US COPPA: FTC Updated Children’s Online Privacy Rules for EdTech Companies

The U.S. Federal Trade Commission (FTC) is revising the Children’s Online Privacy Protection Act (COPPA) rule to strengthen protections for children’s online data privacy. These changes are particularly impactful for the educational technology (EdTech) sector, which now faces new compliance challenges.

The COPPA Rule Revisions

On 16th Jan 2025, the final COPPA Rule was unveiled. The revised rule is designed to address advancements in technology, including:

Mandatory Parental Opt-In for Data Sharing

Companies must now get explicit and verifiable parental consent before sharing children’s personal information with third parties for purposes such as targeted advertising.

Data Retention Limitations

The new rules state that children's data can only be kept for as long as necessary to achieve the specific purpose for which it was collected. Companies are not allowed to retain this data indefinitely to ensure that information is not stored beyond its intended purpose.

Expanded Definition of Personal Information

The FTC has expanded its definition of "personal information" to include biometric and government-issued identifiers. The expansion covers newer forms of data collection such as fingerprints, retinal patterns, and facial templates, reflecting technological advances since the last update.

Enhanced Transparency for Safe Harbor Programs

FTC-approved Safe Harbor programs must now disclose their membership lists and report additional information to the FTC, designed to increase accountability and provide greater transparency around compliance with COPPA guidelines.

This shift places new obligations on EdTech providers, especially concerning how they collect, store, and process children’s personal information.

How EdTech Companies Can Prepare

The FTC’s recent revisions to the Children’s Privacy Protection Act have placed new burdens on EdTech companies, requiring them to rethink how they collect, process, and store children’s personal information. Compliance is now even more complex, with EdTech companies needing to revisit and redesign their data collection practices, advertising strategies, and backend systems to comply with the stricter requirements.

For smaller EdTech businesses, these changes can put a strain on resources, as additional financial and technological investments are required to remain compliant. Additionally, the inclusion of new data categories, such as biometric identifiers and government-issued IDs, requires enhanced data security measures, adding operational complexity.

As the FTC steps up its scrutiny of children’s privacy, companies face heightened liability and the imminent risk of audits or legal enforcement. Failure to comply not only risks significant fines, but also damages brand reputation and erodes user trust.

About UniConsent

UniConsent is a part of Transfon's privacy-first User Experience Platform, serving tens of millions of users daily to provide a seamless privacy experience for both users and publishers in the age of post-GDPR. Contact us to learn more: hello@uniconsent.com