New COPPA rules take effect June 23, 2025 with major advertising changes

The Federal Trade Commission published comprehensive amendments to the Children's Online Privacy Protection Rule on April 22, 2025, marking the most significant changes to children's online privacy protections in over a decade. These changes will take effect on June 23, 2025, with a compliance deadline of April 22, 2026.

The amendments introduce stringent new requirements for operators collecting personal information from children under 13, fundamentally altering how digital advertising and data collection practices operate in children-directed online services. According to the Federal Register documentation, the changes represent six years of rulemaking and build upon the Commission's enforcement experience since the last major COPPA amendments in January 2013.

Summary

Who: The Federal Trade Commission published amendments affecting operators of websites and online services that collect personal information from children under 13, along with their advertising partners and data processors.

What: Comprehensive amendments to the Children's Online Privacy Protection Rule requiring separate consent for third-party data sharing, enhanced transparency disclosures, stronger security programs, expanded definitions of child-directed services, and stricter data retention policies.

When: Published April 22, 2025, taking effect June 23, 2025, with full compliance required by April 22, 2026, representing the culmination of six years of rulemaking since initial proposals.

Where: United States federal regulation applying to all operators of child-directed websites and online services accessible to U.S. children, regardless of the operator's physical location.

Why: To strengthen protection of children's personal information in response to technological changes and enforcement experience since 2013, addressing concerns about data collection practices, targeted advertising, and inadequate parental control over children's online privacy.

Yield: How Google Bought, Built, and Bullied Its Way to Advertising Dominance

A deeply researched insider’s account of Google’s epic two-decade campaign to dominate online advertising by any means necessary.

Order Now

Enhanced transparency requirements reshape operator obligations

The amended rule significantly expands disclosure requirements for operators. According to the Commission's documentation, direct notices to parents must now include "the identities or specific categories of third-party recipients of children's personal information and the purposes for such disclosures." This requirement applies whenever operators seek parental consent for data collection.

Previously, operators could provide general descriptions of their data practices. The new rule mandates granular disclosure of exactly which third parties receive children's data and why. For persistent identifiers collected under the "internal operations" exception, operators must now explain specific collection purposes and demonstrate how they prevent unauthorized use.

The Commission received substantial feedback supporting these transparency measures. According to the rulemaking record, the Center for Democracy and Technology stated that "additional information about the intended use of the child's data is vital for ensuring the parent gives fully informed consent." A coalition of state attorneys general similarly emphasized that the proposed requirement "represents a significant step toward enhancing parental understanding and decision-making regarding consent to their child's personal information collection."

Separate consent requirement for third-party data sharing

The most consequential change requires operators to obtain separate verifiable parental consent before disclosing children's personal information to third parties, including advertisers and data brokers. This represents a departure from previous practice where general parental consent covered both collection and disclosure.

The rule establishes an exception for disclosures "integral to the nature of the website or online service," but the Commission deliberately avoided prescriptive definitions to maintain flexibility. According to the documentation, operators retain significant discretion in implementing separate consent mechanisms, with the Commission noting it "wanted to provide sufficient flexibility to enable operators to integrate the separate consent requirement in a way that enhances parents' ability to make deliberate and meaningful choices about their children's data."

This change directly impacts programmatic advertising practices that rely on children's data for targeting. Previously, the marketing industry raised concerns about similar proposals, with the Interactive Advertising Bureau arguing that overly broad restrictions could make services inaccessible to children. However, the final rule attempts to balance these concerns with enhanced privacy protections.

Expanded definition targets broader range of child-directed services

The amendments broaden the definition of "website or online service directed to children" by adding new factors for determining child-directedness. According to the Commission's analysis, these factors include "marketing or promotional materials or plans," "representations to consumers or to third parties," "reviews by users or third parties," and "the age of users on similar websites or services."

The Commission defended these additions despite industry opposition. Many commenters, according to the documentation, "contended these examples are not 'competent and reliable empirical evidence' of audience composition or intended audience." However, the Commission noted that "complaints in previous COPPA enforcement cases have cited such evidence as being relevant in determining whether a website or online service is directed to children."

These expanded criteria could potentially bring more platforms under COPPA's scope, particularly those serving mixed audiences with significant child user bases. The changes reflect the Commission's attempt to address modern digital services that may not explicitly target children but attract substantial child audiences through design, content, or marketing practices.

Comprehensive security program requirements

The rule mandates operators establish written comprehensive security programs with specific elements. According to the documentation, these programs must include "annual risk assessments and risk management procedures, regular testing and monitoring, vendor due diligence procedures, and annual evaluations and modifications that take into account new or more efficient technical or operational methods to control risks."

Operators must designate specific employees to coordinate these security programs. The Commission emphasized that programs should scale appropriately to operator size and complexity, stating that "each operator's security program and the safeguards instituted under such program will vary according to the operator's size and complexity, the nature and scope of its activities, and the sensitivity of the information involved."

Data retention requirements also receive significant strengthening. Operators must now implement written retention policies specifying collection purposes, business needs for retention, and deletion timeframes. These policies must be disclosed in operators' online privacy notices, creating additional transparency obligations.

Mixed audience services face new classification

The amendments introduce a new definition for "mixed audience website or online service," addressing platforms that serve both children and adults. According to the documentation, this category applies to services where "the operator does not have actual knowledge that it is collecting personal information from children, but knows that children may visit its website or use its online service."

