Dive Brief:
- Updates to the Children’s Online Privacy Protection Rule are to take effect on June 23, but companies have until April 22, 2026, to fully comply, according to the amended final rule published by the Federal Trade Commission earlier this week.
- It remained unclear for months when — or if — the expanded COPPA Rule would go into effect after the FTC announced the finalized changes in January, just four days before President Donald Trump would be inaugurated.
- Though the Children’s Online Privacy Protection Act itself does not explicitly mention schools, the updated rule will impact how K-12 leaders interact with ed tech companies, according to student data privacy experts.
Dive Insight:
COPPA is a 26-year-old federal law that gives parents control over the data that websites can collect from children ages 13 or younger. Its regulations and enforcement are overseen by the FTC, which is required by law to review the COPPA Rule every five years.
One of the key changes in the latest COPPA Rule is that companies must obtain parental consent before using children’s data for targeted advertising or disclosing their information to third parties, according to the April 22 notice published in the Federal Register. However, school districts are still allowed to give consent to ed tech companies in lieu of parental consent as long as that data is solely used for educational purposes and not commercially.
Schools should expect to see more transparency from ed tech companies, given that they are required under the new COPPA Rule to provide a direct notice to parents — or in this case school districts — about how they plan to collect and use children’s data upon receiving consent.
The new rule also states that companies must put limits on retaining children’s data and cannot hold onto it indefinitely. Though the FTC did not specify a duration, it said companies can retain data “for only as long as is reasonably necessary to fulfill the specific purpose(s) for which the information was collected.”
In another update, companies collecting children’s data have to bolster cybersecurity plans by, for instance, conducting annual risk assessments and implementing safeguards to protect children’s sensitive information.
The FTC also expanded its definition of any collected “personal information” to include biometric data such as facial recognition or fingerprints. Online contact information and government-issued IDs like Social Security numbers are also now considered personal information.
The updates come as companies increasingly try to profit off children’s data, the FTC said when announcing the finalized changes to the COPPA Rule in January.
The new requirements also come as ed tech companies like PowerSchool have been targeted this year by cybersecurity incidents that have led to mass breaches of sensitive student data.
Dive Awards
