
What retailers need to know about the amended COPPA Rule

Recent changes to the FTC’s Children’s Online Privacy Protection Act Rule (COPPA Rule) will require brands to consider new strategies when marketing offers that may be appealing to children under the age of 13. The amended COPPA Rule takes effect on April 24, 2025, and introduces stricter definitions and requirements that may impact online retail businesses (Amended Rule). The text of the Amended Rule is available on the Federal Register website. Below, we break down four key areas of the Amended Rule that will require retailers to amend their practices when digitally marketing content that could be appealing to children: (1) the updated “child-directed” criteria; (2) the new “mixed-audience” definition; (3) the two-step parental consent for targeted ads; and (4) the updated requirements for the privacy notice. We also discuss important exemptions to the COPPA Rule for retailers and provide practical steps for adapting to these changes.
 

1. Broader criteria for child-directed websites and content. The Amended Rule broadens the definition of what is considered a “website or online service directed to children.” In determining whether a site is child-directed, the FTC will still look at traditional factors (subject matter, visual content, use of animated characters, child-oriented activities, music, language, etc.). But new criteria have been added in the Amended Rule that will require businesses to take a more holistic view of marketing practices, content, and the brand’s audience.

Specifically, the Amended Rule has added the following considerations:

  • Marketing and promotional materials or plans: Marketing and advertising strategies and content are now factors in determining whether a brand is directed to children. For example, if a retailer runs ads for its website during Saturday morning cartoons, promotes products using influencers who are popular with children, or designs an engaging holiday campaign with the Easter bunny delivering treats, those actions may indicate a child-directed intent.
  • User or third-party reviews: Reviews and comments concerning a retailer’s digital offerings that mention its appeal to children may now be considered as a factor in determining whether a brand’s products or services are child-directed. For instance, a consumer review stating “my 10-year-old loves this app” or “I gave this to my 10-year-old grandson and he uses it every day!” could contribute to a child-directed classification.
  • Audience composition of similar or competitor services: The Amended Rule now formalizes the fact that the FTC can look at the demographics of the users on competitors’ websites or services. If your competitors or others in your niche have large child audiences, the FTC can use this factor in finding that your products and services are also attractive to children and therefore should have an age-gate or restrictions on the personal information that is collected.

2. New mixed-audience definition and age screening requirements. Under the Amended Rule, the FTC has formally introduced a definition for “mixed audience websites or online services.” A mixed-audience site or service is a sub-category of sites that are directed toward children but do not target children as the primary audience. This means the website or service has content that is appealing to children but also has content that is aimed specifically at older teens or adults. Crucially, the Amended Rule requires mixed-audience websites and services to implement age screening before collecting any personal information from consumers unless the personal information is subject to an exception as described in section 312.5(c) of the COPPA Rule.

The COPPA Rule provides eight different exceptions to the requirement of parental consent. These exceptions are narrowly viewed by the FTC and should be relied upon only with coordination among marketing, legal, and IT. Of these, there are a few exceptions that will be most relevant for retailers.

  1. Support for internal operations: Parental consent is not needed when a retailer collects persistent identifiers to enable “support for internal operations.” Specifically, brands may collect a persistent identifier – provided that they collect no other personal information – without first obtaining parental consent so long as the persistent identifier is used for internal purposes. The internal purposes are defined by the COPPA Rule and include the following services: maintaining and improving the functionality of the site or app; serving contextual advertisements; performing network communications; authenticating users of, or personalizing content on, the website or service; or maintaining site security.
     
  2. One-time contact exception: The one-time contact exception allows a retailer to collect a child’s online contact information to respond directly to a single request – and then delete it – without obtaining parental consent prior to responding. For example, if a child emails with a product question, such as “When will this baseball bat be released?!” the brand may respond to the question one time but must delete the child’s personal information after the response.


It is important for retailers to carefully consider the applicability of the exceptions to the COPPA Rule. Under the Amended Rule, website operators are required to specify in a privacy notice where personal information is collected pursuant to one of the eight delineated exceptions. If relying on the support for internal operations exception, the operator must identify the specific internal operations the personal information is required to support. For retailers, the strategy should be to use these exemptions to enable common-sense interactions.

3. Two-step parental consent for targeted advertising. One of the most significant amendments to the COPPA Rule is the requirement of separate parental consent for certain data disclosures. Under the original COPPA Rule, a parent’s singular consent would allow for the brand’s collection, use, and sharing of a child’s information. But now, the Amended Rule requires retailers to unbundle this consent, mandating an additional layer of consent before the company can share a child’s personal information with third parties for purposes that are not integral to the website or online service. This means, for example, that a disclosure for the fulfillment of a prize in a promotion or to a third party hosting a promotion with an influencer may require an additional layer of parental consent.
 

4. Update privacy notices. Finally, the Amended Rule requires retailers to delineate in their privacy notices the identities and specific categories of third parties that receive a child’s personal information. In addition, in the privacy notice, the retailer must explain the purpose for the disclosure and must state that the parent can consent to the use of the child’s personal information without consenting to the disclosure of the personal information to a third party (unless, of course, it is integral to the website or service). This will require retailers to review the personal information that is collected from children, to consider when and why that personal information is disclosed to third parties, and to update their privacy policies to address these elements.

5. Practical considerations.

Retail businesses should proactively consider assessing their COPPA compliance posture and addressing any relevant gaps prior to the Amended Rule taking effect on April 24 of this year. Below are some practical matters that retailers should consider in conducting an assessment.

  • Consider marketing strategies. Legal teams should meet with marketing teams to understand the plan for promotion of a product or service, as marketing plans will now be determinative as to whether a brand is child-directed.
  • Perform a content audit for kid appeal. Retailers should review websites, mobile apps, promotions and loyalty programs, and social media platforms and engagements to identify content that might be particularly appealing to children and determine what data is collected.
  • Assess your audience data. Use analytics to understand the age demographics for your brand, and also keep an eye on competitors and whether they use age gates.
  • Train your team and update documentation. Ensure that your content creators, web designers, and marketing teams are all aware of the broadened COPPA criteria.
  • Implement age screening early. For platforms that have content or marketing that may be child-directed, develop a plan for implementing age-screening steps in sign-up flows for accounts and loyalty programs.
  • Offer a no-data experience for kids. Consider providing an alternative experience for users who do not pass the age-screening step, such as providing a “read-only” experience that allows users to view product listings, but prevents account sign-ups or checkouts.
  • Audit your data flows. Map out all instances where your retail business discloses data about children to any third party and ensure that proper guardrails are in place to limit targeted advertising to children or implement robust notice and consent mechanisms.
  • Update your privacy policy. Revise your privacy policy to include additional disclosures related to collection of personal information subject to an exception, and identify the categories of third parties to whom children’s personal information may be disclosed.
  • Focus on contextual and first-party marketing. Shift your strategy toward contextual advertising and first-party marketing content for child users. Under the “support for internal operations” exception (as discussed above), retailers may collect persistent identifiers (such as IP addresses) from a child to serve contextual advertisements without obtaining verifiable parental consent.
