FTC Finalizes Changes to the Children’s Online Privacy Protection Rule

On January 16, 2025, the Federal Trade Commission (FTC) announced that it has finalized amendments to the Children’s Online Privacy Protection Rule (the COPPA Rule). Any organization that collects, uses, or shares the personal information of children under the age of 13 should take note of the FTC’s recent amendments, which establish new requirements regarding the safeguarding of children’s personal information.

Specifically, digital platforms, app developers, ad tech, and digital service providers of all kinds should ensure that they are up to speed on key elements of the amended COPPA Rule, such as:

• Opt-in Consent for Targeted Advertising and Third-Party Disclosures: Operators of websites and online services subject to COPPA must obtain separate, verifiable parental consent before sharing children’s personal information with third parties for targeted advertising or other purposes.
• Data Retention Limits: The rule mandates that operators retain personal information only as long as necessary to fulfill the specific purpose for which it was collected. It explicitly prohibits indefinite retention.
• Enhanced Transparency in Safe Harbor Programs: COPPA Safe Harbor programs, approved by the FTC as self-regulatory frameworks, must now publicly disclose their membership lists and provide additional information to the FTC to improve accountability and transparency.
• Revised Definitions: The final rule revises key definitions, including expanding the scope of “personal information” to encompass biometric identifiers and government-issued identifiers.

Businesses squarely focused on children’s offerings — for example, a kid-oriented app or website — may already be aware of these changes if they regularly monitor new children’s privacy requirements. However, businesses that collect data from children as part of a broader audience may be affected by the amendments in ways they may not have considered. Now is the time for such businesses to reexamine what data they are collecting, whether they are obtaining adequate parental consent, and how they are storing or sharing that data to ensure compliance with the updated COPPA Rule.

Please contact the authors of this post or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group if you have questions about the COPPA Rule or privacy compliance more generally.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.