Top 5 impacts of the new COPPA Rule

The Children's Online Privacy Protection Rule received a long-awaited update from the U.S. Federal Trade Commission in mid-January, days before the end of the Biden administration. The FTC announced the final rule revising COPPA's implementing regulations on approximately the 12th anniversary of the last update in 2013.

The amended COPPA Rule takes effect 60 days after publication in the Federal Register.

Though the timing of the final rule is uncertain following the Trump administration's stay of new regulations, the FTC adopted the final rule on a bipartisan, unanimous basis, with new Chair Andrew Ferguson supporting the improved "data privacy and security protections for children" and reminding the public that the "amendments to the old COPPA Rule are the culmination of a bipartisan effort initiated when President Trump was last in office."

Although the final rule's publication may be delayed and deadlines may shift, companies should plan compliance strategies now. There are five key areas to focus on.

1. Separate consent for third-party "non-integral" disclosures

COPPA has long required companies to obtain verifiable parental consent from parents before they can collect, use, and disclose children's personal information. The final rule requires companies to "give the parent the option to consent to the collection and use of the child’s personal information without consenting to disclosure of … personal information to third parties, unless such disclosure is integral to the website or online service." Verifiable parental consent for such disclosure must be obtained separately.

The FTC explained "a separate consent requirement for non-integral disclosures to third parties, such as for third-party advertising, enhances transparency and enables parents to make more deliberate and meaningful choices." But questions remain; what is an integral disclosure? Who is a third party? How does this disclosure interplay with existing COPPA exceptions?