
Changes to COPPA: A Summary of the Practical Impacts on the Entertainment Industry

Authors: Sarah Bruno and Stuart Cobb

 

Last month, the Federal Trade Commission (FTC) announced the finalized amendments to the Children’s Online Privacy Protection Act (COPPA Rule). The COPPA Rule imposes certain requirements on operators of websites or online services that are directed to or otherwise collect personal information from children under the age of 13. The changes impact any platform that is directed to children under the age of 13, including entertainment and streaming services, shopping sites, social media platforms, gaming, and educational services as well as educators. For the purposes of this alert, we summarize the COPPA Rule amendments that impact entertainment, gaming, and streaming services (Entertainment Platform).  

1. “Directed toward children”

The FTC has offered some guidance about what factors it may consider when determining whether an Entertainment Platform is directed toward children. The revised definition of “websites or online services directed toward children” now includes additional types of evidence the FTC may consider, including marketing or promotional materials or plans; representations to consumers or third parties; reviews by users or third parties; and the audience composition of similar or competitive websites or services.

Practical considerations: the formal expansion of factors the FTC may consider in determining whether a site or service is directed toward children codifies factors previously cited in enforcement actions and informal guidance. The inclusion of audience composition of similar sites or services is significant, as operators must now assess competitors’ audiences when determining whether to implement age-screening measures or other proactive compliance steps. Operators should also consider the marketing materials they are sending to promotional partners and potential customers as these also may be determinative in deciding whether the services were directed to children. Additionally, operators should evaluate representations in their privacy policies regarding the intended audience and whether children under 13 are permitted to use the site or service. Simply stating that children are not permitted while employing marketing strategies targeting younger demographics may lead to COPPA compliance issues. Operators should ensure their terms of service require users to meet a minimum age requirement and enforce those terms as necessary.

2. “Mixed audience websites” 

The FTC has introduced a new definition for “mixed audience websites” under the amended COPPA rule. These are defined as “a website or online service that is directed to children…but that does not target children as its primary audience and does not collect personal information from any visitor, [except for personal information that may be collected subject to an applicable exception], prior to collecting age information or using another means…to determine whether the visitor is a child.”

Practical considerations: while the “mixed audience website” concept previously appeared in informal FTC guidance – the COPPA FAQs – its formal inclusion provides greater clarity regarding compliance obligations for websites that do not primarily target children but may still be considered “directed toward children.” Under the amended rule, mixed audience websites must implement age screening for all users before collecting personal information that is not subject to an exception (personal information collected for obtaining verifiable parental consent, supporting internal operations, etc.). Otherwise, the site may be subject to the more stringent requirements applicable to child-directed websites. Mixed audience websites may avoid the general rule that child-directed websites must treat all users as children if they obtain verifiable parental consent only for users who indicate they are under 13, provided they use a neutral method for determining a user's age. Businesses should review any websites or service elements that may appeal to children under 13 to determine whether proactive age screening could reduce compliance burdens.

3. New layer of consent

Under the amended COPPA Rule, operators must obtain an additional layer of consent before disclosing personal information to third parties (unless the disclosure is integral to the website or online service). The amended rule requires operators to identify the specific categories of third parties (including the public if making the personal information publicly available) and the purpose for the disclosure, should the parent provide their consent.

Practical considerations: under the current COPPA Rule, parental consent is bundled, allowing operators to obtain consent for “collection, use, and disclosure” simultaneously. The amended COPPA Rule complicates this framework, requiring a separate consent step for disclosures that are not integral to the operation of the website or service. Businesses subject to the COPPA Rule should assess relationships with vendors and service providers to ensure contractual terms align with these new restrictions. If a business discloses personal information (including persistent identifiers) collected from children for targeted advertising, it must ensure the two-step consent process is in place before engaging in such disclosures.

4. “Text message plus” consent option 

The COPPA Rule prescribes approved methods for obtaining verifiable parental consent before collecting children’s personal information. The FTC has added additional methods for operators to obtain verifiable parental consent. “Text message plus” mirrors the existing “email plus” option and allows a website operator to request parental consent via text message and take additional steps to verify the recipient is the parent (e.g., sending a confirmatory follow-up message). Operators using this method must enable parents to revoke consent via text message. Operators may also use a knowledge-based authentication, where the operator provides dynamic multiple-choice questions that are of sufficient difficulty that a child aged 12 or younger could not reasonably ascertain the answers and enough possible answers that the probability of guessing the correct answer is low. Finally, operators are permitted to collect consent and verify the person providing consent is the parent by collecting an image of a government-issued identification and comparing it against an image of the parent’s face using facial recognition technology. 

