FTC Finalizes COPPA Rule With 2026 Compliance Date

The final rule is set to take effect June 23, but companies will have a year to come into compliance with most provisions, according to a Federal Register notice scheduled for publication Tuesday.

President Donald Trump in January ordered a regulatory freeze, directing agencies to halt sending unpublished rules to the Federal Register, pending further review (see 2501220083). The FTC under Chair Lina Khan voted 5-0 to issue the final rule on Jan. 16.

Current Chairman Andrew Ferguson told us in March that he approved of what passed under the prior administration, but he wanted to amend some language. Monday’s finalization didn’t require a commission vote.

Stakeholders said the latest version of the rule largely mirrors what the Biden administration approved. Ferguson’s FTC opted to remove some education technology-related provisions to avoid conflicts with potential updates to the Family Educational Rights and Privacy Act (FERPA), a Department of Education-enforced law pertaining to student records.

Fairplay Executive Director Josh Golin welcomed the announcement, saying the rule “should serve as a wake-up call to an industry that far too often collects, uses and shares kids’ data in deceptive and exploitative ways.” Golin credited the commission for following some of Fairplay’s recommendations, “including requiring separate parental consent for sharing data with advertisers and other third parties; limiting data retention; and expanding the definition of personal information to include biometrics."

Updating COPPA has been a six-year process, so the Electronic Privacy Information Center is “thrilled” Ferguson is finally sending the rule to the Federal Register, said EPIC Counsel Suzanne Bernstein: “It does provide really significant privacy and data security protections for minors.” She said it’s particularly important given that federal courts have enjoined so many child-related laws at the state level.

She welcomed the FTC’s new information security program, which calls for websites and apps to maintain “reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” Bernstein also credited the commission for upholding requirements for additional consent prior to sharing data with third parties, a provision she said will have a significant impact on the behavioral advertising industry and in limiting data profiling of children.

"I am glad to see the FTC has finally allowed the updated COPPA rule to be published and take effect in June," said Eric Null, co-director of the Center for Democracy & Technology's Privacy & Data Program. "The age-old adage 'better late than never' applies here, but this rule could have been effective now if the FTC chair had allowed the rule to be published upon taking office."

The commission noted in its announcement that certain provisions will go into effect immediately on June 23, including annual reporting requirements under the COPPA Safe Harbor program and disclosures about collecting children’s audio. Websites will now have to publish a description of how they use children’s audio files. The commission said it also reserves the right to revoke and issue new Safe Harbor exemptions based on the new requirements.

The FTC said it removed the edtech provisions in part because DOE in 2024 announced plans to amend FERPA and provisions related to regulating nonconsensual disclosure of personally identifiable information from education records to third parties. The Parent Coalition for Student Privacy said in a statement Monday that there’s been no update since the 2024 announcement. FERPA is “hugely out of date and badly needs strengthening, given the rapid expansion of ed tech, the growing number of breaches, and the commercialization and abuse of personal student data,” said co-Chair Leonie Haimson.

Children and Screens Executive Director Kris Perry said in a statement Monday: “The changes represent significant progress, but COPPA’s scope remains limited. We still need comprehensive data protections for teenagers, stronger oversight of exploitative design practices, increased platform transparency, and greater support for research on how digital media impacts child development.”