The Commission explained that this definition provides "clarity for operators about their responsibilities with respect to their websites or online services, many of which are not exclusively directed to children but nevertheless may have child users." This classification helps operators understand their obligations when serving diverse age groups without explicitly targeting children.

The definition impacts how operators assess their COPPA obligations, particularly for general audience platforms with potential child users. Operators of mixed audience services must implement appropriate safeguards when they have reason to believe children may use their services, even without actual knowledge of specific child users.

Industry implications for marketing practices

These changes significantly impact digital advertising practices involving children's data. The separate consent requirement for third-party disclosures disrupts traditional programmatic advertising models that rely on seamless data sharing between operators and advertising partners.

The digital advertising industry has previously expressed concerns about COPPA modifications, particularly regarding requirements that could limit contextual advertising capabilities. The final rule attempts to address these concerns by maintaining flexibility in implementation while establishing clear privacy protection standards.

For marketing professionals, the changes necessitate careful review of data collection and sharing practices. Operators must evaluate their current consent mechanisms, third-party relationships, and disclosure practices to ensure compliance with the new requirements. The expanded definition of child-directedness may also bring additional services under COPPA's scope, requiring comprehensive compliance assessments.

The requirement for detailed third-party disclosure could impact advertising partnerships and data monetization strategies. Operators must now provide specific information about advertising partners and data sharing purposes, potentially affecting competitive relationships and commercial arrangements.

Safe Harbor program accountability measures

The amendments strengthen oversight of FTC-approved COPPA Safe Harbor programs through enhanced transparency and reporting requirements. According to the documentation, Safe Harbor programs must now "publicly disclose their membership lists" and provide additional information to the Commission about their operations and effectiveness.

These programs, which allow industry groups to develop COPPA compliance guidelines, face shorter implementation timelines than other rule provisions. Safe Harbor programs have six months from the rule's publication to comply with new disclosure requirements and 90 days to meet certain reporting obligations.

The Commission emphasized that these changes aim to "increase transparency and accountability of COPPA Safe Harbor programs" while maintaining their role in facilitating industry compliance. The enhanced oversight reflects the Commission's experience with existing programs and stakeholder feedback about program effectiveness.

Biometric data and persistent identifier provisions

The rule expands personal information definitions to include additional categories of persistent identifiers and biometric data. According to the documentation, this expansion addresses technological developments since the last major rule update, particularly in areas like voice recognition, behavioral tracking, and device fingerprinting.

The Commission received significant industry pushback on these expansions, with commenters arguing that broad biometric data inclusion could exceed the agency's authority. However, the final rule maintains these protections while providing implementation guidance for operators using emerging technologies.

Persistent identifiers face enhanced scrutiny under the internal operations exception. Operators collecting these identifiers must now provide detailed explanations of their purposes and demonstrate safeguards against unauthorized use. This requirement addresses concerns about behavioral tracking and profiling of children through device and browser identifiers.

Implementation timeline and compliance considerations

The staggered implementation timeline provides operators with planning opportunities while ensuring timely protection deployment. The rule takes effect June 23, 2025, but operators have until April 22, 2026, to achieve full compliance with most provisions.

Certain Safe Harbor program requirements have accelerated timelines, reflecting their role in industry guidance and compliance facilitation. The Commission noted that this timeline "balance[s] the urgency of protecting children's privacy with the practical considerations of implementation for those affected by the changes."

During the transition period, operators may comply with either the previous rule version or the new requirements, providing flexibility for implementation planning. However, the Commission expects operators to use this time for meaningful compliance preparation rather than delay implementation.

Enforcement and penalty considerations

The amendments maintain existing enforcement mechanisms while strengthening the regulatory framework. According to the documentation, violations can result in civil penalties of up to $43,792 per violation, creating significant financial exposure for non-compliant operators.

The expanded definition of child-directedness and enhanced disclosure requirements create additional compliance touchpoints where violations could occur. Operators must carefully assess their practices against the new requirements to avoid enforcement action.

Recent COPPA enforcement actions demonstrate the Commission's commitment to vigorous enforcement. The TikTok lawsuit, filed in August 2024, illustrates how the Commission pursues violations involving data collection and targeted advertising practices affecting children.

Industry response and future considerations

The marketing industry's response to these changes reflects broader tensions between privacy protection and commercial practices. Google's recent consolidation of its advertising policies for minors indicates how major platforms are adapting to evolving regulatory expectations.

The timing of these COPPA amendments coincides with broader privacy regulation developments, including state-level age-appropriate design codes and international children's privacy initiatives. Marketing professionals must navigate this evolving landscape while maintaining effective advertising strategies.

The Commission's emphasis on flexibility in implementation suggests ongoing dialogue with industry stakeholders about practical compliance approaches. However, the fundamental shift toward enhanced transparency and separate consent for data sharing represents a clear regulatory direction that operators must accommodate.

These changes position the United States as a leader in children's online privacy protection while creating new compliance challenges for the digital advertising ecosystem. The success of these amendments will depend largely on industry adaptation and the Commission's enforcement approach in the coming years.

Timeline

• January 11, 2024: FTC proposed COPPA rule changes in notice of proposed rulemaking

• March 17, 2024: Interactive Advertising Bureau raised concerns about proposed changes potentially limiting children's online access

• August 3, 2024: FTC sued TikTok for alleged COPPA violations and privacy infringements

• January 26, 2025: Google tightened advertising rules to protect minors across its platforms

• April 22, 2025: FTC published final COPPA rule amendments in Federal Register

• June 23, 2025: Amended COPPA rule takes effect

• April 22, 2026: Full compliance deadline for most provisions