U.S. Privacy and Data Protection Updates | Insights | Q3 2025 (Federal Law)
COPPA Updates 2025: Regulatory and Compliance Implications Businesses Should Know
Overview
The Federal Trade Commission (FTC) finalized significant amendments to the Children's Online Privacy Protection Rule (COPPA) in 2025, with the goal of enhancing protections for minors in an evolving digital ecosystem. The COPPA rule (originally in effect since 2000), applicable to operators of websites and online services directed at children under 13, has now been substantially broadened to address new data practices and technologies.
Expanded Definition of Personal Information
The revised rule broadens what is covered as “personal information.” In addition to traditional identifiers (name, address, email), the definition now encompasses biometric and genetic data (including faceprints, voiceprints, fingerprints, and retinal data), and government-issued identification numbers. This expansion aligns COPPA with contemporary data practices and closes loopholes exploited by connected devices and AI-driven services.
Enhanced Parental Consent Requirements
Parental opt-in consent is now specifically required for third-party advertising, including targeted advertising, and other disclosures to third parties. Operators collecting, using, or disclosing children’s data must now obtain clear, specific, and verifiable parental consent for each discrete activity. Notably, consent for disclosure to third parties must be obtained separately from consent for internal data use. The FTC has offered greater flexibility in approved consent mechanisms, including knowledge-based authentication and biometric verification, to facilitate compliance without undermining privacy.
Data Security and Retention Mandates
The amended rule imposes robust data minimization obligations, requiring companies to develop written security policies and limit retention of children's personal information strictly to what is necessary for the stated business purpose. The requirements reflect the FTC’s focus on both data protection and responsible stewardship.
Safe Harbor Modifications
Safe harbor programs, historically offering members a streamlined compliance path, are now subject to additional oversight. The FTC mandates transparency in operations, annual reporting, and continued adherence to the evolving rule. Organizations leveraging these programs should closely monitor ongoing developments to ensure continuous compliance.
Regulatory Enforcement and Recent Actions
The FTC remains highly vigilant in enforcing the rule, and other regulators also remain interested in minors’ privacy. Some FTC actions include:
- Disney agreed to a $10 million civil penalty for alleged unlawful collection of children’s data without parental notification or consent, violating the COPPA rule. The FTC claimed Disney failed to properly label individual child-directed videos as “Made for Kids,” which enabled data collection and targeted advertising to children under 13. As part of the settlement, Disney must comply with COPPA, notify parents before collecting information from children, and implement a program to ensure accurate labeling of “Made for Kids” videos unless YouTube deploys effective age assurance technologies.
- The FTC also pursued further actions against a toy manufacturer over failures to secure valid parental consent. As part of the settlement, the company owes steep fines and is required to guarantee that any third-party software remains compliant with the COPPA Rule.
- A video game developer agreed to pay $20 million and to block players under 16 from buying loot boxes without parental consent, settling FTC allegations that it violated children’s privacy laws and misled users about the true cost and odds of in-game prizes. The FTC complaint charged the company with deceptive practices, including obscuring real costs and the odds for five-star loot box prizes, and using manipulative virtual currency and marketing tactics that targeted and confused children and teenagers. The company must now disclose odds, provide direct payment options, delete improperly collected children’s data, and comply with COPPA parental consent requirements.
These enforcement actions signal a renewed regulatory emphasis and highlight the real risks, both financial and reputational, of non-compliance.
Implications for Businesses
Entities subject to COPPA must act promptly to:
- Audit and update privacy policies and data collection practices,
- Implement robust age-screening and parental consent systems,
- Train staff on the new legal and technological requirements, and
- Review third-party relationships and data-sharing arrangements to ensure alignment with the enhanced consent rules.
With the final compliance deadline for most of the amended COPPA rule set for April 22, 2026, and no indication of regulatory leniency, timely and comprehensive preparation is imperative. Companies should also note that the original pre-2025 COPPA rule is still in effect, and certain provisions of the new 2025 rule have an earlier compliance deadline.
Conclusion
The FTC’s 2025 amendments to COPPA represent a shift in U.S. children's data privacy regulation, expanding both the breadth of protected information and the rigor of compliance duties. Businesses operating online platforms or services targeting children—or collecting data from users known to be under 13—should view these changes as both a legal requirement and a reputational imperative. Inaction or delay exposes organizations to increased regulatory scrutiny and significant financial penalties.
FAQs
What key data types are now protected under COPPA?
Biometric identifiers, genetic information, persistent identifiers, and government-issued IDs are now protected alongside traditional personal data.
How has parental consent changed?
Parental consent must be specific and separate for data sharing with third parties, and new verification methods have been authorized.
What are the main data minimization requirements?
Operators may only retain children's data for as long as necessary for stated purposes and must implement formal data security policies.
What is the compliance timeline for these changes?
Businesses are expected to be in full compliance by April 22, 2026, for most of the additional rule requirements (with earlier deadlines for certain sections of the amended rule), with no transition period extensions anticipated.
What are the risks of non-compliance?
The FTC continues to enforce COPPA aggressively, imposing substantial penalties and mandatory corrective actions, as recent high-profile cases demonstrate. These issues also implicate potential state regulator enforcement, private class actions, and PR considerations.
This entry was posted on Thursday, September 25, 2025 and is filed under Privacy and Data Protection Updates, Internet Law News.