What the New COPPA Rule Means for Kids’ Data Privacy 2025

In January 2025, the Federal Trade Commission (FTC) finalized major updates to the Children’s Online Privacy Protection Rule (COPPA), introducing the most substantial changes to the regulation in over a decade. The new rule reflects growing concerns over how companies collect, use, and profit from children’s data, and imposes stricter limits on those practices.

The changes shift the emphasis from placing the burden on parents to protect their children’s privacy to holding companies directly responsible for how they handle data from users under 13.

Key Changes Under the New Rule

The FTC’s updated rule includes several new restrictions and requirements that will significantly impact how online services operate in child-focused spaces.

1. Tighter Limits on Data Use and Monetization
   Companies can no longer use children’s data for targeted advertising, even with parental consent. Behavioral profiling is effectively prohibited. The rule makes it clear that monetizing kids’ personal information is not an acceptable trade-off for access to digital services.
2. Stronger Data Minimization Standards
   Services must now collect only the data necessary to provide a specific activity or feature. The practice of gathering broad sets of user data for possible future use is no longer allowed under COPPA.
3. Increased Oversight on Third Parties
   Companies are now responsible not only for their own data practices but also for how third-party partners handle children’s data. Any analytics, advertising, or backend services used in a child-directed product must also meet COPPA’s stricter standards.
4. Revised Guidelines for EdTech
   For educational technology platforms, the rule clarifies that schools can consent to data collection on behalf of students, but only for educational purposes. Companies cannot use student data for marketing, profiling, or unrelated product development.
5. Enhanced Data Security Requirements
   The updated rule requires stronger protections for children’s data. Companies must implement robust safeguards and regularly assess and update their security practices.

Implications for the Industry

The impact of the new COPPA rule will be wide-ranging, particularly for app developers, gaming platforms, content creators, and edtech providers. Businesses that previously relied on ad-based revenue models tied to behavioral data will need to rethink their strategies or avoid the under-13 market altogether.

Services directed at general audiences may also be affected if they knowingly attract younger users. The distinction between general and child-directed content is narrowing, and the FTC is expected to pursue enforcement more aggressively.

Broader Context

The FTC’s revisions bring COPPA closer in line with international privacy frameworks such as the EU’s General Data Protection Regulation (GDPR) and the UK’s Age Appropriate Design Code. This reflects a broader global movement toward stronger protections for children in digital spaces.

With these changes, the United States takes a significant step in redefining digital rights for children, recognizing them as individuals entitled to specific and enforceable privacy protections.