COPPA changes specify children’s biometrics and government IDs for protection

The Federal Trade Commission (FTC) Thursday issued notice that it finalized substantial changes to the Children’s Online Privacy Protection Act (COPPA), signaling a significant step toward enhancing online privacy safeguards for children.
The updated COPPA rule represents a pivotal moment in the ongoing effort to protect children’s privacy online. By introducing stricter requirements for data collection, use, and sharing, the FTC is setting a higher standard for how companies interact with their youngest users. The updated rule imposes stricter requirements, introduces new protections for parents, and seeks to mitigate the risks associated with the monetization of children’s data.
The rule not only empowers parents, but it also sends a clear message to the industry: children’s data is not a commodity to be exploited. As the rule takes effect, its impact will be closely watched, serving as a benchmark for future privacy regulations.
At the core of the changes is a groundbreaking provision requiring parental opt-in for third-party advertising practices. This marks a pivotal shift in the regulation of targeted advertising aimed at children. Companies must now secure explicit, verifiable parental consent before disclosing children’s personal information to third parties for advertising or other purposes. By implementing this rule, the FTC is targeting practices that have allowed businesses to profit from children’s data without active parental involvement.
FTC Chairman Lina M. Khan emphasized the importance of the changes. She said, “The updated COPPA rule strengthens key protections for kids’ privacy online. By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”
The COPPA rule, first implemented in 2000, underwent its last significant revision in 2013. However, the rapid evolution of technology and online services has rendered many aspects of the rule insufficient to address emerging threats to children’s privacy. In January 2024, the FTC proposed a series of amendments designed to modernize COPPA, reflecting the realities of the current digital environment. The finalized changes are a culmination of this effort, incorporating insights from nearly 300 public comments on the proposed revisions.
One notable update involves stringent limits on data retention. Businesses subject to COPPA are now required to retain children’s personal information only as long as it is reasonably necessary to fulfill the specific purpose for which the data was collected. This provision is explicitly designed to prevent indefinite retention of sensitive information which can increase the risk of misuse or data breaches. By mandating that companies adopt more disciplined data retention practices, the FTC aims to reduce potential harm to children resulting from long-term exposure of their data.
“In recent years, the FTC has repeatedly encountered and filed suit against companies who apparently never deleted children’s data,” Commissioners Alvaro Bedoya and Rebecca Slaughter said in a joint statement that “claims from businesses that data must be indefinitely retained to improve algorithms do not override legal bans on indefinite retention of data. Companies eyeing children’s data would do well to heed this lesson. [We are] glad that this rule update will make those obligations even more explicit.”
The FTC also bolstered transparency within its Safe Harbor programs, which allow industry groups to develop self-regulatory guidelines in compliance with COPPA. Approved programs will now be required to disclose their membership lists publicly and submit additional reports to the FTC. This enhancement is intended to increase accountability and ensure that Safe Harbor programs uphold robust standards for protecting children’s privacy. By shining a light on these programs, the FTC seeks to build trust among parents and advocates while encouraging greater compliance from participating organizations.
Another significant change is the expansion of COPPA’s definition of personal information. The revised definition now encompasses biometric identifiers, such as fingerprints and facial recognition data, as well as government-issued identifiers. This change reflects the FTC’s acknowledgment of the growing prevalence and potential risks of advanced data collection technologies. By broadening the scope of protected information, the FTC is addressing concerns about the exploitation of increasingly sophisticated data types in ways that could compromise children’s privacy.
Despite these advancements, however, the FTC decided against adopting some of the proposed changes. It declined, for example, to finalize requirements aimed at limiting the use of push notifications directed to children without parental consent and specific provisions related to educational technology companies operating in school environments.
The FTC expressed ongoing concerns about the use of engagement techniques, such as push notifications, to retain children’s attention online in ways that could harm their mental health. However, it concluded that further evaluation is necessary before implementing additional regulations.
The final rule also underscores the importance of balancing regulatory objectives with practical implementation timelines. While the rule will take effect 60 days after its publication in the Federal Register, entities subject to the amendments will have one year from the publication date to achieve full compliance. This phased approach provides organizations with a reasonable timeframe to adjust their practices and ensure adherence to the new requirements.
The unanimous 5-0 vote to approve the final rule reflects broad consensus among the FTC’s commissioners on the need for strengthened protections for children’s online privacy. Khan and Commissioner Andrew Ferguson issued separate concurring statements, while Commissioners Bedoya and Slaughter released a joint concurring statement. The statements highlight the FTC’s shared commitment to safeguarding children’s digital experiences while addressing emerging privacy concerns.
