Updates
EPIC Applauds Critical Updates to COPPA Rule, Strengthening FTC’s Ability to Protect Kids’ Privacy
January 16, 2025

The Electronic Privacy Information Center (EPIC) applauds today’s action by the Federal Trade Commission to strengthen and modernize the Children’s Online Privacy Protection Rule. Approved by a unanimous 5-0 vote, the updated COPPA Rule illustrates the Commission’s strong, bipartisan commitment to protecting kids’ privacy and safety online.
The updated COPPA Rule is a critical step to improving privacy and data security protections for children as they engage in the online world. Apps and websites generate billions of dollars by routinely collecting, sharing and selling children’s personal information to data brokers, advertisers, and other entities. This pervasive data collection fuels commercial surveillance and profiling that can lead to myriad privacy harms for children online. These practices can deprive children of their autonomy and threaten their physical safety and data security. By finalizing the updated COPPA Rule, the Commission is better equipped to regulate the current reality for kids online.
“We applaud the Commission’s unanimous effort to modernize the COPPA Rule and carry forward its commitment to protecting the privacy and safety of children online,” said Suzanne Bernstein, EPIC Counsel. “By requiring that operators implement a formal data security program—including data minimization obligations—the Commission has improved the power of COPPA to mitigate the risks that unrestrained personal data collection and retention pose to children online every day.”
The COPPA Rule clarifies obligations for websites, apps and other covered entities that collect kids’ data. Among other updated provisions, critical updates to the COPPA Rule include:
- Improving data security: The Rule expands operators’ obligation to protect the confidentiality, security, and integrity, of personal information collected from children by requiring a formal information security program. It also requires strict data retention and deletion requirements for personal data.
- Limiting behavioral advertising: The Rule expands the definition of personal information to reflect current technology, requires additional consent to share data with third parties, and continues to prohibit operators from using or disclosing persistent identifiers for behavioral advertising or profiling.
- Limiting and slowing how data is shared with external parties: The Rule now requires operators to obtain separate and additional verifiable parental consent prior to disclosing a child’s personal information to third parties.
***
EPIC regularly advocates for privacy safeguards for children online. Last year EPIC submitted extensive comments to the Federal Trade Commission supporting changes to modernize the COPPA Rule. Recently, EPIC submitted comments to the New York Office Attorney General to support its rulemaking effort implementing the NY SAFE for Kids Act.
In court, EPIC has filed amicus briefs in ongoing NetChoice v. Bonta litigation supporting the California Age-Appropriate Design Code. EPIC also filed an amicus brief to the Northern District of California urging the court not to block California’s Protecting Our Kids from Social Media Addiction Act (SB 976) from going into effect.

Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.
Donate