Skip to main content
> COPPA

Children's Online Privacy Protection Act

Protecting children's personal information collected online

Established: 1998 (effective April 2000) Last Updated: 2025 (Final Rule, effective June 2025) Scope: United States
Under 13
Protected Age

What does the COPPA final rule require in 2025?

The FTC finalized significant COPPA amendments in January 2025 (Federal Register, April 22, 2025; FR 2025-05904). The rule took effect June 23, 2025, with full compliance required by April 22, 2026. The final rule expands the definition of personal information to include biometric identifiers, government-issued IDs, and mobile phone numbers. It requires affirmative opt-in parental consent before using a child's data for targeted advertising, and operators cannot condition participation on agreeing to ads. Data minimization and retention rules are also tightened: collect only what is necessary, delete it when done. The FTC has backed COPPA with nine-figure enforcement actions, so this is not a framework to monitor from a distance.

// What is COPPA?

COPPA imposes requirements on operators of websites, online services, and mobile applications that collect, use, or disclose personal information from children under 13. The law gives parents control over what information is collected from their children online.

COPPA applies not only to sites and services directed at children, but also to general audience sites that have actual knowledge they are collecting information from children under 13. This broad scope affects educational technology platforms, gaming companies, social media services, and any website with child users.

The FTC finalized significant COPPA rule amendments in January 2025. The final rule was published in the Federal Register on April 22, 2025 (FR 2025-05904), took effect June 23, 2025, and requires full compliance by April 22, 2026. The amendments expand the definition of personal information, mandate opt-in parental consent before targeting children with ads, and impose stricter data minimization and retention requirements.

The FTC actively enforces COPPA, with enforcement actions resulting in millions of dollars in civil penalties. The agency has pursued cases against major technology companies and smaller operators alike, making COPPA one of the most actively enforced online privacy regulations in the United States.

// Inside the Regulation

COPPA establishes a framework of notice, consent, and data protection requirements for operators collecting personal information from children under 13. The 2025 final rule amendments strengthen these requirements and expand the definition of covered information.

1

Covered Information

16 CFR § 312.2 (as amended 2025)

COPPA defines personal information broadly. The 2025 final rule expanded the definition to include additional categories.

Direct Identifiers

Name, address, email, telephone number, mobile phone number, Social Security number, and government-issued identification numbers.

Online Identifiers

Screen names, usernames, cookies, IP addresses, device identifiers, and other persistent identifiers used to recognize users over time.

Media Content

Photographs, videos, and audio files containing a child's image or voice.

Geolocation Data

Precise geolocation information sufficient to identify a street name and city.

Biometric Identifiers

Added by the 2025 final rule: biometric identifiers that can be used to identify a specific person, including fingerprints, handprints, retina or iris patterns, and voiceprints.

2

Notice and Consent

16 CFR § 312.4-312.5 (as amended 2025)

Operators must provide clear notice and obtain verifiable parental consent before collecting children's personal information. The 2025 rule adds a mandatory opt-in consent requirement for targeted advertising.

Privacy Policy

Clear, detailed privacy policy describing information practices, posted prominently and linked from every page where information is collected.

Direct Notice to Parents

Direct notice to parents before collecting information, describing what will be collected, how it will be used, and parental rights.

Verifiable Parental Consent

Obtain verifiable consent using reasonable methods: signed consent form, credit card transaction, video call, government ID check, or knowledge-based authentication.

Opt-In Consent for Targeted Advertising

The 2025 final rule requires affirmative opt-in parental consent before a child's personal information may be used for targeted advertising. Operators cannot condition a child's participation on consenting to targeted ads.

3

Data Protection Requirements

16 CFR § 312.8 (as amended 2025)

Operators must maintain reasonable security procedures protecting the confidentiality, security, and integrity of children's personal information. The 2025 rule strengthens data minimization and retention requirements.

Confidentiality

Establish and maintain procedures to protect confidentiality of personal information collected from children.

Security

Implement reasonable security measures to protect against unauthorized access, use, or disclosure.

Data Minimization

Collect only personal information reasonably necessary for the child's participation in the activity. The 2025 final rule strengthens this requirement, prohibiting collection of personal information beyond what the activity requires.

Retention Limits

The 2025 final rule imposes stricter retention limits: retain personal information only as long as reasonably necessary to fulfill the purpose for which it was collected, then delete it promptly.

