As of 2025, the Children’s Online Privacy Protection Act (COPPA) has undergone its most substantial update in over a decade, reshaping how businesses handle children’s data online. The FTC finalized significant amendments to COPPA on January 16, 2025. The new rules finalized by the Federal Trade Commission (FTC) mark a dramatic shift from static compliance checklists to dynamic, proactive data governance. With new regulatory definitions, mandatory controls, and broader enforcement authority, apps and websites that generate revenue from collecting, sharing, and selling children’s personal information must rethink how they manage consent, data retention, security, and advertising practices for users under 13.
Let’s dive into the latest COPPA rule changes, what they mean for your business, and what future legislation may be on the horizon.
Key 2025 COPPA Rule Changes: What’s New and What’s Changed
The FTC published the final amendments to the COPPA Rule on April 22, 2025. The effective compliance date for the published amendments is June 23, 2025, and operators will have until April 22, 2026, to reach full compliance. Below are the new changes to COPPA.
1. Mandatory Opt-In for Targeted Advertising
Under the updated rule, businesses must obtain separate, verifiable parental consent before using a child’s data for targeted advertising. This applies to first-party and third-party ad systems and requires granular consent mechanisms.
What it means: Businesses can no longer bundle consent into general terms of service or rely on implied consent for monetization. Separate workflows for core functionality vs. advertising are now essential.
2. Expanded Definition of Personal Information
COPPA now explicitly includes geolocation data and biometric identifiers, such as facial recognition, voiceprints, fingerprints, and retina scans, under its scope.
What it means: Platforms that capture video and audio or use AI/ML for personalization or moderation must treat these inputs as regulated data and ensure they are collected, stored, and used only with valid consent.
3. Mandatory Written Security Programs
Organizations must implement and maintain a formal, written data security program that includes administrative, technical, and physical safeguards.
What it means: Businesses can no longer claim vague or ad-hoc security practices. Regulators will look for documented policies, audits, breach logs, and evidence of technical controls protecting children’s data.
4. Stricter Retention and Deletion Policies
COPPA now requires companies to retain personal information only as long as necessary for the specific purpose it was collected and mandates secure disposal afterward.
What it means: Indefinite storage is no longer acceptable. Businesses must have policy-based data retention and automated deletion workflows.
5. Limits on School Authorization
The updated rule clarifies that schools cannot authorize data use beyond educational purposes, and any use of child data for commercial purposes still requires parental consent.
What it means: EdTech providers must revisit how they use data obtained through schools and separate learning-related use from monetization or analytics.
6. Enforcement of Third-Party Data Sharing
The FTC emphasized accountability for third-party partners that receive child data. Primary operators are now expected to monitor and restrict downstream use.
What it means: Cookie syncing, analytics, and plug-ins must be vetted, and data sharing agreements must reflect COPPA limitations.
The Future of COPPA: Legislative Watch and Industry Trends
While the 2025 rule changes are significant, they may only be the beginning. Here’s what may come next:
1. Potential Congressional Rewrites (COPPA 2.0 or KOSA)
Multiple proposals have been floated, including COPPA 2.0 and the Kids Online Safety Act (KOSA). These aim to:
- Raise the age of protection to 16
- Ban targeted advertising to minors entirely
- Impose duty-of-care standards for algorithmic harm
- Expand private rights of action
- While KOSA has stalled in Congress, state-level momentum could reignite interest.
2. State-Level Child Privacy Laws
- States like California and Connecticut are advancing their versions of children’s data laws, often exceeding COPPA in scope.
- Businesses serving U.S. children may soon need to comply with a patchwork of laws, requiring adaptive governance.
3. Increased FTC Enforcement and Penalties
- The FTC has stated its intention to vigorously enforce the new rules. Previous settlements (e.g., Epic Games, TikTok, YouTube) reached hundreds of millions.
- With a broadened definition of personal information and higher visibility into violations, enforcement actions are likely to increase.
4. Cross-Border Influence: GDPR-K and International Law
- Global trends such as the GDPR’s protections for children (especially Article 8) and similar UK, South Korea, and India rules may shape future U.S. regulatory action.
What It Means for Your Business
Businesses that operate child-directed services or collect data from users under 13 must now:
- Revisit and separate consent workflows
- Audit and map data flows for child data
- Monitor third-party integrations and ad tech usage
- Implement formal security and retention policies
- Build audit-ready systems for consent, deletion, and breach reporting
Those who treat compliance as a one-off project are at increasing risk. Privacy is now an operational function that must be integrated across product, marketing, engineering, and legal teams.
How BigID Helps You Prepare for the Future of COPPA
The future of COPPA will demand more visibility, accountability, and control. Whether you’re a tech platform, game developer, educational app, or content provider, your approach to children’s data must evolve.
BigID is the first and only data security and privacy platform that helps organizations discover, manage, and protect children’s data across their entire ecosystem. Here’s how BigID supports compliance with COPPA:
- Discover and classify children’s personal and sensitive data – including identifiers, biometric, and geolocation data
- Automate parental consent workflows with auditable logs
- Manage third-party sharing risks with data flow mapping
- Applying policy-based retention and secure deletion
- Supporting written security program implementation with risk reporting and incident tracking
Get ahead of compliance risk and build digital trust with BigID. Schedule a 1:1 to learn more about how BigID supports COPPA compliance.
Author
