Explainer: COPPA Rule Proposed Changes

Jan 3, 2024 by Rukiya Bonner, Director, Children’s Advertising Review Unit (CARU); Debra Policarpo, Senior Counsel, CARU; Khoury Trombetta, Privacy Counsel, CARU, BBB National Programs

As we enter the new year, the Federal Trade Commission (FTC) has given us a lot to think about by publishing its proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. While the FTC does not propose many wholesale revisions to the COPPA Rule, it does call for some notable changes that would place more responsibility on providers and platforms to ensure digital privacy and safety for children. 

An underlying premise of the proposed changes seems to be that as technology evolves, protections must also. Accordingly, the FTC’s newest efforts seek to stop companies from exploiting children’s data for commercial gain.  

Proposed changes include expanding the definition of personal information, changes in connection with verifiable parental consent (VPC), and prohibiting companies from keeping children’s data indefinitely. 

Once the changes have been published in the Federal Register, a 60-day comment period will begin.

BBB National Programs’ CARU, the nation’s first and longest-running COPPA Safe Harbor, will submit timely and formal comments to the FTC. Meanwhile, please find a high-level explainer on what the FTC is proposing.


Expansion of the “Personal Information” Definition

When a company has actual knowledge (standard remains unchanged) that users under the age of 13 are interacting with their services, the company must take significant measures to protect children’s personal information (PI). 

Currently PI includes one’s full name, email address, street address, telephone number, persistent identifiers, geolocation, audio recordings, photos, and videos. If a company is collecting PI from a child (about that child or anyone), they must obtain VPC. 

Ten years ago, the definition of PI expanded to reflect cell phone usage in children, and the newest changes again reflect and adjust to new technology. Biometric information, including body movement, facial features, fingerprints or handprints, retina or iris patterns, genetic data, and data derived from voice data, gate data, or facial data will be considered PI with the proposed changes. 

This is certainly consistent with how children engage with technology, especially in gaming and Virtual Reality or Augmented Reality environments in the metaverse. 


Changes to Verifiable Parental Consent

The FTC’s changes provide increased options to satisfy the COPPA VPC requirement. New methods of obtaining VPC under the proposed changes would allow companies to collect consent through text messages, knowledge-based authentication (a series of questions too advanced for u13 users), and facial recognition in conjunction with a valid ID. Collecting a parent’s credit card information without an associated charge would satisfy the VPC requirement. Companies would no longer be required to charge parents a fee to confirm consent. 

For companies that share children’s data with advertisers or third parties, the proposed changes require those companies to obtain separate VPC prior to that disclosure. Further, access to the online services may not rely on this consent (i.e., parents should be able to provide VPC for their child to use the online service without having to consent to that data being disclosed to advertisers and other third parties).


Limitations to COPPA Exceptions

To the extent companies rely on the “Support for Internal Operations” exception (Section J, 5-8), the proposed rule would require operators to provide an online notice stating the internal operations purpose(s) for the collection and how they'll ensure the persistent identifier won't be used or disclosed to contact a specific individual, including through targeted advertising or to prompt/encourage a child to use their services. 

The proposed changes would also prohibit companies from being able to use contact information and persistent identifiers collected under COPPA’s multiple contact and support for internal operations exceptions to send push notifications and “nudges” to get children to stay online longer. 


New Security Requirements & Additional Required Documentation 

The proposed changes to the COPPA Rule would require companies to create, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children. 

In addition to requiring a written children’s personal information security program, the FTC proposes requiring companies to:

  • Designate employees to maintain the information security program;
  • Annually assess the information security program to identify any internal and external security risks to children’s data;
  • Safeguard against the risks identified;
  • Test and monitor the effectiveness of those safeguards; and
  • Make changes to the information security program to reflect the company’s assessment.


Additionally, to the extent companies share children’s data with other operators, service providers, or third parties, the FTC may require companies to take reasonable steps to determine whether those entities are maintaining reasonable data security over children’s data. Companies must obtain written assurances from these entities showing they can maintain the confidentiality, security, and integrity of the children’s data.

The FTC would further require companies to create, maintain, and publish a data retention policy for children’s data. In addition to a written retention policy, the FTC proposed changes that bar companies from retaining children’s data indefinitely, stating “children’s data may only be retained for as long as reasonably necessary for its intended purpose at the time of collection and the data cannot be used for additional purposes.”


What Hasn’t Changed

  • The proposed Rule does not increase the age of a “child.” Consistent with the COPPA statute, the Rule still applies to children under 13. 
  • The FTC rejected arguments for a constructive knowledge standard, as was proposed in the Kids’ Online Safety Act (KOSA) in 2023, and maintained the actual knowledge standard, relying on legislative history to point to Congress’ intent when passing COPPA.
  • The FTC will not allow operators to “rebut the presumption” that all users of child-directed content are children.
  • The FTC decided not to include “inferred data” in the definition of PI.
  • The FTC retained “persistent identifier” under the definition of PI.


Safe Harbor Requirements

The FTC’s proposed changes to the COPPA Rule seek to increase transparency and accountability for COPPA Safe Harbor programs, requiring additional responsibilities, including publicly disclosing their members. CARU takes great pride in providing COPPA protections to our safe harbor participants and we look forward to complying with the FTC’s new Rule changes and continuing to provide stellar service.

Suggested Articles


Robust Dispute Resolution: A Quiet Enforcer for Privacy Compliance

ICYMI, a procedural rule change to update the GDPR has been agreed upon by the European Parliament to provide EU citizens with greater legal certainty regarding enforcement of GDPR, improve the dispute resolution process, and streamline the handling of cross-border cases.
Read more

How Will Customers Know They Can Trust Your Business?

When customers trust you, they are more likely to do business with you. It is well past time for business leaders to “galvanize around trust and transparency.” When it comes to enhancing consumer trust, responsible business and nonprofit organizations can – and must – lead the way.
Read more

What to Know About California’s Lemon Law

Buying a new car should be exciting, not stressful, but the fear of ending up with a “lemon” – a car that’s more trouble than it’s worth – is on the rise. While purchasing a car with unfixable defects is uncommon, it is important to know what to do if you face persistent issues and suspect your car is a lemon.
Read more

Warning: Use Caution with AI in the Children’s Space

Children are engaging with various forms of artificial intelligence (AI), a technology that can provide significant benefits that can be accompanied by a series of risks. The Children’s Advertising Review Unit compliance warning regarding the use of AI in practices directed to children reminds industry of its special responsibilities to children.
Read more