COPPA's 2025 Amendments: What Actually Changed and What EdTech Operators Must Audit Now
The FTC's 2025 COPPA Rule amendments took effect April 22, 2026. Two changes operators missed: biometric identifiers are now personal information, and separate consent is required for disclosing children's data to advertisers. Here's what to audit.
What the FTC Changed and Why — The 2025 COPPA Rule Amendments in Context
The FTC's 2025 COPPA Rule amendments did not arrive overnight. The rulemaking arc began in July 2019, when the Commission published a Notice of Inquiry seeking comment on the Rule's application to the EdTech sector, voice-enabled connected devices, and general audience platforms hosting third-party child-directed content. The response was substantial — more than 175,000 comments. A January 2024 NPRM generated another 279. Six years after that first NOI, the FTC finalized amendments to 16 CFR Part 312 on January 16, 2025, publishing them in the Federal Register on April 22, 2025, under docket number 2025-05904.
The compliance deadline was April 22, 2026 — 365 days from Federal Register publication. That deadline has now passed. Operators who have not implemented the required changes are operating in enforcement exposure, not compliance runway.
The FTC's stated purpose was to "strengthen protection of personal information collected from children, and, where appropriate, to clarify and streamline the Rule since it was last amended in January 2013." That thirteen-year gap matters. The 2013 Rule predates widespread use of voice interfaces, facial recognition in classrooms, behavioral advertising infrastructure targeting minors, and the constellation of third-party data brokers now integrated into most digital products. The 2025 amendments address all of it.
The structural changes are substantive across multiple Rule provisions:
- Definitions: A new standalone definition for "mixed audience website or online service"; mobile telephone numbers added to "online contact information"; government-issued identifiers and biometric identifiers added to "personal information"; clarified "support for internal operations" definition
- Consent: Separate verifiable parental consent required for disclosures to third parties for targeted advertising or AI training
- Data retention: New written retention policy requirement with prescribed elements and a "reasonably necessary" standard
- Safe Harbor: New transparency and disclosure obligations for FTC-approved Safe Harbor programs
The rest of this article walks through each change in detail and identifies the specific compliance actions EdTech operators need to complete now that the deadline has elapsed. The COPPA Rule — codified at 15 U.S.C. § 6501 et seq. and implementing regulations at 16 CFR Part 312 — requires operators of websites or online services directed to children under 13, or with actual knowledge of collection from children, to provide direct and online notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information.
The EdTech School Authorization Exception — What Schools Can (and Can't) Authorize
EdTech operators expecting a codified school authorization exception from the 2025 COPPA Rule amendments did not get one. The FTC proposed it in the January 2024 NPRM — including new definitions of "School" and "School-authorized education purpose," provisions governing data collection from children in school environments, and a formal school authorization exception to the verifiable parental consent requirement. None of those provisions made it into the final rule.
The FTC's explanation was direct: "To avoid making amendments to the COPPA Rule that may conflict with potential amendments to DOE's FERPA regulations, the Commission is not finalizing the proposed amendments to the Rule related to ed tech and the role of schools at this time." The Department of Education had signaled in Fall 2024 its intention to propose FERPA amendments at 34 CFR 99 addressing non-consensual disclosures of personally identifiable information from education records. The FTC declined to codify a school consent framework that might collide with whatever DOE ultimately produces.
What this means for EdTech operators: the operative compliance reference for school-authorized data collection is not the CFR — it is FTC guidance. The Commission stated it "will continue to enforce COPPA in the ed tech context consistent with its existing guidance." That existing guidance — principally the FTC's May 2022 Policy Statement on EdTech and COPPA — permits schools to provide COPPA consent in lieu of parents, but only for services used solely for educational purposes, only for data limited to those purposes, and only where the school controls the operator's use of the data.
The compliance risk from this outcome is structural. Operators who rely on school authorization have no CFR provision to point to as a safe harbor. Enforcement is fully discretionary, and the FTC's tolerance of the school consent framework has never been codified into a regulation with the procedural weight that entails. If the FTC modifies its enforcement posture through a new guidance document — or brings an enforcement action against an EdTech operator on the theory that a given data practice exceeded what the school could authorize — there is no regulatory text to contest.
