PH Privacy
Sweeping Changes to Children’s Privacy Law Will Affect Businesses
April 30, 2025
By Aaron Charfoos, Michelle A. Reed, Rachel Kurzweil and Jeremy Berkowitz
On June 23, 2025, businesses will face a new world of children’s privacy regulation, with amendments to the Children’s Online Privacy Protection Act (COPPA) imposing a host of requirements on operators. The sweeping new changes place requirements on businesses not originally scoped under COPPA and mandate stronger parental consent mechanisms. Under some of the key changes, operators must provide additional disclosures on the collection and use of children’s data, name third parties that receive children’s data and implement procedures to prohibit unlimited storage of children’s data. The COPPA amendments continue to apply to children under the age of 13, compared to California’s Age-Appropriate Design Code Act, which applies to children under the age of 18.
Approved by the Federal Trade Commission (FTC) on January 16, 2025, and published on April 22, 2025, the changes give operators until April 22, 2026, to comply with them. Of note, new FTC Chairman Andrew Ferguson expressed support for the amendments when he voted to approve them as a commissioner in January, noting that while he had some concerns he would seek to improve on, he believes the amendments “contain several measures improving data privacy and security protections for children.”
Below, we have outlined key changes from the amendments.
Updates to Key Definitions
The amendments expand the definition of “personal information” to include biometric identifiers and new government-issued identifiers (e.g., state cards, birth certificates). The amendments also add a standalone definition of “mixed audience website or online service” as a website or online service that does not target children as the primary audience.
The FTC first established the “mixed audience” category in the 2013 amendments, and per the 2024 Notice of Proposed Rulemaking (NPRM), the added standalone definition is intended to make clearer in the rule the existing category for “mixed audience” websites and online services and to provide greater clarity about the means by which operators of mixed audience sites and services can determine whether a user is a child. The amendments retain the two-step analysis used to determine whether a service is “mixed audience,” and operators of mixed audience services will have the same ability to use the exceptions to the verifiable parental consent requirement provided under the COPPA rule as operators of other child-directed websites and online services.
Updates to Key Provisions
Parental Consent
The amendments include significant changes to COPPA’s parental consent provisions. Operators must obtain separate verifiable parental consent for the disclosure of a child’s personal information to a third party, unless that disclosure is “integral” to the nature of the relevant website or online service (e.g., delivery of a product). Notably, the FTC did not include a definition of “integral” and in the 2024 NPRM, the FTC stated that whether a disclosure is “integral” to a service would involve a fact-specific inquiry. Changes also include new options for authenticating parents’/guardians’ identities that are either knowledge-based, text message-based or based on matching a facial image to a verified photo identification. Additionally, while operators that only collect persistent identifiers (e.g., cookie, IP address) to support “internal operations” still do not need to obtain consent for such collection, they must describe it in their privacy notice.
Direct Notice to Parents/Guardians
The COPPA rule’s notice provisions have been updated so that direct notices to parents/guardians must disclose how personal information will be used and the names and categories of any third parties that receive personal information. Additionally, online notices must explain what policies or practices are in place to avoid using persistent identifiers for unauthorized purposes. Online notices must also include a description of how operators use audio files along with confirmation that those files are deleted immediately after responding to the request for which they were collected.
Confidentiality, Security and Integrity of Personal Information
Provisions regarding confidentiality, security and integrity of personal information have been updated to clarify that operators must, at a minimum, establish, implement and maintain a written children’s personal information security program, unless they already have an information security plan in place that applies to both children’s personal information and other information. Additionally, the amendments provide that operators that release children’s personal information to other operators, service providers or third parties must ensure that those entities can maintain the confidentiality, security and integrity of that information, and must obtain written assurances to that effect from those recipients.
Data Retention and Deletion
Data retention and deletion provisions have been clarified to note that operators cannot retain children’s personal information indefinitely. Further, operators may retain this information for as long as reasonably necessary for the purposes for which it was collected. Operators must delete children’s personal information once it is no longer reasonably necessary for the purposes for which it was collected, and they must establish and maintain a written data retention policy specifying collection purposes, business needs for retention and deletion timeframes. Operators must include these retention policies in their privacy notice or on their website.
Safe Harbor Programs
Provisions regarding FTC-approved COPPA Safe Harbor programs have been updated to require that these programs include member operators’ information privacy and security policies, practices, and representations. Additionally, these programs’ mandatory reports to the FTC must identify each subject operator, all approved website or online services and any subject operators that have left the relevant program. The mandatory reports must also include a narrative description of the programs’ business models, copies of consumer complaints related to any subject operators’ violation of programs’ guidelines and a description of the process for determining whether an operator is subject to discipline. These programs must also publicly post a list of subject operators on their website or online service and submit proposed modifications to their guidelines by October 22, 2025.
Next Steps
Operators that must comply with COPPA should consider taking the following steps to ensure they are compliant with the updates by April 2026:
- Establish more robust procedures for parental consent.
- Update notices to account for new disclosures required, including disclosure of third-party recipients of children’s data, use of persistent identifiers, and use and destruction of audio files.
- Draft or update information security policies to ensure they cover children’s personal information.
- Evaluate document classification and retention procedures to ensure compliance with new COPPA requirements.
- Ensure that any Safe Harbor programs they belong to have all necessary information to draft and submit mandatory reporting requirements to the FTC.
The Paul Hastings Data Privacy and Cybersecurity practice is closely monitoring these developments. If you have any questions, please do not hesitate to contact any member of our team.