Practical considerations: the FTC is increasing flexibility in obtaining parental consent, and in some instances, “text message plus” may be preferable to “email plus.” Text messages may be more accessible to parents, providing a faster and more convenient means of responding to consent requests. Additionally, short codes’ widespread availability makes text messaging a practical consent method for operators. Operators should still consider the requirements of the Telephone Consumer Protection Act when sending text messages. Although the knowledge-based authentication method may be easier to implement practically than some of the other methods allowed under the rule, operators should carefully evaluate the requirements of the rule (i.e., multiple questions; enough choices that it would be difficult to guess the right answer; and the questions are too difficult for a 12-year-old to reasonably determine the correct answer) and consider the difficulties in designing such a process that would pass muster under close FTC scrutiny. Additionally, knowledge-based authentication may degrade user experience if the questions are too difficult because some parents may not be able to determine the correct answer. Finally, note that the photo identification method requires collection of sensitive information to authenticate the parent’s identity (e.g., facial geometry, government-issued identification documents). Operators should consider the implications of collecting this information under other state privacy laws such as the Illinois Biometric Information Privacy Act, which requires specific disclosures regarding the collection of facial geometry data, and state consumer privacy laws, which may provide additional restrictions on the collection of sensitive personal information.

5. Exceptions to consent

Under the amended COPPA Rule, parental consent is not required if an operator collects an audio file containing the child’s voice, and no other personal information, for use in responding to a client’s specific request so long as the information is not used for any other purpose, is not disclosed, and is deleted immediately after responding to the child’s request.  

Practical considerations: businesses that provide this option to children should confirm they fall within this exception and ensure their privacy notice includes the appropriate description of the use, and its purpose and retention, in line with the notice requirements delineated by the COPPA Rule.

6. “Personal information” 

The FTC expanded the definition of personal information in the COPPA Rule to include any government identifier (Social Security number, passport number, etc.) and biometric information “that can be used for automated or semi-automated recognition.”

Practical considerations: The expanded definition limits operators’ ability to use certain authentication and age-verification technologies without first obtaining verifiable parental consent. Some businesses employ age-verification technologies that analyze facial geometry to estimate a user’s age. Because the broad definition of biometric information includes any data that can be used to identify an individual (even if an operator does not use it for that purpose), age-verification technology screening for users under 13 may be prohibited unless the operator first obtains verifiable parental consent.

7. Privacy notice

The amended COPPA Rule now includes the requirement that privacy notices include the identities and specific categories of any third parties to which an operator discloses personal information, and the purposes for such disclosures, as well as the operator’s data retention policy. In addition, the privacy notice must now identify the specific internal operations for which the operator has collected a persistent identifier and the means the operator uses to ensure that such an identifier is not used or disclosed to contact an individual, including through behavioral advertising, to amass a profile on a specific individual or for any other purpose (except providing support for internal operations).

Practical considerations: Businesses should revisit their privacy policies and confirm that these disclosures are included. Also, a routine audit for the use of personal identifiers is always recommended, but given these disclosure requirements, it should be mandated to ensure the policy remains accurate.

8. Data retention requirements

The amended COPPA Rule prohibits operators from retaining children’s personal information for secondary purposes unrelated to the original collection purpose or retaining it indefinitely. Operators collecting personal information from children must implement a data retention policy specifying retention periods for such data.

Practical considerations: Operators should consider the disclosed purposes for collecting children’s personal information to ensure that anticipated uses align with such purposes. Businesses subject to COPPA should also review existing data retention policies to ensure that children’s personal information is specifically addressed and consider documenting the business justifications for retaining a child’s personal information for any given period. The FTC noted that compliance with this part of the COPPA Rule may be achieved by providing a written data retention policy that encompasses children’s personal information and otherwise meets the requirements. 

9. Written information security program 

The amended COPPA Rule mandates that operators establish, implement, and maintain a written information security program with safeguards to protect children’s personal information. The program must undergo annual assessments and be updated to address identified risks. Operators must also conduct due diligence on third parties receiving children’s personal information to assess their security practices.

Practical considerations: These requirements are generally similar to the requirement to provide reasonable security measures and contractually obligate third parties to provide symmetrical security measures under state consumer privacy laws. Operators should consider existing security programs and make plans to conduct annual assessments and reviews, to the extent these are not already in place. Additionally, operators should add COPPA-related risks to their third-party risk management matrices to ensure proper diligence and oversight are being conducted. 

10. “Avatars” 

The FTC declined to include “Avatars generated from a child’s image” in the definition of personal information. 

Practical considerations: If a website or online service allows users to create avatars (e.g., video game avatars, avatar profile pictures), the FTC has clarified that the mere creation of avatars (without combining them with other personal information collected from a child) does not trigger COPPA’s parental consent requirements. This has long been an area of ambiguity, and the FTC provided some much-needed clarity in this area.

 
