In April 2025, the Federal Trade Commission (FTC) published amendments to the Children’s Online Privacy Protection Act (COPPA), which is intended to safeguard the digital privacy of children under 13. These amendments became effective June 23, 2025. The amendments aim to strengthen personal data protections as children’s use of digital platforms has grown exponentially since COPPA was first enacted in 2008. The most recently available Gallup data from 2023 reflects that 13-year-olds spend an average of 4.1 hours per day on social media, often far more time than their parents realize.

The latest revisions to COPPA broaden the kinds of personal information that require protection, now explicitly covering biometric and genetic identifiers (like fingerprints, facial scans and DNA), as well as government-issued IDs. Website operators are now required to obtain parental approvals for data collection and for sharing that data with third parties, ensuring transparency and more precise control for parents.

Operators must now create formal documentation detailing their data security and retention policies. These plans must designate responsible personnel, include annual risk evaluations and define how long data is retained, with the retention period strictly tied to the purpose for which it was collected.

The new rules also refine the criteria used to identify whether a site is aimed at children, with the FTC factoring in marketing strategies, audience demographics of similar services and content tone. For sites not exclusively directed at children, but still attracting them, limited data collection is allowed only for specific, justified reasons—such as communicating with parents or ensuring safety.

Additionally, parental notifications must now be more specific. Notices must outline how children’s data will be used, with whom it will be shared and under what circumstances. Parents can now authorize the collection of data without agreeing to have it shared externally unless sharing is essential to the service’s function.

To enhance consent verification, the FTC has approved new tools such as identity-based questions, official ID uploads and verification through follow-up communications. These options aim to bolster reliability in confirming a parent’s identity while giving companies more flexibility as to how to comply with the FTC rules.

Businesses must now not only update their internal systems for data collection, security and retention, but also create thorough and publicly accountable compliance frameworks. The expanded parental rights and clearer transparency requirements reflect the FTC’s growing focus on data accountability in an increasingly complex digital environment.

These updated rules underscore that COPPA is just one layer of protection; organizations must also steer clear of broader practices that could pose risks to children, as general consumer protection laws still apply. With enforcement penalties potentially exceeding $50,000 per violation, the cost of non-compliance can be steep. Ultimately, these changes aim to ensure that children’s online experiences are safer and that their personal information is handled responsibly.