COPPA 2.0 Reintroduced – What You Need to Know
Rukiya Bonner, Director, Children’s Advertising Review Unit (CARU), BBB National Programs
Protecting children in the online environment is bipartisan common ground. “How” is the prevailing question.
In 2024, COPPA 2.0 was appended to the Kids Online Safety Act (KOSA), another children’s online safety framework developed over the past few Congresses. The synthesis between these two bills, known as KOSPA, would go on to pass in the Senate with strong 91-3 bipartisan support, but found a chillier reception when sent over to the House. The 118thCongress adjourned with COPPA 2.0 unresolved.
Seeking movement in the new session of Congress, last week, Senators Ed Markey (D-MA) and Bill Cassidy (R-LA) reintroduced COPPA 2.0, the Children and Teens’ Online Privacy Protection Act, claiming it will “ensure children and teenagers are protected online.”
BBB National Programs’ Children’s Advertising Review Unit (CARU), the first Federal Trade Commission (FTC)-approved COPPA Safe Harbor in the U.S., compared this newly reintroduced bill to previous versions of COPPA 2.0 and found them to be quite similar, if not identical, to 2024’s KOSPA.
For instance, the new version of COPPA 2.0 continues to raise the age for COPPA’s legal protections and ban targeted advertising. The knowledge standard (i.e., actual knowledge) also remains unchanged.
Currently, the Children’s Online Privacy Protection Act (COPPA), protects information collected from children under 13. COPPA 2.0 would update the age range to include teens, establishing protections for data collected about individuals under 17. To collect and process the data of 13- to 16-year-olds, companies would be required to obtain opt-in consent from those teenaged users.
COPPA 2.0 would also ban targeted advertising that is audience-based, user-based, or identifier-based – and would not provide for a parental consent override. This could lead to potential misalignment with various state laws, which generally allow for targeted advertising to be served to children under 13 with verifiable parental consent (VPC) and served to teens with their opt-in consent.
Specifically, the definition of targeted advertising, or “individual-specific advertising,” put forward in COPPA 2.0 excludes three categories of activities:
COPPA 2.0 would preempt state laws that directly conflict with its requirements. While the bill states that any state law or rule that conflicts with a provision of this title is preempted, nothing prohibits states from enacting a law or rule that provides greater protection to children or teens.
The recent COPPA Rule update, released by the FTC in January 2025 but not yet in effect, included a new definition of “Biometric Identifier” as a subcategory of personal information. Notably, the rule’s definition included the potentially more expansive language of information that “can be used” for automated or semi-automated recognition of an individual. COPPA 2.0, instead, uses more limiting language, only including information that “is used” to identify an individual.
As noted by a few commenters on the new COPPA Rule, this particular difference in phrasing, while seeming slight, has potential implications for interoperability across different data privacy laws, as most comprehensive state privacy laws in the US use a definition of biometric data or biometric information with more-limiting “is used” language rather than the new COPPA Rule’s “can be used” approach.
The revised COPPA Rule requires a more robust VPC system, potentially requiring consent multiple times. In contrast, COPPA 2.0 provides for “Common VPC ,” which would allow a single operator to use VPC obtained from a parent on behalf of a child, or a parent or teen, on behalf of a teen, or on behalf of multiple operators that provide a joint or related service.
In addition, COPPA 2.0 adds a definition for “Educational Agency or Institution,” helping to flesh out the section first seen in KOSPA related to applicability under agreements with educational agencies, largely codifying the in parentis loco approach to school consent that the Chair Khan FTC supported.
The FTC’s revised COPPA Rule has not yet been published in the Federal Register and is subject to a regulatory pause under one of President Trump’s Executive Orders. This means that the COPPA Rule revisions have not yet gone into effect, and the FTC may make additional modifications. If and when the revised COPPA Rule is published in the Federal Register, it will go into effect within 90 days. But if COPPA 2.0 becomes law, the FTC would have to amend the rule again to conform to the updated statute.
Companies in the children’s space grappling with “what do I do next?” and “what steps should I be taking now?” can turn to the team at CARU. Reach out to us at infoCARU@bbbnp.org with your questions or for more information about our COPPA Safe Harbor Program.
Protecting children in the online environment is bipartisan common ground. “How” is the prevailing question.
