About Alice
Link Dump
Link Guides
Trust & Safety Resources
Alice Links/
COPPA 2.0
Search

COPPA 2.0

Created time
Apr 27, 2025 12:11 PM
Link
https://derekebaird.medium.com/coppa-2-0-modernizing-childrens-privacy-protection-6020e1e338a5
Posted?
Posted?

COPPA 2.0: Modernizing Children’s Privacy Protection

Key Updates to the FTC’s Children’s Online Privacy Protection Rule and What Organizations Need to Know by 2026

notion image
Derek E. Baird, M.Ed.
3 min read
·
4 days ago
  • -
Photo by Tim Gouw on Unsplash
notion image
The Federal Trade Commission has unveiled significant updates to the Children’s Online Privacy Protection Act (COPPA) Rule, marking the most comprehensive overhaul since 2013.
These amendments, published in the Federal Register on April 22, 2025, respond to evolving technologies and digital practices that have transformed how children interact online.
I was pleased to provide feedback to the FTC on these changes while working as the Chief Youth Privacy Officer at BeMe Health.

Key Changes to the COPPA Rule

With new provisions addressing biometric data, mobile communications, data retention requirements, and enhanced parental consent mechanisms, the revised Rule aims to strengthen privacy protections for children under 13 while providing clearer guidance for website operators and online service providers.

Effective Dates

  • The amended COPPA Rule will be effective June 23, 2025
  • Operators have until April 22, 2026, to comply with most provisions (a 1-year compliance period)

New and Modified Definitions

🔹Biometric Identifiers are now included as “personal information” and include:
  • Fingerprints, handprints, retina patterns, iris patterns, genetic data
  • Voiceprints, facial templates, faceprints, and gait patterns
🔹Mobile Phone Numbers are now considered “online contact information” when used to send text messages to parents for consent purposes
🔹Government-Issued Identifiers are expanded to include state ID cards, birth certificates, and passport numbers (not just Social Security numbers)
🔹Mixed Audience Websites/Services now have a stand-alone definition for sites that are directed to children but don’t target them as the primary audience

Parental Consent Changes

🔹Separate Consent Required for disclosing a child’s information to third parties, unless such disclosure is integral to the website or service
🔹“Text-Plus” Method added as a new verifiable parental consent mechanism, similar to “email-plus” but using text messages
🔹New Consent Methods codified, including:
  • Knowledge-based authentication (multiple-choice questions)
  • Face matching to verified photo identification
🔹Audio File Exception added to allow collection of a child’s voice recording without parental consent if:
  • It’s only used to respond to a specific request
  • No other personal information is collected
  • Audio is deleted immediately after responding

Expanded Disclosure Requirements

🔹Direct Notices must include:
  • How the operator uses collected information
  • Third parties receiving information (by name and category)
  • Purposes for such disclosures
🔹Online Notice must include:
  • The operator’s data retention policy
  • If applicable, how are persistent identifiers used for internal operations
  • How audio files are used (if applicable)

New Data Security and Retention Requirements

🔹Information Security Program must be established and include:
  • Companies must designate an employee(s) to coordinate the program
  • Risk assessments at least annually
  • Regularly tested safeguards
  • Written assurances from third parties
🔹Data Retention Policy must:
  • Specify why information is collected
  • Document the business need for retention
  • Establish a timeframe for deletion
  • Be included in the online notice
🔹Prohibition on Indefinite Retention explicitly stated in the Rule

Safe Harbor Program Enhancements

🔹Increased Transparency for FTC-approved COPPA Safe Harbor programs:
  • Must publicly post lists of all member operators and their certified websites/services
  • Annual reports must include additional details about disciplinary actions
  • New triennial reporting requirements
These updates aim to strengthen children’s privacy protections in light of technological developments since the last major update in 2013. They particularly address biometrics, data security, and retention practices.
Derek E. Baird, M.Ed., is the former Chief Youth Privacy Officer at BeMe Health and the award-winning producer of BeingMe: A Teen Mental Health Podcast. A Disney Inventor Award recipient and co-author of ‘The Gen Z Frequency,’ Derek brings 25+ years of expertise in children’s media, technology, and educational technology.
His research, patents, and innovations in youth digital culture, online learning, and digital trust and safety have shaped industry practices and appeared in numerous peer-reviewed publications.