New COPPA Rules and New York State Law Create Complex Compliance Landscape for Children’s Privacy

Want to receive these privacy recaps in your inbox each week? Subscribe here.

United States

COPPA Rule Changes and New York Child Data Protection Act Both Take Effect

Amendments to the Children’s Online Privacy Protect Act (COPPA) Rule, published by the FTC in April 2025, are now in effect, as of June 23, 2025. Operators have until April 22, 2026 to comply with most of the new rules, however. Key changes include the following:

• Expanded definition of personal information to include biometric identifiers and government-issued identifiers
• Modification of the definition of “Website or online service directed to children” to add marketing or promotional materials or plans, representations to consumers or to third parties reviews by users or third parties, and the age of users on similar websites or services as examples of evidence the Commission may consider in determining a service’s audience composition and intended audience.  
• Requirements to obtain parental consent before collecting, using or disclosing children’s personal information and to obtain consent for certain third-party sharing (e.g. for marketing or AI training), separately from general use, but allowing for text messages to initiate parental consent and for use of facial recognition for parent identity verification. 
•  More detailed parental notice requirements, including how the operator will use the child’s personal information, the specific third parties receiving it, and the purposes of its disclosure. 
• Requirement to maintain a written data retention policy, which cannot involve retention of children’s personal information indefinitely. 
• Enhanced security requirements, including designation of a security coordinator, annual risk assessments, regular testing and oversight of service providers; 
• New reporting and disclosure requirements for Safe Harbor Programs; 
• Expanded factors for determining whether a website is directed to children; and
• A new standalone definition for “mixed audience website or online service” as (in summary) a service directed to children but not as its primary audience that does not collect personal information except for certain limited purposes prior to determining whether the visitor is a child, which must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information.

The New York Child Data Protection Act took effect June 20, 2025, requiring services primarily directed to (or with actual knowledge, including through browsers or device signals, of) minors under age 18 obtain consent for the collection, use, sharing or sale of personal data of such minors, among other requirements and restrictions.  

TAKEAWAY

The COPPA rule changes arrive at an interesting time for children’s privacy, considering the number of state laws (like New York) that have recently been enacted addressing children’s privacy, whether as a standalone law or as part of a broader comprehensive privacy law.  Many of these state laws impose requirements on a larger set of websites and services either directed to, or likely to be accessed by, children younger than 16, 17 or 18 (COPPA applies to websites or online services directed to children under 13) and impose more stringent requirements than COPPA, including, in some cases, outright prohibitions on certain uses of children’s data (without an option for consent). The next year (as websites and services directed to children look to implement the new COPPA requirements) will therefore likely involve a much deeper analysis of a patchwork of laws and a need for flexible solutions as more laws addressing children’s and teens’ privacy incrementally come into effect. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• UK ICO Issues Draft Guidance on IOT Products and Services
• UK Data Act Receives Royal Assent 
• CNIL Publishes Two Sets of Guidance:
  • Reliance on Legitimate Interest for AI Training
    Collection of Personal Data Via Web Scraping

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.