“Today, the Commission takes the important step of finalizing its amendments to the COPPA Rule,” Bedoya and Slaughter said. “These changes are a necessary effort by the Commission – and authorized by Congress – to modernize the COPPA Rule and ensure it keeps up with advancements in technology.”
Commissioner Ferguson – Trump’s pick to lead the FTC – issued a politically charged statement in which he said there are “serious problems with the final rule, problems that are the result of the outgoing administration’s irresponsible rush to issue last-minute rules two months after the American people voted to evict them from office, which the Commission under President Trump will have to address.”
Biometric Update earlier reported that Trump’s choice of Ferguson to lead the FTC could indicate an inclination by the incoming administration to deprioritize FTC rulemaking and enforcement activities related to data privacy, which also could indicate a broader regulatory philosophy that emphasizes legislative action over administrative rulemaking.
Nevertheless, the updated COPPA rule is not merely a regulatory milestone, it is a response to the growing public demand for greater accountability in how companies handle children’s data. The Internet and digital technologies have become integral to children’s lives, offering educational, social, and recreational opportunities, but these benefits often come with significant risks, including exposure to intrusive advertising, data exploitation, and threats to mental health. The FTC’s amendments to COPPA are intended to mitigate these risks by empowering parents and ensuring that businesses prioritize the privacy and safety of their youngest users.
One of the most transformative aspects of the updated rule is its potential to reshape the online advertising landscape. Targeted advertising has long been a lucrative revenue stream for companies, but its reliance on personal data has drawn increasing scrutiny, particularly when children are involved. By requiring opt-in consent, the FTC is effectively curbing the unchecked monetization of children’s data and ensuring that parents retain control over what information is shared. This move not only protects children’s privacy but also sets a precedent for broader industry practices, potentially influencing how data is handled across other demographics.
The inclusion of biometric and government-issued identifiers in the definition of personal information addresses another critical concern: the growing use of advanced technologies to collect and analyze sensitive data. As biometric tools become more widespread, the risks of misuse or unauthorized access increase. By extending COPPA’s protections to these data types, the FTC is proactively addressing potential threats and ensuring that its regulatory framework keeps pace with technological advancements.
The emphasis on data minimization and transparency aligns with broader trends in privacy regulation, both domestically and internationally. By mandating that companies retain personal information only for as long as necessary, the FTC is reinforcing the principle that data should not be collected or stored beyond its intended purpose. Similarly, the increased transparency within Safe Harbor programs mirrors global efforts to enhance accountability and build public trust in self-regulatory initiatives.
While the updated COPPA rule marks significant progress, it also leaves room for further action. The FTC’s decision to hold off on regulating push notifications and engagement techniques suggests that these issues will remain on the agency’s radar. As digital platforms continue to evolve, the FTC is likely to revisit these topics, potentially introducing additional safeguards to address emerging risks.
Commissioner Ferguson – Trumps pick to head the FTC – criticizes changes
In a statement, Ferguson criticized several aspects of the FTC’s final amendments to COPPA. While he supports certain provisions, such as requiring businesses to disclose third-party data recipients to parents and obtain parental consent for specific disclosures, he raises concerns about how these measures could inadvertently stifle competition among third-party service providers.
Ferguson argues that the requirement to seek fresh parental consent for changes in third-party data recipients, while well-intentioned, could impose high compliance costs on businesses and create market stickiness, entrenching the dominance of incumbent providers.
Ferguson also critiques the new rule prohibiting the indefinite retention of children’s data. He acknowledges its good intentions, but warned it might result in unintended negative consequences, such as the irreversible loss of digital content with personal significance.
Additionally, he questions the practical definition of “indefinite” and how it differs substantively from existing rules that already limit data retention.
Finally, he expressed disappointment that the rule fails to include an exception for the use of children’s personal information solely for age verification. He argues that this omission complicates compliance for mixed-audience platforms seeking to adopt more reliable age verification methods than self-declaration, as they must obtain parental consent to collect data for verification purposes.
Ferguson attributes these shortcomings to the hasty finalization of the amendments during the transition between presidential administrations and calls on the new FTC leadership under Trump to address these flaws.
Article Topics
biometric data | biometric identifiers | biometrics | children | COPPA | data privacy | data protection | digital identity | FTC | U.S. Government
Comments