Reminder: Amended COPPA Rule Compliance Date is Approaching

Charlie Germano, Counsel, Senior Technologist, BBB National Programs

When the Federal Trade Commission (FTC) published the final amendments to the COPPA Rule in 2025, companies were given until April 22, 2026, to comply with those changes.

What seemed to be a far-off compliance date is suddenly near. As you approach the deadline, BBB National Programs’ Children’s Advertising Review Unit (CARU) is here to help. See below for a summary of the changes as well as a look at the steps companies should take now to ensure compliance with the amended Rule. 
 

Here’s what is changing.  

  • Personal Information: The definition of Personal Information now includes biometric identifiers such as face templates, fingerprints, retina scans, and voiceprints. Additionally, government-issued identifiers, phone numbers, audio recordings, and certain geolocation information are now considered personal information.
  • Online Privacy Notice: Online privacy notices must now include the identities and specific categories of third parties the company shares personal information with. Additionally, if a company collects audio files containing a child’s voice, the notice must describe how the company uses the audio file and how the audio file is deleted.
  • Parental Consent: The amended rule allows for additional methods of Verifiable Parental Consent. A parent’s identity may now be verified by either a sufficiently complex set of multiple-choice questions, or by having the parent submit a government-issued ID verified against a photo of the parent’s face. 
 

Written Data Security Program 

A significant new requirement in the amended rule is the written data security program. The Rule requires this program to perform certain actions, including:  
  • Identify who is responsible for coordinating the program 
  • Identify risks regarding the safety of Personal Information collected from children 
  • Create safeguards to manage those risks 
  • Regularly evaluate the effectiveness of the safeguards 
  • At least annually, evaluate and update the program based on new or improved methods to control for identified risks 
 

Data Retention and Deletion 

Another significant new requirement, if children’s personal information is collected, is the written data retention policy, which must be published on the company’s website or online service. The policy must describe what personal information is collected, the purpose for the collection, and the timeframe for the information’s deletion. Personal Information from a child may not be retained indefinitely and must be deleted when it is no longer reasonably necessary for the purpose for which it was collected. 
 

Steps Companies Should Take Now 

  • Audit Data Practices: Identify all sources of biometric information, including voiceprints, faceprints and facial templates, whether collected via apps, devices, or third-party tools. Follow the data through its entire lifecycle, from collection and processing, to sharing and deletion. Ensure that the type of data collected, whom it is shared with, and how long it is retained, are consistent with your published policies. 
  • Ensure published retention/privacy policies accurately reflect actual practices. The FTC has historically taken the stance that companies must “do what you say and say what you do.” This approach applies to retention policies and privacy policies alike. 
  • Create Information Security Policy: If your company collects personal information from children, the amended Rule requires a written information security policy. The policy must identify who is responsible for managing it, as well as the types of risks the policy must safeguard against.
  • Update Privacy Policies: Clearly disclose collection of biometric information. Where applicable, also disclose any third parties that data is shared with and for what purposes. 
  • Implement Parental Consent Mechanisms: Verify consent in easily understood language. There are several methods to obtain parental consent under COPPA, including newly approved methods such as text messages and knowledge-based authentication.
  • Update Data Subject Access Request (DSAR) Processes: When a parent asks to review personal information provided by or about their child, ensure that your internal processes include disclosure of biometric data such as voiceprints, faceprints, and facial templates as part of that request. 
  • Review Third-Party Agreements: Ensure vendors comply with COPPA’s requirements. You are responsible for how third parties use children’s personal information you share with them.  
  • Train Staff: Educate any staff involved in the collection, access, and processing of children’s data. 

Need help? The Children's Advertising Review Unit, or CARU, is here to guide you through these new requirements and keep children safe online. Remember to look for the COPPA Safe Harbor seal to confirm that products you use comply with COPPA.