Bhavesh Pawar

What Changed in the 2025 COPPA Rule That Every Edtech Company Needs to Know Before April 22

The last time COPPA was updated was 2013. A lot has changed since then - mobile apps, biometric data, AI-powered products, SDK ecosystems that track users across dozens of services. The 2025 amendments catch the law up to that reality.

The FTC finalized the updated rule on January 16, 2025. It went into effect June 23, 2025. Full compliance deadline: April 22, 2026. If you've been assuming the 2013 version still covers you, here's what you need to know.


What stayed the same

The core of COPPA hasn't changed. You still need verifiable parental consent before collecting personal information from children under 13. Schools can still authorize data collection on behalf of parents for educational use. The basic framework - notice, consent, access rights, security obligations - is intact.

What changed is the scope, the specificity, and the accountability requirements.


What changed - the 6 most important updates

1. Personal information now explicitly includes biometric data

The 2013 rule didn't specifically address biometrics. The 2025 amendments explicitly add facial recognition templates, voiceprints, fingerprints, retina scans, and similar identifiers to the definition of personal information.

If your product uses any biometric data - for attendance, identity verification, reading assessment, or AI personalization - that data is now regulated under COPPA. You need parental consent to collect it and can't retain it beyond its collection purpose.

2. Separate parental consent required for third-party data sharing

Under the 2013 rule, general consent covered most data uses. Under the updated rule, you need separate, explicit, verifiable parental consent before sharing children's data with third parties for targeted advertising or other commercial purposes.

You cannot bundle this consent into general terms of service. If you share data with advertising networks, analytics platforms, or marketing partners, you need a separate consent flow specifically for that purpose.

3. Stricter data retention - no more indefinite storage

The updated rule makes explicit what was previously implied: you can only retain children's personal information for as long as reasonably necessary to fulfill the specific purpose for which it was collected. Indefinite retention is prohibited.

This means you need a written retention policy with specific timelines. "We keep data until users delete their accounts" is no longer acceptable. You need to define when data is deleted and automate that deletion.

4. You are now accountable for your sub-processors

This is the change that catches most edtech companies off guard. Under the updated rule, primary operators - meaning you - are expected to monitor and restrict how third-party services use children's data you share with them.

Your SDK inventory is your compliance responsibility. Analytics tools, crash reporters, A/B testing platforms, advertising SDKs - if they touch children's data, you need to ensure they're operating within COPPA's requirements. "We didn't know what the SDK was doing" is not a defense.

5. Stricter notice requirements

When seeking parental consent, your notice must now include the identities or specific categories of third parties receiving children's data and the purposes for such disclosure. You can't use vague language like "trusted partners" - you need to be specific about who gets the data and why.

6. Safe harbor programs now require public disclosure

If your company is part of a COPPA Safe Harbor program, those programs are now required to publicly disclose their membership lists and submit additional reports to the FTC. This increases transparency and accountability across the entire safe harbor ecosystem.


What the FTC declined to change

The FTC chose not to finalize several proposed amendments related specifically to edtech, citing concerns about potential conflicts with upcoming FERPA regulation updates. This means the school authorization exception - which allows schools to consent on behalf of parents for educational technology services - remains in place under existing guidance rather than being codified in the rule.

This is good news for edtech companies in the short term. But the FTC explicitly stated it will continue to enforce COPPA in the edtech context and may revisit these provisions depending on how FERPA regulations evolve.


What this means if you were compliant under the 2013 rule

Being compliant in 2024 does not mean you're compliant now. The specific areas to review:

  • Do you collect or use any biometric data? That's newly regulated.
  • Do you share student data with any third-party services? You now need explicit consent and accountability measures.
  • What is your data retention policy? Indefinite retention is now prohibited.
  • Have you audited your SDKs and sub-processors against the new accountability requirements?

If the answer to any of these is "not sure" - that's your compliance gap.


FAQ

Did the FTC change what counts as a "child-directed" service?
Yes - the updated rule added examples of evidence the FTC may consider when determining if a service is child-directed, including marketing materials, representations to consumers, and the nature of the content. If you've been operating in a gray area on this, the updated guidance makes it easier for the FTC to establish that your service targets children.

We use Google Analytics on our platform. Is that a problem?
It depends on whether Google Analytics is active in parts of your product that students use and what data it collects. Google offers a version of Analytics with data collection restrictions for sites directed to children. Review your implementation and consult the terms of your agreement with Google.

Does the school authorization exception still apply after the 2025 updates?
Yes. Schools can still authorize data collection on behalf of parents for educational technology services. But this exception only covers educational use - you still cannot use school-authorized data for advertising or commercial purposes, and the updated accountability requirements for sub-processors apply regardless of how consent was obtained.

What's the penalty for non-compliance?
COPPA violations carry penalties up to $51,744 per violation. In cases involving children's data, the FTC has historically calculated penalties based on the number of affected children. The Cognosphere (Genshin Impact) settlement in 2025 was $20 million. YouTube's COPPA settlement was $170 million.
