Children's Online Privacy Protection Act
Protecting children's personal information collected online
What does the COPPA final rule require in 2025?
The FTC finalized significant COPPA amendments in January 2025 (Federal Register, April 22, 2025; FR 2025-05904). The rule took effect June 23, 2025, with full compliance required by April 22, 2026. The final rule expands the definition of personal information to include biometric identifiers, government-issued IDs, and mobile phone numbers. It requires affirmative opt-in parental consent before using a child's data for targeted advertising, and operators cannot condition participation on agreeing to ads. Data minimization and retention rules are also tightened: collect only what is necessary, delete it when done. The FTC has backed COPPA with nine-figure enforcement actions, so this is not a framework to monitor from a distance.
// What is COPPA?
COPPA imposes requirements on operators of websites, online services, and mobile applications that collect, use, or disclose personal information from children under 13. The law gives parents control over what information is collected from their children online.
COPPA applies not only to sites and services directed at children, but also to general audience sites that have actual knowledge they are collecting information from children under 13. This broad scope affects educational technology platforms, gaming companies, social media services, and any website with child users.
The FTC finalized significant COPPA rule amendments in January 2025. The final rule was published in the Federal Register on April 22, 2025 (FR 2025-05904), took effect June 23, 2025, and requires full compliance by April 22, 2026. The amendments expand the definition of personal information, mandate opt-in parental consent before targeting children with ads, and impose stricter data minimization and retention requirements.
The FTC actively enforces COPPA, with enforcement actions resulting in millions of dollars in civil penalties. The agency has pursued cases against major technology companies and smaller operators alike, making COPPA one of the most actively enforced online privacy regulations in the United States.
// Inside the Regulation
COPPA establishes a framework of notice, consent, and data protection requirements for operators collecting personal information from children under 13. The 2025 final rule amendments strengthen these requirements and expand the definition of covered information.
Covered Information
16 CFR § 312.2 (as amended 2025)COPPA defines personal information broadly. The 2025 final rule expanded the definition to include additional categories.
Direct Identifiers
Name, address, email, telephone number, mobile phone number, Social Security number, and government-issued identification numbers.
Online Identifiers
Screen names, usernames, cookies, IP addresses, device identifiers, and other persistent identifiers used to recognize users over time.
Media Content
Photographs, videos, and audio files containing a child's image or voice.
Geolocation Data
Precise geolocation information sufficient to identify a street name and city.
Biometric Identifiers
Added by the 2025 final rule: biometric identifiers that can be used to identify a specific person, including fingerprints, handprints, retina or iris patterns, and voiceprints.
Notice and Consent
16 CFR § 312.4-312.5 (as amended 2025)Operators must provide clear notice and obtain verifiable parental consent before collecting children's personal information. The 2025 rule adds a mandatory opt-in consent requirement for targeted advertising.
Privacy Policy
Clear, detailed privacy policy describing information practices, posted prominently and linked from every page where information is collected.
Direct Notice to Parents
Direct notice to parents before collecting information, describing what will be collected, how it will be used, and parental rights.
Verifiable Parental Consent
Obtain verifiable consent using reasonable methods: signed consent form, credit card transaction, video call, government ID check, or knowledge-based authentication.
Opt-In Consent for Targeted Advertising
The 2025 final rule requires affirmative opt-in parental consent before a child's personal information may be used for targeted advertising. Operators cannot condition a child's participation on consenting to targeted ads.
Data Protection Requirements
16 CFR § 312.8 (as amended 2025)Operators must maintain reasonable security procedures protecting the confidentiality, security, and integrity of children's personal information. The 2025 rule strengthens data minimization and retention requirements.
Confidentiality
Establish and maintain procedures to protect confidentiality of personal information collected from children.
Security
Implement reasonable security measures to protect against unauthorized access, use, or disclosure.
Data Minimization
Collect only personal information reasonably necessary for the child's participation in the activity. The 2025 final rule strengthens this requirement, prohibiting collection of personal information beyond what the activity requires.
Retention Limits
The 2025 final rule imposes stricter retention limits: retain personal information only as long as reasonably necessary to fulfill the purpose for which it was collected, then delete it promptly.
Parental Rights and Data Retention
16 CFR § 312.6-312.10Parents retain ongoing rights over their children's data, and operators must limit data retention.
Parental Access
Allow parents to review personal information collected from their child.
Deletion Rights
Allow parents to request deletion of their child's personal information and revoke consent for future collection.
Retention Limits
Retain personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. Delete information when no longer needed.
Note: The 2025 COPPA final rule (FR 2025-05904) is in effect as of June 23, 2025, with full compliance required by April 22, 2026. Key additions include expanded personal information (biometric identifiers, government IDs, mobile numbers), mandatory opt-in parental consent for targeted advertising, and stricter data minimization and retention rules. Educational technology operators should pay particular attention to the data minimization requirements for school-context data collection.
// Who Must Comply
- 1 Websites and online services directed to children under 13
- 2 General audience sites with actual knowledge of child users under 13
- 3 Mobile application developers with child audiences
- 4 Educational technology platforms used by K-12 students
- 5 Online gaming platforms accessible to children
- 6 Social media services used by children
- 7 Third-party plug-ins and ad networks operating on child-directed sites
// Key Requirements
Privacy Policy
Clear, detailed privacy policy describing children's information practices
Parental Consent
Verifiable parental consent before collecting personal information from children under 13
Data Security
Reasonable security procedures protecting confidentiality and integrity of children's data
Data Minimization
Collect only information reasonably necessary for the child's participation in the activity
Parental Access
Allow parents to review, delete, and revoke consent for their child's personal information
Vendor Oversight
Ensure third-party service providers maintain equivalent protections for children's data
// Enforcement & Penalties
The FTC enforces COPPA through civil penalty actions. Penalties can be substantial, with recent enforcement actions reaching tens of millions of dollars. The FTC has pursued both large technology companies and smaller operators.
Up to $50,120 per violation (adjusted annually for inflation)
Examples:
- Epic Games: $275 million (2022) for COPPA violations in Fortnite
- Google/YouTube: $170 million (2019) for tracking children without consent
- Musical.ly (TikTok): $5.7 million (2019) for collecting children's data
- Ongoing FTC enforcement sweeps targeting child-directed apps and websites
// Cyber Insurance Impact
Organizations handling children's data face elevated regulatory risk. Cyber insurers closely scrutinize COPPA compliance, and violations can result in coverage disputes. FTC enforcement actions typically include significant penalties that may exceed standard cyber liability coverage limits.
// How Breach Craft Helps
We help organizations achieve COPPA compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of COPPA.
// Common Questions
Is the 2025 COPPA rule in effect or still proposed?
What new categories of children's data does the 2025 COPPA rule cover?
Does COPPA now require opt-in parental consent for targeted advertising to children?
What data minimization and retention obligations does the 2025 COPPA rule add?
// Related Frameworks
// Industries That Need COPPA
These industries commonly require COPPA compliance as part of their regulatory obligations.
Guide last reviewed: June 15, 2026
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873