
New FTC COPPA Rule Update Does Little for Parents to Protect Children Online
After a five-year wait, the Federal Trade Commission (FTC) released an update to its Children’s Online Privacy Protection Act (COPPA) Rule (the Rule) on January 16, 2025. This update aims to give parents more control over their children’s data. But instead of accomplishing this, it imposes higher compliance costs and unnecessary burdens on businesses that already comply with COPPA, which will hinder innovation and negatively impact users. Specifically, the update wrongfully includes a complex system of obtaining verifiable parental consent and creates nebulous and confusing classifications for online services. The updated Rule is currently in limbo following the new administration’s freeze on proposing or initiating new rules. Rather than proceed with the proposed Rule, which would undercut President Trump’s pledge to eliminate 10 regulations for each new one issued, the FTC should revise the Rule to give parents more control over their children’s data while also protecting digital innovations for children.
This most recent update of the Rule comes 25 years after COPPA first went into effect and 12 years after it was last amended. As enforced by the FTC, COPPA imposes certain requirements on online services directed to children under the age of 13 and online services that have actual knowledge that they are collecting personal information online from a child under 13. But the new Rule includes multiple changes that would unnecessarily increase businesses’ compliance burden for little to no payoff for parents and children.
First, the Rule update does not modify COPPA’s treatment of contextual advertising. Contextual advertising is very different from targeted advertising, though both are key aspects of the digital economy. Targeted or personalized advertising provides users ads based on individual characteristics, such as showing an advertisement for a university to local young adults, or past online behaviors, such as displaying ads for a university to users who visited a fan site for one of the school’s sports teams. In contrast, contextual advertising places ads alongside content, including search results, related to the product or service being advertised. For example, the same university might advertise on college prep websites or in search results about student loans. These different forms of advertising carry different privacy implications. Targeted advertising relies on collecting users’ personal information, whereas contextual advertising only requires information about the webpages on which ads appear. Therefore, treating targeted and contextual advertising the same in privacy regulations makes little sense.
Second, the FTC’s new Rule would require parental consent before their children’s data can be shared with third parties for targeted advertising purposes. To obtain this consent, the FTC outlines various methods that may be overly burdensome and confusing for parents. One of the proposed new methods is a set of questions that must have a low “probability of correctly guessing the answers” and are of “sufficient difficulty that a child aged 12 or younger could not reasonably ascertain the answers.”
The FTC’s new Rule would also permit companies to obtain parental consent through several methods, including having parents “call a toll-free telephone number,” “connect to trained personnel via video-conference,” or “use a text message coupled with additional steps to provide assurances that the person providing the consent is the parent.” These methods are time- and labor-intensive, in addition to being overly broad and burdensome. Lastly, companies can allow parents to submit a government-issued ID and a selfie to be verified via facial recognition. However, some Americans do not have a government-issued ID, and others may be averse to turning over their personal information in the name of protecting their children’s personal information. While giving parents more control over their children’s online experience is a welcome change, this requirement would create unnecessary friction for both operators and parents, which would ultimately discourage many companies from using targeted advertising. As a result, children will likely have fewer ad-supported free online services, disproportionately hurting children in low-income families.
Third, the Rule modifies certain terminologies, with the addition of a “mixed audience website,” which the FTC defines as a website or online service that is “child-directed” under COPPA’s multi-factor test but does not target children as the primary audience and does not collect personal information from users prior to verifying their age. While it makes sense to have different standards for online services that target children as the primary audience and those that target children along with adults, this nebulous and confusing definition will muddy compliance, leaving it open to interpretation and, therefore, leaving online services open to undeserved punishment if they fail to guess the correct interpretation. The FTC notes that many of the responses it received in its public comment period highlighted that this may cause confusion. Still, it has ignored this feedback, stating it “believes the proposed definition is sufficiently clear.”
Fourth, the Rule will not provide an exemption for operators from being deemed a child-directed website or online service if such operators undertake an analysis of their audience composition and determine no more than a specific percentage of their users are likely to be children under 13. Such an exemption would have allowed operators of sites with a small percentage of users under 13 to avoid unnecessary compliance costs and better tailor their services to their audience, and it would have provided the FTC with greater insight into online services’ audiences. Its omission represents a serious missed opportunity.
Lastly, the Rule clarifies that operators are prohibited from retaining children’s personal information indefinitely. The FTC claims this change will give parents greater transparency into how their children’s data is collected and shared, but in practice, it will damage children’s online experience. For example, operators now are not considered to have collected personal information if they take reasonable measures to delete all or virtually all personal information from a child’s posts before they are made public and delete this information from their records. But in reality, without this data, online services will be unable to accurately tailor algorithms to show children age-appropriate content.
Notably, the new Rule rightly adds biometric identifiers to its definition of “personal information,” defining them as information “that can be used for the automated or semi-automated recognition of an individual including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints.” The FTC removed from its definition “data derived from voice data, gait data, or facial data,” in response to feedback from several commentators—including ITIF—who argued that the original definition was overly broad, as it included information that does not individually identify individuals.
The FTC also stated it would like further evidence of how variations in the definition of biometric identifiers would be overly costly and burdensome, explaining that “the [FTC] has concluded at this time that the impact on such uses and the burden placed on operators to obtain verifiable parental consent are outweighed by the benefit of providing greater protection for this sensitive data and enhancing control for parents.” When businesses have to comply with a patchwork of different state and federal regulations, compliance costs go up. This would create confusion for consumers and impose duplicative compliance costs on businesses—to the detriment of the digital economy.
The final version of the Rule also did not include proposals that would have barred edtech companies from using children’s data gathered in educational settings for commercial purposes. The agency revealed this proposal was omitted due to presumed upcoming changes to the U.S. Department of Education’s Family Educational Rights and Privacy Act (FERPA) rules. The FTC is right to wait for these changes, as it should maintain its role in providing an overarching privacy standard through COPPA rather than creating duplicative and complex compliance requirements for educational settings.
Parents need reliable tools to ensure their children are safe online, but the FTC should not make online services face overly burdensome requirements that also affect their users. Given the new FTC chair and the presidential freeze on new rules pending review by the new administration, there is still time to adjust the COPPA Rule to better protect children and empower parents without creating unnecessary burdens and costs on businesses and users.