The practical compliance action: review any school data processing agreement or authorization mechanism against the FTC's existing EdTech guidance, not a proposed regulation that was never adopted. FERPA/COPPA alignment remains an open regulatory question; EdTech operators should not build product architecture around a safe harbor that does not yet exist in the CFR.
New Consent Requirements — Biometrics, Mobile Numbers, and Targeted Advertising
The 2025 COPPA amendments did not create a tiered consent regime triggered by specific data types. There is no new separate consent requirement for push notifications — the FTC declined to adopt one, citing First Amendment concerns and statutory inconsistencies, though it stated it "remains deeply concerned" about engagement-enhancing techniques and will pursue them through Section 5 of the FTC Act. Geolocation information identifying a child's street name and city or town has been personal information under COPPA since 2013 and was not modified. Neither data type now carries a standalone consent trigger it did not carry before.
Three things actually changed, and EdTech operators need to understand each of them precisely:
1. Biometric identifiers are now expressly personal information under 16 CFR 312.2. The amended definition covers "a biometric identifier that can be used for the automated or semi-automated recognition of an individual," with an enumerated list that includes fingerprints, handprints, retina patterns, iris patterns, genetic data (including DNA sequences), voiceprints, gait patterns, facial templates, and faceprints. Any EdTech operator collecting these inputs — voice-activated learning tools, facial recognition attendance systems, emotion-tracking software, proctoring tools with gaze detection — now has an unambiguous consent obligation. This is not a proposed change or an FTC guidance position. It is codified at 16 CFR 312.2.
2. Mobile telephone numbers are now "online contact information." The amended Rule adds mobile numbers to the definition, which means EdTech platforms that use SMS verification for parent notification, account setup, or student authentication must treat phone number collection as triggering the full COPPA consent framework.
3. Separate consent is required for targeted advertising disclosure — and the trigger is purpose, not data type. Under the amended Rule, operators must obtain separate verifiable parental consent before disclosing children's personal information to third parties for targeted advertising, for AI training, or for other purposes not integral to the service. This is a purpose-based trigger. An EdTech operator disclosing student interaction data to an advertising network — or to an AI vendor for model training — must obtain this separate consent in addition to the general COPPA consent already required. No consent means no disclosure.
The FTC's decision not to codify push notification restrictions does not immunize operators who use algorithmic nudges or engagement maximization on children. Section 5 of the FTC Act still reaches unfair or deceptive practices, and the FTC has been explicit that it intends to use it in this space.
Prohibition on Targeted Advertising to Children — The New Default Rule
The 2025 COPPA amendments do not prohibit targeted advertising outright. What they create is a default-off regime: without separate verifiable parental consent, any disclosure of children's personal information to third parties for targeted advertising is off-limits. The mechanism is § 312.5(a)(2), which requires operators to obtain that separate consent — distinct from the general COPPA consent already required — before any such disclosure occurs. The absence of consent is, in practice, a prohibition.
This is not limited to advertising networks. The Fenwick analysis of the final rule confirms that the separate consent requirement applies to disclosures "to advertisers and other third parties for monetary or other consideration, for targeted advertising purposes, or for training or otherwise developing artificial intelligence technologies." That last category matters for EdTech. An operator that feeds student interaction data — reading patterns, response times, error frequencies — to a third-party AI vendor for model training needs separate parental consent before that disclosure. This is the provision that catches the most operators off guard.
The contextual advertising carve-out is real and matters for EdTech operators running content-matched ad placements. Under the "support for internal operations" exception at 16 CFR 312.5(c), operators may collect persistent identifiers from children without separate consent for fraud detection, security, site operations, and contextual advertising — meaning ads matched to content, not to individual user profiles or behavioral history. Contextual advertising is not targeted advertising. The line is whether the ad placement relies on individual characteristics or past online behaviors (targeted) versus content type alone (contextual).
