The FTC's updated COPPA rule takes effect April 22, 2025. If your business collects data from children under 13 — or might unknowingly — there are specific changes that affect how you obtain consent, retain data, and respond to deletion requests.
This isn't a rule change that only affects toy companies and gaming apps. It affects any business with a website, mobile app, or digital service that could attract users under 13 — even if that's not your target audience.
What Changed
The original COPPA rule dates to 1998. The updated rule modernizes several key requirements:
- Stronger consent standards. Verifiable parental consent must now be more robust. Email-plus confirmation (the old standard) no longer suffices for most data uses.
- Data minimization. You can only collect personal information from children that is reasonably necessary for the specific purpose disclosed to parents.
- Retention limits. You must delete children's data when it's no longer needed for the purpose it was collected. The rule now requires you to have a defined retention policy.
- EdTech carve-outs tightened. Schools can authorize data collection on behalf of parents for educational purposes — but the operator cannot use that data for commercial purposes.
- Push notification consent. Sending push notifications to children now requires separate parental consent.
Key deadline: April 22, 2025. Operators that fail to comply after this date face civil penalties of up to $51,744 per violation per day.
Does COPPA Apply to Your Business?
COPPA applies if your website or online service is directed to children or if you have actual knowledge that you are collecting personal information from children under 13. Courts and the FTC use a multi-factor test to determine whether a service is "directed to children" — including subject matter, visual content, use of animated characters, music, and the age of models featured in advertising.
This is where many SMBs get caught. A local pediatric dental practice, a children's tutoring service, a youth sports league registration platform — all of these are likely covered. So is any app or site with broad appeal that doesn't have age-gating in place.
What You Need to Do Before April 22
- Audit your audience. Review your analytics. If any portion of your user base is under 13, COPPA likely applies.
- Update your privacy policy. Your policy must specifically address children's data, including what you collect, how you use it, and how parents can review and delete it.
- Implement or upgrade consent mechanisms. If you collect data from children, you need verifiable parental consent before collection — not after.
- Set retention policies. Define how long you keep children's data and when it gets deleted. Document it.
- Train your team. Anyone who handles customer data or manages your platform needs to understand what COPPA requires.
The Bottom Line
COPPA violations are among the FTC's most actively enforced privacy actions. The agency has collected hundreds of millions in penalties from companies ranging from TikTok to small app developers. April 22 is not a soft deadline.
If you're unsure whether COPPA applies to your business, the safer assumption is that it does. A brief compliance review now is significantly less expensive than an FTC investigation later.