On April 22, 2026, the Federal Trade Commission will begin enforcing compliance with its most recent amendments to the Children’s Online Privacy Protection Rule (the COPPA Rule). As discussed in more detail below, the FTC published amendments in a 2025 final rule that, among other updates, expands the scope of the COPPA Rule, expands notice requirements, and requires specific data retention and information security policies and procedures.

Background

The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998, imposing obligations and restrictions on operators of websites or online services directed to, or with actual knowledge that they are collecting personal data from, children under the age of 13 (Operators). COPPA also charged the FTC with promulgating implementing regulations, which the Commission first published in the COPPA Rule in 2000. The regulations were updated substantially in 2013 to generally expand the rule’s scope and to address then-emerging technology such as mobile devices and social media.

The COPPA Rule placed numerous obligations and restrictions on Operators, including requirements to provide direct notices to parents and public website notices detailing relevant children’s information collection, use, and disclosure, and a requirement to obtain verifiable parental consent before engaging in such activities. The rule also provides parents with certain rights which can be exercised upon request, including a right to opt out of processing and a right of access regarding their children’s data.

After a multi-year review of the COPPA Rule and a notice and comment period, the Commission published finalized amendments on April 22, 2025, which became effective 60 days after publication and which the Commission will begin enforcing one year after publication. Certain updates are outlined below.

What’s New?

Key updates from the 2025 amendments include:

  • The definition of “personal information” has been expanded. The definition now includes biometric identifiers such as fingerprints, eye patterns, voiceprints, facial templates, or faceprints, as well as government-issued identifiers such as state ID cards and passport numbers.
  • Direct parental notice requirements have been expanded. The content of such notices must now identify the identities or specific categories of third parties to which the Operator discloses children’s personal information (including the public if making such data publicly available) and the purposes for such disclosure, and information about certain parental choices regarding such sharing.
  • Website notice requirements have been expanded. Such notices must now include the identities and specific categories of any third parties to which the Operator discloses personal information, the purposes for such disclosures, and the Operator’s data retention policy. Website notices must also now include disclosures around collection and use of persistent identifiers and use of audio files containing children’s voices, if applicable.
  • New parental consent obligations have been added. Opt-in parental consent is now required before Operators may disclose children’s personal data to third parties for targeted advertising.
  • Operators are explicitly prohibited from retaining children’s data indefinitely. Operators are required to establish, implement, and maintain a written data retention policy specifically addressing children’s data and must make such policy available in their relevant website notice.
  • A new exception to requirements for a “website or online service directed to children” has been added. The amendments define a new term: “mixed audience website or online service,” which is used as a carve-out to the numerous requirements imposed on sites and services directed to children. The definition is nuanced but generally means a website or service which does not target children as its primary audience and that verifies the age of its visitors before collecting their personal information. Sites and services meeting this definition are not considered directed to children for any visitor unless that visitor has been identified as under 13.
  • A new method for obtaining verifiable parental consent has been established. The so-called “text plus” method is now an authorized method for obtaining parental consent. Under this method, an Operator uses a text message coupled with additional steps to verify that the person providing consent is actually the parent, so long as the message does not disclose a child’s personal information. Additional steps can include sending a follow-up text or confirming consent via mail or phone call.
  • New information security requirements have been added. Operators must now establish, implement, and maintain a written information security program containing appropriate safeguards, which must include a detailed list of controls.

Key Takeaways

The COPPA Rule states that violations will be deemed unfair or deceptive acts or practices under the FTC Act, which can result in civil penalties of over $50,000 per violation.

With the rule’s enforcement date being imminent, Taft’s Privacy, Security, and AI Practice attorneys stand ready to help businesses assess applicability and develop strategic, risk-based compliance strategies.