The FTC's enforcement record validates that the targeted advertising restriction carries real penalty exposure. A Cognosphere settlement in January 2025 resulted in a $20 million payment for COPPA violations. A Disney settlement in September 2025 produced $10 million for enabling third-party collection of children's personal data without proper consent mechanisms. These are not outlier enforcement actions against obviously bad actors — they are structural enforcement signals that monetization of children's data, without appropriate consent architecture, will be pursued aggressively.
EdTech operators with any third-party data sharing in their product stack — advertising SDKs, analytics platforms, AI co-processors, or data enrichment vendors — need to map every disclosure and determine whether it falls inside or outside the "integral to the service" carve-out. If it is outside, a separate parental consent mechanism is required before the disclosure occurs.
Data Retention Limits — The New 'Reasonably Necessary' Standard
The amended COPPA Rule at 16 CFR 312.10 prohibits indefinite retention of children's personal information. Operators must retain children's data "only for as long as is reasonably necessary to fulfill the purpose(s) for which the information was collected." Indefinite retention will rarely, if ever, satisfy that standard. General retention language — "for as long as necessary" or "for the duration of the relationship" — is expressly prohibited by the rule's framework. Specific, justified timeframes are required.
The compliance mechanism is a written data retention policy with three mandatory elements: (1) the purposes for which children's personal information is collected; (2) the business need for retaining the information; and (3) a timeframe specifying when the information will be deleted. Critically, this policy must be incorporated directly into the operator's online privacy notice. Linking to a separate document is not sufficient.
For EdTech operators, the "reasonably necessary" standard maps most naturally to service activity. An acceptable retention timeframe might specify deletion a defined period after the child has last used the service, or after a subscription has ended — provided the operator can document the business justification for that specific window. The retention period must be anchored to the collection purpose. If personal information was collected for a specific instructional activity, the retention timeframe must reflect that scope, not an open-ended operational need.
The retention obligation runs alongside the security obligation at 16 CFR 312.8, which requires operators to maintain reasonable procedures protecting the confidentiality, security, and integrity of children's personal information. Both apply to the same data. An operator cannot satisfy one without satisfying the other — data that cannot be securely held should not be retained beyond what the retention schedule mandates.
A practical gap in the rule's current text: it does not specifically address whether backup systems, archived copies, or data warehouse snapshots fall within the deletion obligation. The rule's text does not carve them out. Operators who maintain secondary copies of children's personal information should treat that question as an open compliance risk and consult counsel before assuming backup retention practices satisfy "reasonably necessary."
The immediate compliance action: draft the written retention policy, map it to each category of children's personal information collected, document the business justification for each retention window, and update the privacy notice to incorporate the policy text — not a hyperlink to it.
Expanded Definition of Personal Information — What's New
The most consequential definitional change in the 2025 amendments is the addition of biometric identifiers to the personal information definition at 16 CFR 312.2. The amended definition covers "a biometric identifier that can be used for the automated or semi-automated recognition of an individual," and enumerates: fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; and faceprints. If your EdTech product collects any of these inputs from children, those inputs are now COPPA-covered personal information requiring verifiable parental consent.
The practical scope for EdTech is wide. Voice-activated learning tools that process student audio and derive voiceprints. Facial recognition attendance systems that generate facial templates. Physical education apps with gait pattern tracking. Proctoring software that analyzes eye movement and facial geometry. Emotion-detection tools that process facial data for engagement scoring. Every one of these product categories now has an unambiguous biometric consent obligation.
The FTC explicitly declined to extend the definition further to include "data derived from" biometric inputs — inference outputs such as reading level scores derived from voice interaction, engagement scores derived from facial analysis, or behavioral profiles derived from gait data. The Commission concluded that derived data "may be overly broad and include some data that cannot currently be used to identify and contact a specific individual." This is a meaningful boundary: the raw biometric input triggers the consent requirement; the inference generated from that input does not — unless the inference is combined with another personal identifier, which would fall under the catch-all category.
