New COPPA Rule Expands Data Transparency and Security Obligations

On June 23, the Federal Trade Commission’s latest amendments to the Children’s Online Privacy Protection Act (COPPA) Rule took effect, marking a significant shift in how online operators must handle children’s data. As outlined by attorneys at Bass, Berry & Sims, the new COPPA Rule amendments aim to increase transparency, strengthen parental control, and reinforce data security requirements. While the amendments are now in effect, businesses have until April 22, 2026, to achieve full compliance.

Originally enacted in 1998 and last updated in 2013, COPPA requires operators of websites and online services targeting children under 13, or knowingly collecting their data, to obtain verifiable parental consent, provide detailed notices, and allow parental control over data. The 2025 amendments add notable obligations. Operators must now provide more detailed direct notices to parents, including naming third-party recipients and explaining specific data use purposes. Separate parental consent is required before disclosing a child’s data to third parties for targeted advertising unless the disclosure is integral to the service.

The amendments also authorize new verification mechanisms, like knowledge-based questions and facial recognition, and require written data retention policies. Operators must not retain children’s data longer than necessary and must disclose deletion timelines. Additionally, operators must implement comprehensive information security programs, conduct annual risk assessments, and ensure third-party data security.

New definitions clarify “mixed audience” sites and broaden the scope of “personal information” to include biometric and government-issued identifiers. Safe Harbor programs must also meet transparency requirements by October 22, 2025.