FTC Issues Long-Awaited Kids Privacy Rule Update

The commission voted 5-0 to issue a final rule updating regulations under the Children’s Online Privacy Protection Act (COPPA). Commissioner Andrew Ferguson, President-elect Donald Trump’s incoming chairman, issued a concurring statement saying the rule has “serious problems” that the new administration will need to address.

Under the update, websites and platforms will be required to “obtain separate verifiable parental consent to disclose children’s personal information to third-party companies related to targeted advertising or other purposes,” the agency said. New data retention limits will require companies to “only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected.”

The final rule includes new definitions. Biometric identifiers and government-issued identifiers now fall under the definition for personal information. The rule also requires FTC-approved COPPA Safe Harbor programs to disclose membership lists and other information.

The Biden administration issued a proposed rule in December 2023. The prior Trump administration initiated the proceeding in July 2019. COPPA, which went into effect in 2000, applies to children under 13. Members of the Senate Commerce and House Commerce committees unsuccessfully pushed for legislation updating COPPA in 2024 (see 2411180046).

The FTC declined to adopt proposed requirements that would have limited the use of push notifications to children without parental consent, as well as changes involving requirements for educational technology companies operating in schools.

Changes to the regulations take effect 60 days after publication in the Federal Register. Entities subject to the final rule then will have a year to come into full compliance with most provisions, though compliance is required earlier for provisions involving COPPA Safe Harbor programs. An FR publication date has not yet been scheduled, the FTC said.

“By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission,” said Chair Lina Khan in a statement. “The FTC is using all its tools to keep kids safe online.” Further kids privacy protections are needed beyond the COPPA rule, so Congress should legislate, she said.

Ferguson said in his concurring statement that he approves of bipartisan measures included in the rule, such as transparency requirements for third parties collecting children’s data. However, he accused Democrats of leading an “irresponsible rush to issue last-minute rules two months after the American people voted to evict them from office. He argued parental consent should be transferable when a new company offers similar service to the same child, which would be beneficial for startup competitors. He also argued companies shouldn’t have to obtain consent when gathering data for the sole purpose of age-verification. The incoming Trump administration can address these and other matters, he said.

Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a concurring statement defending the rule’s prohibition on companies retaining children’s data indefinitely. She cited several FTC lawsuits dating back to 2022, in which companies showed no intention of deleting children’s data. “Claims from businesses that data must be indefinitely retained to improve algorithms do not override legal bans on indefinite retention of data,” she said. “Companies eyeing children’s data would do well to heed this lesson.”

The Electronic Privacy Information Center (EPIC) applauded the FTC’s action in a press release Thursday, and said the updated rule makes the commission better equipped to regulate kids online.

“We applaud the Commission’s unanimous effort to modernize the COPPA Rule and carry forward its commitment to protecting the privacy and safety of children online,” said Suzanne Bernstein, EPIC Counsel. “By requiring that operators implement a formal data security program—including data minimization obligations—the Commission has improved the power of COPPA to mitigate the risks that unrestrained personal data collection and retention pose to children online every day.”