Starting Today: The FTC Begins Enforcing the Updated COPPA Rule

Charlie Germano, Counsel, Senior Technologist, BBB National Programs

Today, the Federal Trade Commission (FTC) will begin enforcing the updated Children’s Online Privacy Protection Act (COPPA) Rule. 

The FTC has made clear that children’s privacy is a top enforcement priority and, beginning today, it is backing that up. The updated COPPA Rule is now in force for companies of all sizes.  

And it is important to note that enforcement does not rest solely with the FTC. Companies are now exposed to 50+ state and territorial attorneys general with independent authority to enforce COPPA and related consumer protection laws, many of whom are already bringing actions and advancing parallel state privacy regimes. 

Regulators will now look beyond whether proper age gates, consent mechanisms, and privacy measures are in place and also assess whether they are meaningfully implemented, effective in practice, documented, and continuously maintained.

So, for companies operating child-directed or mixed-audience services, today is not merely a compliance deadline but a shift in how regulators expect brands to operationalize child data protection in an increasingly complex digital ecosystem.

BBB National Programs’ COPPA Safe Harbor Services team is here to help. Our January blog outlines everything you need to know about the updates and new company responsibilities. Take a look and let us know how we can support you.  
 

COPPA Update Readiness Checklist 

As of today, companies should have the following in place: 
  • Audited Data Practices: Identify all sources of biometric information, including voiceprints, faceprints, and facial templates, whether collected via apps, devices, or third-party tools. Follow the data through its entire lifecycle, from collection and processing to sharing and deletion. Ensure that the type of data collected, whom it is shared with, and how long it is retained are consistent with your published policies.
  • Published Retention/Privacy Policies: The FTC has historically taken the stance that companies must “do what you say and say what you do.” This approach applies to retention policies and privacy policies alike.  
  • An Information Security Policy: If your company collects personal information from children, the amended Rule requires a written information security policy. The policy must identify who is responsible for managing it, as well as the types of risks the policy must safeguard against.
  • Updated Privacy Policies: Clearly disclose collection of biometric information. Where applicable, also disclose any third parties that data is shared with and for what purposes.  
  • Parental Consent Mechanisms: Verify consent in easily understood language. There are several methods to obtain parental consent under COPPA, including newly approved methods such as text messages and knowledge-based authentication. 
  • Updated Data Subject Access Request (DSAR) Processes: When a parent asks to review personal information provided by or about their child, ensure that your internal processes include disclosure of biometric data such as voiceprints, faceprints, and facial templates as part of that request.  
  • Reviewed Third-Party Agreements: Ensure vendors comply with COPPA’s requirements. You are responsible for how third parties use children’s personal information you share with them.
  • Trained Staff: Educate any staff involved in the collection, access, and processing of children’s data.  

If you feel behind, contact our COPPA Safe Harbor Services team today. We are here to guide you through these new requirements and keep children safe online.