Little Data, Big Requirements: Is Your Business Ready for COPPA’s Amendments?

by: Larisa Kupinszky Gamberg

On April 22, 2025, the Federal Trade Commission (“FTC”) published its much-anticipated final amendments to the Children’s Online Privacy Protection Act (“COPPA”) Rule.

InfoLawGroup previously covered the initial publication of the FTC’s proposed amendments to the COPPA regulations, announced in the week leading up to President Trump’s inauguration. Comments made by the new FTC Chairman sowed some doubt regarding whether the January 2025 COPPA amendments would ultimately be enacted as initially written. Now, businesses subject to COPPA (“operators”) have been put on notice of the Rule’s amendments. We expect minors’ privacy and online safety will continue to be a priority for state and federal regulators. With the exception of certain Safe Harbor requirements, operators will have until April 22, 2026, to fully comply with the new regulations.

Below, we’ve highlighted a few of the new requirements and regulatory considerations that businesses should keep on their radar as they plan their digital compliance strategy in the coming year:

Third-Party Sharing – Consent & Disclosures. Operators will be required to obtain separate verifiable parental consents for both the collection and disclosure of children's personal information, unless the third-party disclosure is “integral to the website or online service.” This means that operators will need to obtain verifiable parental consent prior to collecting or disclosing children’s personal information for targeted advertising. Additionally, with narrow exceptions, operators’ online privacy notices must now include the “identities and specific categories of any third parties to which the operator discloses personal information” and explain the purposes of disclosing children’s personal information. Given the FTC’s recent regulatory emphasis on unfair and deceptive data sharing practices, particularly with regard to sensitive data, operators should prepare well in advance to comply with these requirements.

Biometrics – Front & Center. The COPPA amendments and their accompanying statements from the FTC highlighted the increased regulatory focus on biometric data collection:

Biometric Identifiers as Personal Information. The final Rule adds biometric identifiers to COPPA’s definition of “personal information.” This includes any biometric identifiers “that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints[.]” Notably, the FTC made a point of highlighting its decision to list examples of biometric identifiers using “such as,” rather than “including,” to provide illustrative examples of biometric identifiers, clarifying the non-exhaustive scope of the list.

Risk Assessments for Facial-Recognition Tech. COPPA now allows operators to verify a parent’s identity by comparing the parent’s government-issued photo ID against an image of the parent's face taken with a phone camera or webcam using facial recognition technology and confirmed by a person, provided that the parent's ID and images are promptly deleted after a match is confirmed. The FTC declined to impose risk-assessment requirements on operators using facial recognition tech in this way. However, the FTC explicitly flagged that “operators should be aware that the Commission has challenged as an unfair act or practice under section 5 of the FTC Act the deployment of facial recognition technology that resulted in demonstrably inaccurate outcomes, where the company deploying it failed to heed red flags or to conduct appropriate risk assessments.”

No Other Special Exceptions for Biometric Data. Additionally, the FTC rejected proposals to add exceptions under COPPA to collect and process biometric identifiers for security or age-verification purposes. The Commission expressed concerns that biometric technologies “vary in terms of efficacy across use cases and across providers,” and that “the uniquely personal and immutable nature of biometric identifiers and potential privacy and other harms when such data is misused” justify the added regulatory burden placed on operators to obtain verifiable parental consent before using biometric data. For example, even if biometric data used for age verification was promptly deleted, the FTC noted that “storage of sensitive biometric identifiers for even limited periods of time increases the risk that such data will be compromised in a data security incident.”

Inferred Data Not Regulated by COPPA. In finalizing the definition of “personal information,” the FTC clarified that, while “inferred or proxy data about a child may sometimes include sensitive information presenting privacy risks, the COPPA statute regulates the collection of personal information from a child, and inferred or proxy data that is derived from information collected from sources other than a child therefore cannot be treated as personal information under the COPPA statute.”

“Dark Patterns” Enforcement. As we previously noted, the FTC declined to prohibit push notifications and other prompts that encourage user engagement, noting that some prompts may be beneficial to children (e.g., homework reminders). However, the FTC expressed concerns “regarding practices that operators employ to maximize children's engagement with online services” and noted that it “may pursue enforcement under section 5 of the FTC Act to address unfair or deceptive acts or practices encouraging prolonged use of websites and online services that increase risks of harm to children.”

Compliance is due April 22, 2026—what are your next steps?

Businesses should begin reviewing their current practices against COPPA’s new requirements in order to identify and remedy compliance gaps. Some initial questions businesses might ask themselves include:

  • Will COPPA apply to our websites, apps, or other online platforms?

  • Are we collecting children’s biometric data?

  • Who are we disclosing children’s personal information to, and for what purposes?

  • Do we need additional parental consent for those disclosures and, if so, are our consent mechanisms ready to accommodate that?

  • Do our apps or websites use engagement techniques that could attract enforcement actions?

  • What other minors’ privacy and online safety laws are we subject to? As we’ve previously discussed, several states now govern data collection and processing for minors younger than 16, 17, and even 18 years old.

Originally published by InfoLawGroup LLP.