considered necessary to support the internal operations of the website or online service, may be used or disclosed to carry out those activities.
5. Website or online service directed to children
The updated Final Rule has added the following text to the multifactor test used to determine whether a website or an online service, or a portion of the website or service is directed to children: “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services”.
By adding the aforementioned factors as part of the multifactor test, the FTC has reiterated that the inquiry in determining child-directedness requires consideration of the totality of the circumstances, and not any one factor alone.
The FTC has emphasized that “marketing or promotional materials or plans” and “representations to consumers or to third parties” are within operators' control and appropriately focus on the ways that operators signal to consumers, advertisers, and others that children are a targeted audience. For these reasons, the FTC is convinced such materials and representations often provide compelling direct evidence regarding an operator's intended audience and audience composition.
The FTC understands that the review by “users or third parties” may not always be accurate and the information regarding the “age of users on similar websites or services” may not be easily accessible. The FTC further notes that the addition of these examples to the definition of “website or online service directed to children” is not intended to impose a burdensome requirement that operators identify and continuously monitor all such information.
The updated Final Rule has also amended paragraph (3) of the definition of “website or online service directed to children” to remove content now covered by the new proposed definition for “mixed audience website or online service” and has added a statement clarifying that “[a] mixed audience website or online service shall not be deemed directed to children with regard to any visitor not identified as under 13.”
Content of the Direct Notice to Parents
The content of the direct notice to the parents has been revised and the following two major changes have been incorporated:
- Usage of Personal Information: The notice on the website must include information on how the operator intends to use the information that has been collected from the child.
- Disclosure to Third Parties: If the operator of a website or an online service directed to children discloses a child’s personal information to third parties, it must clearly explain who those third parties are, including the identities or categories of such third parties, the purposes of such disclosure, and whether the information will be made public. Parents must be told this before their consent is obtained. Also, parents can agree to let the website collect and use their child’s information without consenting to disclosure of that personal information to third parties, unless the disclosure is necessary for the website or service to work properly.
- Deletion of Online Contact Information: The direct notice to the parent shall also set forth that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s or child’s online contact information and the parent’s or child’s name from its records.
Notice on Website or Online Services
The notice on the website or online services has been amended to include the information about the following:
- Third Party Disclosure and Data Retention Policy: This notice must include information about the identities and categories of third parties to which disclosure is made, the purposes of disclosure, and the operator’s data retention policy.
- Information about Internal Operations: The notice must also specify the specific internal operations for which the operator collects a persistent identifier and the means employed by the operator to ensure that the identifier is not used to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose (except as specifically permitted to provide support for the internal operations of the website or online service).
- Information regarding Audio Files: This notice must include information regarding the collection of audio files containing a child’s voice, a description of how the operator uses such audio files and that the operator deletes such audio files immediately after responding to the request for which they were collected.
Consent Choice for Third Party Disclosure
The Final Rule has been updated with respect to the separate consent choice for third-party disclosure. An operator must give the parent the option to consent to the collection and use of the child’s personal information without consenting to disclosure of his or her personal information to third parties, unless such disclosure is integral to the website or online service. An operator required to give the parent this option must obtain separate verifiable parental consent to such disclosure.
Methods for Verifiable Parental Consent
Pursuant to the Final Rule, three new methods for verifiable parental consent have been added. They are as follows:
- Knowledge-based authentication method: The updated Final Rule has introduced the knowledge-based authentication method as an added method of obtaining verifiable parental consent. This method verifies a parent's identity using knowledge-based authentication, provided that:
  - The verification process uses dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and
  - The questions are of sufficient difficulty that a child age 12 or younger in the parent's household could not reasonably ascertain the answers.
- Government-issued photographic ID verification and comparison against image of the parent’s face: This method involves having a parent submit a government-issued photographic identification that is verified to be authentic and is compared against an image of the parent's face taken with a phone camera or webcam using facial recognition technology and confirmed by personnel trained to confirm that the photos match; provided that the parent's identification and images are promptly deleted by the operator from its records after the match is confirmed.
- Text-plus Method: Previously, the email-plus method was available to operators for obtaining verifiable parental consent. The email-plus method involves using email to obtain parental consent. This email can be backed by sending a confirmatory email to the parent following receipt of the consent or confirming the parent’s consent by letter or telephone call.
Similar to the email-plus method, the updated Final Rule has also introduced the ‘Text-plus method’ as a valid method for obtaining verifiable parental consent. The Text-plus method involves using text messages to obtain verifiable parental consent. The consent obtained via text message can be confirmed via a follow-up text message to the parent following receipt of consent, or by sending a letter or making a telephone call to the parent. Parents must also be notified that they can revoke their consent at any time.
