FTC Underscores Commitment to Protect Children’s Data Following Major Data Privacy Overhaul; Technology and Internet-Based Companies Especially Vulnerable to the Amended COPPA Rule
A major federal update has changed how children’s data must be protected online, and companies across industries should take notice.
For the first time since 2013, the Federal Trade Commission (FTC) completed a significant overhaul of the Children’s Online Privacy Protection Act (COPPA), the primary U.S. law governing how companies collect, use, and disclose children’s data online. The final COPPA Rule amendments were published in the Federal Register on April 22, 2025, and went into effect on June 23, 2025.
Regulated operators were given a one-year compliance period, which means most covered businesses had until April 22, 2026, to fully comply with updated requirements related to what data can be collected, how long it can be retained, and how clearly parents must be informed before giving consent.
Businesses that are not yet in compliance should be concerned. FTC commissioners have signaled a continued willingness to pursue enforcement against companies that fail to protect children’s personal information.
The amended COPPA Rule introduces several important updates for companies that operate websites, apps, platforms, connected devices, games, software, and other online services that may collect personal information from children under 13.
The definition of “personal information” under COPPA has been broadened to include additional categories of sensitive data. This includes biometric identifiers such as retina or iris patterns, genetic data, faceprints, voiceprints, and fingerprints.
The amended Rule also addresses government identifiers and geolocation information, expanding the kinds of data that may trigger COPPA obligations.
Indefinite data retention is now expressly prohibited under the amended COPPA Rule.
Operators must carefully monitor how long they retain children’s personal information and delete that data when it is no longer reasonably necessary for the purpose for which it was collected. Businesses also need to clearly explain their data retention practices in their online privacy notices.
This means companies should not rely on vague internal practices or informal deletion timelines. Written data retention policies should identify what children’s data is collected, why it is retained, and when it will be deleted.
The amended COPPA Rule expands acceptable methods for obtaining verifiable parental consent. These methods may include knowledge-based authentication, submission of government-issued identification, text messaging combined with additional verification steps, and other methods designed to confirm that the person providing consent is an adult.
Although these methods are permitted, companies must also provide parents with clear notice. When children’s personal information may be disclosed to third parties, the parental notice must identify either the specific names or specific categories of those third parties.
The amended Rule includes new guidance for “mixed audience” websites and online services. These are services that are not primarily directed to children but may still attract or reach children.
For companies that operate platforms, games, apps, or services with both adult and child users, this change is especially important. Operators may need to determine whether a user is a child before collecting personal information, even if children are not the primary audience for the service.
On February 25, 2026, the FTC announced that it would not pursue enforcement against certain operators that collect personal information solely for age verification purposes, provided that specific conditions are met.
This exception is limited. The information collected for age verification cannot be repurposed, and operators must still provide appropriate notice, safeguard the information, and ensure that third parties involved in age verification can protect the confidentiality, security, and integrity of the data.
COPPA compliance is not limited to companies that clearly market to children. The amended Rule may affect a wide range of businesses whose digital properties, platforms, tools, campaigns, or third-party integrations reach children or collect information from users who may be under 13.
Technology and internet-based companies face some of the highest risk exposure under the amended COPPA Rule.
This includes companies providing apps, SaaS platforms, gaming services, connected devices, interactive websites, educational technology, online communities, and other digital services. The addition of a definition for “mixed audience website or online service” means operators that direct their services to children may need to determine whether users are children before collecting their personal information, even when children are not the primary intended audience.
For technology, SaaS, and internet-based businesses, COPPA risk often arises through embedded software development kits, analytics tools, ad tech, user accounts, chat features, geolocation services, or third-party integrations. These data flows should be reviewed carefully.
Consumer brands that operate websites, apps, loyalty programs, promotions, games, online communities, or digital campaigns directed at or likely to attract children may face both regulatory and reputational exposure.
The FTC may consider a company’s marketing plans, representations to consumers or third parties, user reviews, third-party reviews, and the age of users on similar services when determining whether a service is directed to children.
Brands whose marketing materials reference “family audiences,” promote products popular with younger users, or create digital experiences that appeal to children should carefully evaluate whether their online properties cross the COPPA threshold.
Advertising and marketing agencies should also pay close attention to the amended COPPA Rule.
Agencies that operate on behalf of clients or run data-driven campaigns may create COPPA obligations for both their clients and themselves. If an agency operates a website or online service directed to children, or has actual knowledge that a campaign collects personal information from children under 13, the agency may be treated as an operator under COPPA.
For agencies, this makes campaign planning, audience targeting, tracking pixels, analytics, lead capture, and vendor relationships especially important. COPPA risk can arise even when the agency is not the brand owner.
Large companies and in-house legal teams should review vendor contracts, privacy notices, data retention policies, consent flows, and third-party data-sharing practices.
Third-party compliance is especially important. Businesses should evaluate whether vendors, platforms, service providers, and technology partners are capable of protecting children’s personal information and whether written assurances are in place.
Companies should also remember that COPPA compliance does not eliminate broader FTC enforcement risk. Organizations may still be subject to enforcement under Section 5 of the FTC Act for unfair or deceptive acts or practices.
The bottom line: failure to comply with the amended COPPA Rule can create serious risk for businesses whose digital footprint touches children’s data.
That risk may exist even when a business does not intentionally target children. A company’s exposure may come from third-party integrations, embedded SDKs, analytics platforms, advertising tools, user-generated content, online communities, or data-sharing arrangements designed for general audiences.
Businesses should take practical steps now to assess their COPPA compliance, including:
With the FTC continuing to signal close scrutiny of children’s privacy practices, organizations should treat COPPA compliance as an ongoing governance issue, not a one-time policy update.
Navigating children’s privacy compliance can be complex, and the stakes are higher than ever.
Uncommon Counsel works with technology companies, consumer brands, agencies, and businesses of all sizes to build practical, defensible data privacy compliance strategies. That work may include privacy policy updates, data governance frameworks, vendor contract review, consent flow analysis, regulatory risk assessments, and internal compliance planning.
If your business has a digital footprint, now is the time to assess whether the amended COPPA Rule applies to your operations.
Book a Legal Consultation with Uncommon Counsel today.
This blog post is for informational purposes only and does not constitute legal advice. Reading this post does not create an attorney-client relationship with Uncommon Counsel or Attorney Anjali Sareen.