Updated COPPA Rule (Finally) Finalized Today

April 21, 2025

Today the updated Children’s Online Privacy Protection (COPPA) Rule was published in the Federal Register, finalizing the much-needed modernization to the COPPA Rule. After a nearly 6-year rulemaking process, the Federal Trade Commission unanimously approved the updated COPPA Rule in January 2025, but it did not become effective until today’s publication. Finalizing the COPPA Rule improves the Commission’s ability to protect kids online. 

Apps and websites generate billions of dollars by routinely collecting, sharing and selling children’s personal information to data brokers, advertisers, and other entities. This pervasive data collection fuels commercial surveillance and profiling that can lead to myriad privacy harms for children online. The updated COPPA Rule provides the FTC with critical tools to address these risks so that children can engage with the online world in a safer, more privacy-protective way.

The COPPA Rule clarifies obligations for websites, apps and other covered entities that collect kids’ data. Among other updated provisions, critical updates to the COPPA Rule include: 

  • Enhanced data security and retention requirements: The Rule expands operators’ obligation to protect the confidentiality, security, and integrity of personal information collected from children by requiring a formal information security program. The required information security program includes an obligation to evaluate data security risks, deploy safeguards to mitigate those risks, and test and monitor the efficacy of safeguards, including evaluating the entire information security program annually. It also mandates strict data retention and deletion requirements for personal data.
  • Increased transparency obligations related to data collection and use: The Rule includes changes to the notice requirements that will significantly enhance transparency about operators’ collection, use, and sharing of kids’ data. For example, the Rule now requires a direct notice on the website or online service to include “identities and specific categories of any third parties to which the operator discloses personal information and the purposes for such disclosures […].” §312.4(d)(2).
  • Strong limits on data sharing with external parties, including the advertising ecosystem: The Rule now requires operators to obtain separate and additional verifiable parental consent prior to disclosing a child’s personal information to third parties like advertisers and data brokers. These provisions will create significant friction, slowing the incessant flow of personal data to third parties.

EPIC regularly advocates for privacy safeguards for children online. Last year EPIC submitted extensive comments to the Federal Trade Commission supporting changes to modernize the COPPA Rule. EPIC also submitted comments to the New York Office of the Attorney General to support its rulemaking effort implementing the NY SAFE for Kids Act. In court, EPIC has filed amicus briefs in the ongoing NetChoice v. Bonta litigation supporting the California Age-Appropriate Design Code. EPIC also filed amicus briefs in the Northern District of California urging the court not to block California’s Protecting Our Kids from Social Media Addiction Act (SB 976) from going into effect.
