Skip to main content
Featured Topics
Featured Insights
View All Services
View All Industries
About Us Overview
      April 28, 2025

      FTC Announces Significant Amendments to COPPA

      Authors:
      Generate PDF
      Share

      On April 22, 2025, the Federal Trade Commission (FTC) published substantial amendments to the Children’s Online Privacy Protection Rule (COPPA), which will take effect on June 23, 2025. Businesses subject to COPPA must ensure compliance with these changes by April 22, 2026.

      Background

      COPPA was initially enacted in 1998 to protect children’s privacy on the internet. On November 3, 1999, the Commission issued the COPPA Rule, which became effective on April 21, 2000. The COPPA Rule applies to operators of websites and online services that target children or knowingly collect personal information from children under 13 years old.

      Under the COPPA Rule, businesses subject to COPPA (“Operators”) must comply with several requirements, including providing direct and online notice to parents, obtaining verifiable parental consent before collecting, using, or disclosing personal information from children under 13 years of age, and providing parents the opportunity to review the types of personal information collected from their child, delete the collected information, and prevent further use or future collection of personal information from their child.

      The FTC last updated the COPPA Rule in 2013 to address the increasing use of mobile devices and social networking. The latest amendments—proposed in January 2024 and finalized in January 2025—reflect the evolving landscape of online services and data privacy concerns.

      Amendments

      Several key amendments include:

      • A new definition for “mixed audience website or online service,” which permits Operators of mixed audience websites and online services to collect personal information without first obtaining parental consent for the limited purposes set forth in § 312.5(c), prior to determining visitor age. These purposes include to provide parental notice, respond directly to a specific request from the child, and to protect the safety of a child, provided the Operator does not otherwise use or disclose such personal information for any other purpose.
      • A modified definition of “online contact information” to now include “a mobile telephone number provided the operator uses it only to send text messages to a parent in connection with obtaining parental consent.”
      • Expanded definitions of “personal information” that now encompass biometric identifiers such as fingerprints, handprints, retina patterns, iris patterns, genetic data, voiceprints, gait patterns, facial templates, or faceprints, as well as government-issued identifiers like state identification card numbers, birth certificate numbers, and passport numbers.
      • Enhanced notice requirements to mandate that Operators provide detailed information in direct notices to parents about third-party sharing and the specific purposes for which personal information is collected. Additionally, Operators are required to identify third-party recipients by name and category in their online notices and include their data retention policies.
      • New consent mechanisms, including the “Text Plus” method, which allows parents to provide consent via text message. Operators may use the Text Plus method, provided that they do not disclose children’s personal information, and couple the text message with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include either sending a confirmatory text message to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. An Operator that uses this method must provide notice that the parent can revoke any consent given in response to the earlier text message.
      • Operators must establish and maintain a written data retention policy that addresses the retention of children’s personal information and implement comprehensive information security programs.

      Safe Harbor Program

      The COPPA Safe Harbor program allows industry groups or other entities to create self-regulatory guidelines that meet or exceed the protections of the COPPA Rule. These guidelines must be submitted to the FTC for approval. With the recent amendments to COPAA, approved Safe Harbor programs are now required to publicly disclose their membership lists and report additional information to the FTC.

      Key Takeaways

      The recent amendments to COPPA come as the FTC makes public statements about continuing to focus on the privacy and safety of children and teens online. As such, companies subject to COPPA should take steps to ensure compliance with the COPPA’s new requirements, including by reviewing and updating their data collection, retention, and security policies. Companies may also consider integrating the new Text Plus and knowledge-based authentication methods to streamline parental consent processes. Finally, companies should provide clear and detailed notices to parents about their data practices, including third-party sharing and retention policies.

      Finally, while those businesses participating in a Safe Harbor program can benefit from streamlined compliance processes and potentially reduced liability, they should confirm that their self-regulatory guidelines are updated to reflect the new COPPA requirements. This includes incorporating the expanded definitions of personal information, enhanced notice requirements, and new consent mechanisms.

      Authors

      Related Services & Industries

      Stay Up To Date With Our Insights

      See how we use a multidisciplinary, integrated approach to meet our clients' needs.
      Subscribe

      Follow us

      © 2025 Mayer Brown

       

       

      Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Mayer Brown Hong Kong LLP operates in temporary association with Johnson Stokes & Master (“JSM”). More information about the individual Mayer Brown Practices, PKWN and the association between Mayer Brown Hong Kong LLP and JSM (including how information may be shared) can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.