(Editor’s note: This article has been updated to reflect finalization of proposed rule on Jan. 16, 2025.)
Growing concerns from parents surrounding children’s online safety have prompted updates to federal regulation to limit the information that can be collected from and about minors. These evolving regulations necessitate robust compliance strategies to safeguard young users’ data effectively. Ryan Smyth, Marygrace Jay and Michael Spadea of FTI Consulting explore the regulation around children’s online privacy.
Amid an uptick in use of new technologies and platforms that use personal data to customize experiences, organizations, especially those in the social media and gaming industries, must navigate compliance surrounding children’s privacy regulation while still accomplishing their core business missions. In addition to penalties and fines, failure to comply with children’s privacy regulations could jeopardize an organization’s operations and reputation, with noncompliance potentially leading to the suspension of certain business activities and public perception that the organization is irresponsible or untrustworthy.
Current regulations
In keeping with the global trend of increasing data protection regulation and enforcement, many governments are tightening regulations relating to protecting the privacy of children. For example, the UK’s Online Safety Act, passed in October 2023, requires social media platforms to prevent children from accessing harmful and inappropriate content and provides parents and children with clearer processes for reporting content issues.
In the U.S., several states have privacy laws specific to the collection of personal information of minors, but the primary regulation regarding this topic is the Children’s Online Privacy Protection Act (COPPA). Updates to COPPA include new information disclosure restrictions, reflecting a global trend toward stricter data protection standards for minors.
Issued in 1998 by the Federal Trade Commission (FTC), the COPPA regulates how websites, apps and other online operators collect data and personal information from children under the age of 13. In January 2025, the FTC finalized several changes to the rule; notable new requirements include:
- Separate opt-in consent prior to disclosure of a child’s personal information to third parties.
- Expanding the definition of personal information to include biometric data, such as Face ID, and online contact information, such as a cell phone number.
- Increasing security program requirements surrounding children’s information and requiring annual risk assessments for organizations possessing this information.
Regulatory challenges
Organizations often face challenges complying with COPPA, as the requirements can be difficult to follow and to enforce on users. A few examples include:
Age verification
While it is necessary for organizations to verify the age of their users for compliance with COPPA, ensuring that users are of appropriate age without collecting excessive data poses a significant challenge. In other words, it is simple for children to misrepresent their age, yet the verification burden falls on the organization collecting this information.
Data minimization
Balancing the need to collect data for functional and legal reasons with the principle of collecting the least amount of data necessary is complex, especially when dealing with children’s information. Organizations must also consider how to adjust data rules for individuals when they age out of COPPA restrictions.
Data encryption
Certain data must be properly maintained to show compliance with regulatory requirements. This data must be encrypted, as a data breach exposing children’s data could have serious and far-reaching implications.
Securing consent
Obtaining verifiable parental consent in a manner that is compliant with laws like COPPA can be technically and administratively challenging.
Effectively complying with children’s privacy regulations
Organizations should focus their efforts on several key areas when determining whether their policies around children’s digital privacy are compliant. They should consider:
- Collecting only necessary data for the service provided and regularly review data retention policies to ensure data is not retained longer than necessary.
- Developing clear and straightforward methods for obtaining verifiable consent using interfaces that are easy for parents to understand and navigate. Note that a check box stating “I am over 13” was deemed ineffective by the FTC, and best practice is to ask for a birthdate with month, date and year.
- Ensuring any data that cannot be deleted is encrypted.
- Establishing controls to mitigate risks associated with children’s privacy.
- Performing regular independent assessments to examine the effectiveness of privacy controls.
Children’s privacy is a serious and growing concern that needs to be addressed by organizations that children regularly interact with online. Companies developing general-use technology that could be repurposed for the educational environment should also closely follow the progress of proposed COPPA updates. By implementing best practices and adhering to regulations, organizations can successfully and compliantly deliver their products and services to young users, reduce legal, operational and reputational risk and play a vital role in keeping children safe online.
Ryan Smyth
Marygrace Jay
Michael Spadea
