Companies are bracing for heightened scrutiny of their privacy policies and vendor relationships as the Federal Trade Commission begins enforcing updates to its key online child safety regulation.
The updates—the first to the Children’s Online Privacy Protection Act rule since 2013—took effect last year, but the FTC gave companies until April 22 to come into compliance. Changes include a broader definition of personal information, like biometric identifiers and government-issued IDs. The FTC also requires companies to establish and maintain a data retention policy for children’s data.
“I think that the fact the rule has been out there and companies have had a longer time to come into compliance will factor into how quickly the FTC will take action,” said Monique Bhargava, a partner at Reed Smith. “Now they’re signaling, ‘Yes, we’re looking, we’re prepared to take action.’”
The FTC hammered home its focus on children’s privacy during a recent oversight hearing with Chair Andrew Ferguson and Commissioner Mark Meador, as well as within its 2026-2030 strategic plan.
“We continue to make COPPA Enforcement one of our principal priorities,” Ferguson told the Senate Commerce Committee.
The agency hasn’t been shy about bringing COPPA enforcement actions under Ferguson, including a $10 million settlement with Disney. And attorneys think the agency is likely to go full-throttle cracking down on new violations as well.
The first place the agency will be looking is at companies’ privacy policies, privacy professionals advising companies said.
“That’s the highest risk thing. It’s the lowest hanging fruit,” said Amy Lawrence, chief privacy officer and head of legal at marketing technology company SuperAwesome. Other violations would take deeper investigations from regulators, she said.
Lawrence’s process to make her company compliant with the new standards included auditing its information security program and updating its privacy policy.
Third-Party Risk
Companies’ relationships with third-party vendors are also an area of increased risk. The updated COPPA rule requires companies to disclose the identities of third-party vendors to parents and obtain parental consent before sharing children’s data. Businesses need to understand how service providers handle children’s data, particularly when vendors perform analytics, advertising, or parental consent functions, said Dona Fraser, senior vice president of privacy initiatives at BBB National Programs.
Both the company collecting the data and the third party can face liability under COPPA if children’s information is mishandled, making vendor oversight and contract review critical compliance steps.
“That’s how a lot of first parties get in trouble—by not knowing exactly what their third parties are doing, not reviewing and assessing those contracts, and not ensuring that vendors are operating in compliance with COPPA,” said Fraser, whose organization offers an FTC-approved safe harbor for compliance.
The FTC is also expected to home in on whether companies have clear mechanisms for tracking parental consent. The regulation no longer allows for bundled consent and requires separate consent for each new third-party data sharing agreement.
“They’re really emphasizing that they want parents to have greater, separate control over disclosures like advertising,” said Shelby Dolen, an associate at Troutman Pepper Locke.
Companies should make sure consent is documented, revocable, and easy for parents to manage to avoid scrutiny under the updated regulation, Fraser said.
The FTC has also indicated more updates to the rule are in the works. The agency issued a policy statement in February that it won’t bring enforcement actions against companies collecting kids’ data without parental consent for the sole purpose of using age verification technologies.
The policy makes it easier for companies to use the technology and to have a more precise idea of which audiences their service is reaching, which is crucial to compliance with the kids’ privacy law, said Lawrence.
Eye on States
The FTC isn’t the only enforcer companies are keeping an eye on. State attorneys general also have authority to enforce COPPA and have brought lawsuits under the statute.
“The big takeaway is that state attorneys general have that ability, so companies should be prepared for enforcement there as well,” Dolen said.
But being COPPA-compliant isn’t enough to avoid state scrutiny. Companies should be aware of a patchwork of state laws that protect kids over 13, require identity verification for some platforms, and impose additional data minimization practices, including Maryland’s privacy law.
“States have moved past COPPA in a lot of ways,” said Lawrence.