4

Parental Rights and Data Retention

16 CFR § 312.6-312.10

Parents retain ongoing rights over their children's data, and operators must limit data retention.

Parental Access

Allow parents to review personal information collected from their child.

Deletion Rights

Allow parents to request deletion of their child's personal information and revoke consent for future collection.

Retention Limits

Retain personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. Delete information when no longer needed.

Note: The 2025 COPPA final rule (FR 2025-05904) is in effect as of June 23, 2025, with full compliance required by April 22, 2026. Key additions include expanded personal information (biometric identifiers, government IDs, mobile numbers), mandatory opt-in parental consent for targeted advertising, and stricter data minimization and retention rules. Educational technology operators should pay particular attention to the data minimization requirements for school-context data collection.

// Who Must Comply

  • 1 Websites and online services directed to children under 13
  • 2 General audience sites with actual knowledge of child users under 13
  • 3 Mobile application developers with child audiences
  • 4 Educational technology platforms used by K-12 students
  • 5 Online gaming platforms accessible to children
  • 6 Social media services used by children
  • 7 Third-party plug-ins and ad networks operating on child-directed sites

// Key Requirements

Privacy Policy

Clear, detailed privacy policy describing children's information practices

Parental Consent

Verifiable parental consent before collecting personal information from children under 13

Data Security

Reasonable security procedures protecting confidentiality and integrity of children's data

Data Minimization

Collect only information reasonably necessary for the child's participation in the activity

Parental Access

Allow parents to review, delete, and revoke consent for their child's personal information

Vendor Oversight

Ensure third-party service providers maintain equivalent protections for children's data

// Enforcement & Penalties

The FTC enforces COPPA through civil penalty actions. Penalties can be substantial, with recent enforcement actions reaching tens of millions of dollars. The FTC has pursued both large technology companies and smaller operators.

Maximum Penalty

Up to $50,120 per violation (adjusted annually for inflation)

Examples:

  • Epic Games: $275 million (2022) for COPPA violations in Fortnite
  • Google/YouTube: $170 million (2019) for tracking children without consent
  • Musical.ly (TikTok): $5.7 million (2019) for collecting children's data
  • Ongoing FTC enforcement sweeps targeting child-directed apps and websites

// Cyber Insurance Impact

Organizations handling children's data face elevated regulatory risk. Cyber insurers closely scrutinize COPPA compliance, and violations can result in coverage disputes. FTC enforcement actions typically include significant penalties that may exceed standard cyber liability coverage limits.

// How Breach Craft Helps

We help organizations achieve COPPA compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of COPPA.

// Common Questions

Is the 2025 COPPA rule in effect or still proposed?

It is final and in effect. The FTC finalized the COPPA rule amendments in January 2025. The rule was published in the Federal Register on April 22, 2025 (FR 2025-05904) and took effect June 23, 2025. Full compliance is required by April 22, 2026. Any page or guide describing these changes as 'proposed' is out of date. See the FTC COPPA Rule page for the current text.

What new categories of children's data does the 2025 COPPA rule cover?

The 2025 final rule expands the definition of personal information to include biometric identifiers (fingerprints, retina patterns, voiceprints), government-issued identification numbers, and mobile phone numbers. These additions reflect the data types now routinely collected by apps and services that were not addressed in the original 1998 rule or the 2013 amendments. If your platform collects any of these from child users, you need explicit verifiable parental consent before doing so.

Does COPPA now require opt-in parental consent for targeted advertising to children?

Yes. The 2025 final rule adds a mandatory opt-in requirement: operators must obtain affirmative parental consent before using a child's personal information for targeted advertising. Consent cannot be made a condition of the child's participation in the service. This is a direct prohibition on the ad-supported model many child-directed platforms have used, and it applies to third-party ad networks operating on child-directed sites as well.

What data minimization and retention obligations does the 2025 COPPA rule add?

The 2025 final rule strengthens both requirements. On minimization: operators may collect only the personal information reasonably necessary for the child's participation in the specific activity; collecting extra data for other purposes is not permitted. On retention: personal information must be deleted as soon as it is no longer reasonably necessary to fulfill the purpose for which it was collected. Organizations that have held children's data indefinitely as a default will need to establish deletion schedules and enforce them.

// Industries That Need COPPA

These industries commonly require COPPA compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873