September is off to a busy start for the Federal Trade Commission (FTC) with two Children’s Online Privacy Protection Rule (COPPA Rule) cases involving Disney and Apitor Technology announced within two days. With these actions, the FTC is making good on Chairman Andrew Ferguson’s day-one promise that protecting children’s privacy online would be a top priority. Here’s what to know.

Key takeaways:

• Protecting children’s privacy is a key priority for the Trump-Vance FTC, and the agency won’t shy away from aggressive enforcement actions against large businesses.
• COPPA Rule violations can be costly. The FTC can seek civil penalties of up to $53,088 per violation per day, in addition to equitable monetary relief for injured consumers.
• Marketers should take the announcement of these two cases as a timely reminder to ensure they’re complying with the recent updates to the COPPA Rule.

The updated COPPA Rule is in full effect, and the FTC is on the beat. 

Although there was some question what would happen with updates to the COPPA Rule announced under the previous administration, the final rule went into effect as planned on June 23, 2025, and the FTC is wasting no time in enforcing it. Before diving into the enforcement actions, it’s worthwhile to step back for a little refresher on the COPPA Rule and what’s new.

At the heart of the COPPA Rule are requirements that covered operators (1) provide clear, direct notice to parents of the information they collect from children, how they use it, and how and to whom they may disclose it and (2) get parents’ verifiable consent before they collect, use, or disclose children’s information. The latest updates keep these basic requirements in place.

However, they include several clarifications and a few new requirements. First, it’s now clear that the COPPA Rule applies to the collection of biometric and government-issued identifiers. There’s also enhanced clarity on what the FTC considers a covered “mixed audience” website. Additionally, the updated COPPA Rule now places limits on the length of time operators can retain the data they collect. And it requires operators to get separate, verifiable parental consent before disclosing children’s personal information to third parties for targeted advertising or other purposes, which is important to the recent round of enforcement actions.

The FTC alleges certain videos Disney uploaded to a third-party platform were not marked as made for kids, which resulted in collection and sharing of children’s personal information without parental notice or consent. 

On September 2, the FTC announced a $10 million settlement with Disney. The crux of the complaint is the FTC’s allegation that Disney did not notify a third-party platform that certain videos it uploaded were child-directed. Specifically, the FTC claims that because Disney didn’t select a “made for kids” designation, the platform didn’t apply built-in settings to ensure child-directed channels complied with COPPA.

The proposed settlement, filed by the Department of Justice (DOJ) on the FTC’s behalf, specifies that Disney neither admits nor denies the allegations of the complaint. In addition to the civil penalty, it contains requirements that Disney comply with COPPA and establish a 10-year “Audience Designation Program” to review whether each video Disney uploads is a child-directed video and to ensure that such videos are designated appropriately. Disney is required to review the efficacy of this program annually.

Chairman Ferguson issued a separate statement in this matter highlighting the agency’s commitment to COPPA enforcement. The statement also acknowledged that the Audience Designation Program is burdensome, and explained that the order allows for relief if technology advances. Specifically, it permits Disney to phase the program out if the platform implements, and Disney uses, “age assurance technology that can ensure COPPA compliance.”

The FTC alleges Apitor collected and shared children’s geolocation data with a Chinese third party without parental notice or consent.

On September 3, the FTC announced an action against Apitor Technology alleging the company collected geolocation data of children under 13 through its Android app without providing notice of the data it collected, and without getting verifiable parental consent prior to collection.

In a nutshell, Apitor sold a robot toy that children could program and control through an app. Although the toy was designed for children and required users to download an app with location information permissions enabled, the FTC alleges that at no point during the download and registration process did Apitor prompt users to provide verifiable parental consent to the collection of geolocation information. 

Although not explicit, the complaint strongly implies that this was particularly problematic because the app had a software development kit called JPush integrated into it. JPush, the FTC alleges, is offered by a Chinese mobile developer and analytics provider that collects and uses location data for advertising purposes and shares such data with third parties. There is no specific count tied to this relationship, but the FTC highlighted it in the press release.

The proposed settlement, which the DOJ filed on the FTC’s behalf, specifies that Apitor neither admits nor denies the allegations of the complaint. It requires Apitor to comply with COPPA and take steps to correct the alleged past violations. It also contains a $500,000 civil penalty, which is suspended based on Apitor’s inability to pay. That means that if Apitor told the truth in sworn financial statements submitted to the FTC, it won’t ever have to make any payments in connection with this action.

Practical guidance:

Although these cases demonstrate the FTC is serious about the COPPA Rule and won’t hesitate to enforce it, companies with strong COPPA compliance programs won’t find much to worry about. If you offer a child-directed website or service or a “mixed audience” website – or know that children under 13 use your website or service – here are a few tips:

• Provide clear notice on your website or online service of the information you collect from children, how you use it, and how and to whom you may disclose it.
• Get verifiable parental consent before you collect, use, or disclose a child’s personal information.
• Make sure you have a reasonable way for parents to review the personal information you collect, and give them an opportunity to refuse to permit you to use or keep it.
• Review the necessary disclosures and prompts on your website or online service to ensure they are understandable to children.
• Don’t collect more information from children than you really need.
• Have reasonable procedures in place to protect children’s personal information.
• If you’re uploading materials to third-party sites, be sure to review and select settings that accurately describe your content so the third party can apply appropriate default controls.
• If you incorporate third party software development kits into your site or service, make sure you confirm they comply with COPPA. Be sure to understand how they operate and the privacy policies they employ.
• Consider using reliable age assurance technologies to identify users’ ages. According to the FTC, such technologies can “ease the burden on parents, allow kids to have an age-appropriate experience online, and protect kids from harmful content online.”

Last but not least, we can help. If you have any questions, reach out to any of the authors of this article, or your Reed Smith contact.