The Federal Trade Commission (FTC), the nation’s primary consumer protection agency, has finalized significant updates to the Children’s Online Privacy Protection Rule (COPPA), a federal law designed to protect the personal data of children under age 13.
The amended rule, released in 2024, will take effect June 23, 2025, with a compliance deadline of April 22, 2026.
What Is COPPA?
COPPA is a federal law that gives parents control over information that websites and online services collect from children under 13. The latest amendments mark the most significant changes since 2013 and are aimed at addressing concerns about data monetization, targeted advertising and cybersecurity, especially in educational settings.
The FTC is an independent federal agency whose mission is to promote competition and protect consumers. One of the FTC’s core responsibilities is enforcing rules and regulations that prohibit deceptive, unfair, or unsafe business practices including those involving data privacy. FTC rules are legally binding requirements, and violations can result in penalties, injunctions, or enforcement actions.
What Is the New Rule?
The updated COPPA Rule enhances protections for children’s online data in several key ways:
• Parental Consent for Targeted Advertising: Operators of websites and online services must now obtain separate verifiable parental consent before disclosing a child’s personal information to third parties for purposes such as targeted advertising or commercial profiling.
• Expanded Definition of Personal Information: The rule now includes biometric data (e.g., facial recognition) and government-issued identification numbers within its scope of protected data.
• New Data Retention Limits: Companies may only retain children’s data for as long as reasonably necessary to fulfill the specific purpose it was collected. Indefinite retention is prohibited.
• Direct Notice Requirements: Companies must give clear notice to parents—or to schools acting on parents’ behalf—about what data is being collected and how it will be used.
• Data Security Enhancements: Covered operators must implement stronger data protection measures, including annual risk assessments and safeguards for sensitive information.
• Safe Harbor Program Transparency: FTC-approved COPPA Safe Harbor programs must now publicly disclose membership lists and report additional compliance information.
How Does This Affect School Districts?
While the FTC did not adopt proposed restrictions specific to educational technology, Districts remain directly impacted in several important ways:
Parental Consent vs. School Consent:
- Districts may still consent on behalf of parents for the use of educational technology only when the data is used strictly for educational purposes.
- If any data is used for advertising, analytics beyond the classroom, or shared with third parties for non-educational reasons, separate parental consent must be obtained.
New Notice Requirements:
- Districts should expect more detailed notices from technology providers outlining exactly what data is being collected, how it is used, how long it is retained, and with whom it is shared.
Due Diligence in Vendor Selection:
- Schools must ensure that education technology providers are in full compliance with the new data security and retention requirements.
- This includes reviewing vendor privacy policies, asking how student data is safeguarded, and confirming that companies are not retaining data beyond its instructional purpose.
Policy and Contract Updates:
- Contracts with third-party vendors may need to be revised to align with the new definitions of personal information, stricter data retention timelines, and consent procedures.
- Districts may consider updating internal policies to clarify how consent is handled and how vendor compliance is monitored.
Cybersecurity Preparedness:
- The rule is partly in response to recent data breaches involving ed tech companies. Schools should take this as a cue to review their own cybersecurity protocols, especially those involving cloud services and student information systems.
Bottom Line For Schools
Why does this matter? The FTC’s updated rule reflects growing concern over the ways companies collect, share, and monetize children’s data. As digital learning tools become more central to education, school districts are uniquely positioned to serve as gatekeepers of children’s online privacy.
By staying informed and proactive, school districts can ensure they are not only in legal compliance, but also upholding the trust of families who rely on them to protect their children’s information.
If your school has a question, please consult your local legal counsel or one of the Education attorneys at KingSpry.
School Law Bullets are a publication of KingSpry. They are meant to be informational and do not constitute legal advice. John E. Freund, III, Chair Emeritus of Education Law Practice Group is our editor.