Exceptions to Prior Parental Consent
No obligation to obtain parental consent or to provide notice on the website regarding audio files: A new exception to parental consent has been added via the update to the Final Rule. The updated Final Rule now posits that:
- where an operator collects an audio file containing a child's voice, and no other personal information, for use in responding to a child's specific request, and
- where the operator does not use such information for any other purpose, does not disclose it, and deletes it immediately after responding to the child's request,
there shall be no obligation to obtain verifiable parental consent.
The updated Final Rule has provided for the following new measures to uphold the confidentiality, security and integrity of personal information:
- Designated personnel regarding security program: The operator must appoint one or more employees to manage and coordinate the company’s information security program.
- Conduct Regular Risk Assessments: At least once a year, the operator must assess internal and external risks to the security, confidentiality, and integrity of children’s personal information and evaluate how well current safeguards address those risks.
- Implement Safeguards Based on Risks: The operator must design, implement, and maintain safeguards tailored to the amount and sensitivity of children's personal information and the risk of harm from unauthorized access or misuse.
- Monitor and Test Safeguards: Safeguards must be regularly tested and monitored to ensure they are effectively managing identified risks.
- Review and Update Security Program Annually: Each year, the operator must review and update the security program to reflect:
  - New or evolving risks,
  - Test results,
  - Technological improvements, and
  - Any changes that may affect the program’s effectiveness.
- Ensure Third-Party Security Compliance: Before allowing third parties (including service providers) to collect or handle children’s personal data:
  - The operator must ensure they are capable of protecting the data.
  - The operator must get written confirmation that these parties will use reasonable security measures.
Data Retention and Deletion Requirements
The updated Final Rule has been amended to include the following data retention and deletion requirements:
- Limited Retention: Operators may only keep children’s personal information for as long as it is reasonably needed to fulfill the original purpose for which it was collected.
- Timely Deletion: Once the data is no longer needed, it must be deleted securely to prevent unauthorized access or use.
- No Indefinite Storage: Indefinite retention is not allowed — children's data must have a defined lifecycle.
- Written Data Retention Policy: Operators must create, implement, and maintain a written policy that:
  - Explains why the data is collected.
  - States the business need for keeping it.
  - Specifies a clear timeframe for when it will be deleted.
- Public Disclosure: The written data retention policy must be included in the privacy notice on the website or online service, as required by § 312.4(d).
Reporting and Record Keeping Requirements for Safe Harbor Programs
Starting October 22, 2025, and every year after, approved safe harbor programs must submit a report to the Federal Trade Commission (FTC). The report must include the following:
- Operator or Website Information: The report must include:
  - A list of all current subject operators and approved websites or services.
  - A list of any operators who have left the program.
- Program Description: The report must provide:
  - A description of the safe harbor program’s business model.
  - Information on any extra services provided, such as training.
- Consumer Complaints: Copies of all consumer complaints related to violations by subject operators must be included.
- Assessment Results Summary: The report must contain a summarized overview of results from independent assessments conducted on subject operators.
- Disciplinary Actions: The report must describe:
  - Any disciplinary actions taken against operators.
  - The process used to determine when discipline is necessary.
- Parental Consent Approvals: Any approvals granted to member operators for using a specific parental consent method must be documented.
Review of Self-Regulatory Programme Guidelines
No later than April 22, 2028, and every three years thereafter, approved safe harbor programs shall submit to the FTC a report detailing the safe harbor program’s technological capabilities and mechanisms for assessing subject operators’ fitness for membership in the safe harbor program.
Revocation of Approval of Self-Regulatory Program Guidelines
The FTC reserves the right to revoke any approval granted under this section if, at any time, it determines that the approved self-regulatory program guidelines or their implementation do not meet the requirements of this part. Safe harbor programs shall, by October 22, 2025, submit proposed modifications to their guidelines.
Conclusion
In conclusion, the FTC’s 2025 amendments to the Children’s Online Privacy Protection Act (COPPA) Rule represent a sweeping modernization effort aimed at strengthening protections for children’s personal data in today’s digital environment. By expanding key definitions—such as those for personal information and online contact information—to reflect technological advances, and by adding new categories like biometric and government-issued identifiers, the FTC ensures that the Rule keeps pace with evolving privacy risks.
The introduction of updated methods for obtaining verifiable parental consent, amendments to the content of notices to the parents and on the website or online service, enhanced transparency obligations, and rigorous data security and retention requirements demonstrate the FTC’s commitment to a comprehensive, adaptive regulatory framework.
These changes not only offer parents greater control and clarity but also place greater accountability on operators of child-directed websites and online services. As the compliance deadline of April 22, 2026, approaches, stakeholders must thoroughly evaluate and update their practices to align with the Rule’s heightened standards for data collection, use, and protection.