The second significant definitional expansion: government-issued identifiers. The amended Rule covers "a government-issued identifier, such as a Social Security, State identification card, birth certificate, or passport number." This expansion is directly relevant to EdTech operators who collect student enrollment documentation, request state-issued student IDs, or process identification numbers as part of identity verification or age verification workflows.
The amended Rule also introduces a narrow exception for audio files: operators who collect "an audio file containing a child's voice" solely to respond to a specific verbal request may proceed without parental consent — but only if the file is deleted immediately and used for no other purpose. Any voice assistant or interactive learning tool that logs audio, stores voice data, or uses voice interactions for model training does not qualify for this exception.
One definitional boundary to note: COPPA's biometric category may be narrower than state biometric privacy equivalents under Illinois BIPA or Texas CIPA. The compliance requirement under those statutes may exceed what the amended COPPA Rule requires. Multi-state EdTech operators should assess state-law obligations independently.
Post-Deadline Compliance Audit — What Operators Must Do Now
The April 22, 2026 compliance deadline has passed. Operators who have not implemented the required changes are now subject to FTC enforcement with civil penalties of up to $53,088 per violation. The FTC has identified children's privacy as a top enforcement priority for 2026. The Edmodo enforcement action (August 2023) — in which the FTC pursued an EdTech platform for collecting student data for advertising purposes without consent — remains the most directly on-point enforcement precedent for the EdTech sector. The Disney settlement ($10 million, September 2025) and the NGL Labs action (July 2024, resulting in a ban from serving minors under 18) confirm the FTC is not treating this as an abstract regulatory update.
The compliance audit breaks into six parallel workstreams:
1. Privacy Notice Update
Incorporate the written data retention policy directly into the online privacy notice — not a hyperlink to a separate document. The notice must now disclose third-party data recipients, the purposes of disclosure, and the documented retention timeframe for each category of children's personal information collected. Review the notice against the current requirements at 16 CFR 312.4.
2. Consent Flow Revision
Audit every consent mechanism in the product for targeted advertising disclosure. Any disclosure of children's personal information to third parties for advertising, for AI model training, or for other non-integral purposes requires a separate verifiable parental consent — distinct from the general COPPA consent. If no separate consent mechanism exists and the product discloses data to advertising SDKs, analytics vendors, or AI processors, that disclosure must stop until the consent infrastructure is in place.
3. Product Feature Audit
Map every feature that could collect biometric data: voice interfaces, facial recognition, gait analysis, attention tracking, proctoring tools. Each biometric input is now expressly personal information under 16 CFR 312.2. Confirm consent exists for collection, or disable the feature for users under 13. Audit age-gating mechanisms — the amended Rule requires that age-screening be neutral and not default to a set age or encourage falsification.
4. Third-Party Vendor Contracts
Obtain written assurances from every third-party data recipient that the recipient will maintain the confidentiality, security, and integrity of children's personal information and will not use it for any purpose other than those specified in the agreement. Review data processing agreements against the permitted-use requirements and confirm that recipients are not using children's data for advertising or AI training without separate consent.
5. School Authorization Agreement Review
Review any school data processing agreement or authorization mechanism against the FTC's existing EdTech guidance — not the proposed but unadopted codified exception. Confirm that the scope of authorized data collection and use aligns with what the existing guidance permits schools to authorize: data limited to the specific educational purpose and controlled by the school.
6. Data Retention Policy Documentation
Draft the written retention policy with all three required elements: collection purposes, business need justification, and specific deletion timeframes. Anchor timeframes to service activity (e.g., deletion within 90 days of last active use or account termination). Assess whether backup systems and archived copies fall within the deletion obligation. Treat that question as an open compliance risk until you have a defensible position.
For operators participating in or considering a COPPA Safe Harbor program, the 2025 amendments add new transparency requirements: Safe Harbor programs must now publicly disclose their membership lists and provide additional reporting to the FTC. Verify that your program has implemented these requirements.
Promise Legal works with EdTech operators on COPPA compliance audits, privacy notice updates, and consent flow design. The deadline passed — let's close the gaps.