In 2024, COPPA 2.0 was appended to the Kids Online Safety Act (KOSA), another children’s online safety framework developed over the past few Congresses. The synthesis between these two bills, known as KOSPA, would go on to pass in the Senate with strong 91-3 bipartisan support, but found a chillier reception when sent over to the House. The 118thCongress adjourned with COPPA 2.0 unresolved.
Seeking movement in the new session of Congress, last week, Senators Ed Markey (D-MA) and Bill Cassidy (R-LA) reintroduced COPPA 2.0, the Children and Teens’ Online Privacy Protection Act, claiming it will “ensure children and teenagers are protected online.”
BBB National Programs’ Children’s Advertising Review Unit (CARU), the first Federal Trade Commission (FTC)-approved COPPA Safe Harbor in the U.S., compared this newly reintroduced bill to previous versions of COPPA 2.0 and found them to be quite similar, if not identical, to 2024’s KOSPA.
For instance, the new version of COPPA 2.0 continues to raise the age for COPPA’s legal protections and ban targeted advertising. The knowledge standard (i.e., actual knowledge) also remains unchanged.
Currently, the Children’s Online Privacy Protection Act (COPPA), protects information collected from children under 13. COPPA 2.0 would update the age range to include teens, establishing protections for data collected about individuals under 17. To collect and process the data of 13- to 16-year-olds, companies would be required to obtain opt-in consent from those teenaged users.
COPPA 2.0 would also ban targeted advertising that is audience-based, user-based, or identifier-based – and would not provide for a parental consent override. This could lead to potential misalignment with various state laws, which generally allow for targeted advertising to be served to children under 13 with verifiable parental consent (VPC) and served to teens with their opt-in consent.
Specifically, the definition of targeted advertising, or “individual-specific advertising,” put forward in COPPA 2.0 excludes three categories of activities:
- Advertising in response to an individual’s specific request for information or feedback (often referred to as search advertising);
- Contextual advertising (where an advertisement is displayed based on factors related to the content of the online service); and
- Processing personal information solely for the purpose of measuring and reporting advertising performance (often referred to as attribution).
COPPA 2.0 would preempt state laws that directly conflict with its requirements. While the bill states that any state law or rule that conflicts with a provision of this title is preempted, nothing prohibits states from enacting a law or rule that provides greater protection to children or teens.
The recent COPPA Rule update, released by the FTC in January 2025 but not yet in effect, included a new definition of “Biometric Identifier” as a subcategory of personal information. Notably, the rule’s definition included the potentially more expansive language of information that “can be used” for automated or semi-automated recognition of an individual. COPPA 2.0, instead, uses more limiting language, only including information that “is used” to identify an individual.
As noted by a few commenters on the new COPPA Rule, this particular difference in phrasing, while seeming slight, has potential implications for interoperability across different data privacy laws, as most comprehensive state privacy laws in the US use a definition of biometric data or biometric information with more-limiting “is used” language rather than the new COPPA Rule’s “can be used” approach.
The revised COPPA Rule requires a more robust VPC system, potentially requiring consent multiple times. In contrast, COPPA 2.0 provides for “Common VPC ,” which would allow a single operator to use VPC obtained from a parent on behalf of a child, or a parent or teen, on behalf of a teen, or on behalf of multiple operators that provide a joint or related service.
In addition, COPPA 2.0 adds a definition for “Educational Agency or Institution,” helping to flesh out the section first seen in KOSPA related to applicability under agreements with educational agencies, largely codifying the in parentis loco approach to school consent that the Chair Khan FTC supported.
The FTC’s revised COPPA Rule has not yet been published in the Federal Register and is subject to a regulatory pause under one of President Trump’s Executive Orders. This means that the COPPA Rule revisions have not yet gone into effect, and the FTC may make additional modifications. If and when the revised COPPA Rule is published in the Federal Register, it will go into effect within 90 days. But if COPPA 2.0 becomes law, the FTC would have to amend the rule again to conform to the updated statute.
Companies in the children’s space grappling with “what do I do next?” and “what steps should I be taking now?” can turn to the team at CARU. Reach out to us at infoCARU@bbbnp.org with your questions or for more information about our COPPA Safe Harbor Program.