What changed in the 2025 COPPA amendments?

The FTC's January 2025 final rule expanded the definition of personal information to include biometric identifiers, required a written data retention policy, required a written information security program, and restricted disclosure of children's data to third parties without separate verifiable parental consent.

When does COPPA 2025 take effect?

The amended rule was published January 16, 2025 and took effect April 22, 2026, with compliance required by that date.

Does COPPA apply to schools?

Schools themselves are not regulated by COPPA, but vendors that knowingly collect personal information from children under 13 are. Schools may authorize vendors to collect PII on their behalf for educational purposes, but must still ensure FERPA and state-law compliance.

Effective April 22, 2026

COPPA 2025 Amendments — What Ed-Tech Vendors and Schools Need to Know

The FTC\'s final rule amending the Children\'s Online Privacy Protection Rule (16 CFR Part 312) was published January 16, 2025 (90 Fed. Reg. 2034) and took effect April 22, 2026. The amendments expand the definition of "personal information" to include biometric identifiers, require a written data retention policy, require a written information security program, and mandate separate verifiable parental consent before disclosing a child\'s personal information to third parties. For ed-tech providers serving K-12 students under 13, the practical compliance shift is substantial.

Who does COPPA apply to?

COPPA (15 U.S.C. §§6501-6506) applies to operators of commercial websites and online services (a) directed to children under 13, or (b) that have actual knowledge they are collecting personal information from a child under 13. Schools are generally not regulated directly but may contract with vendors that are; the FTC has long recognized a "school authorization" framework under which schools may provide consent on behalf of parents for educational-purpose PII collection, while still requiring the vendor to satisfy COPPA\'s substantive protections.

What does the 2025 amendment require?

Expanded PII definition — Adds biometric identifiers (e.g., fingerprint, voice print, retinal scan, facial template) and expands persistent identifier language. Persistent device identifiers used for any purpose beyond internal operations now require parental consent.
Written data retention policy — Operators must adopt, publish in the online notice, and adhere to a written retention policy that limits retention to only what is reasonably necessary for the specific purpose of collection.
Written information security program — Must include administrative, technical, and physical safeguards appropriate to the sensitivity of the information and operator size; must be reviewed at least annually.
Separate disclosure consent — Parental consent for collection is insufficient to authorize disclosure of a child\'s PII to third parties; separate, specific verifiable consent is required for disclosures.
Enhanced notice — Online privacy notice must describe categories of PII, purposes, disclosure practices, retention policy, and parental rights in clear and understandable language.

Key Deadlines

January 16, 2025 — FTC final rule published (90 Fed. Reg. 2034).
April 22, 2026 — Effective date. Full compliance required.
Annually — Review information security program (§312.8).

Penalties for Non-Compliance

The FTC enforces COPPA and is authorized to seek civil penalties. The current statutory maximum per violation is adjusted annually for inflation and has historically approached $50,000 per violation (15 U.S.C. §45(m)). State attorneys general also have independent COPPA enforcement authority. Recent enforcement actions have produced settlements in the hundreds of millions of dollars (e.g., Fortnite / Epic Games $275M, 2022; TikTok $5.7M, 2019).

How IncluShift complies

IncluShift is architected for alignment with the 2025 amendments: students are identified by UUID only, student reading and communication content is never transmitted off-device, engine-layer stripPII() sanitizes all AI/LLM calls before network transmission, AES-256-GCM encrypts sensitive content at rest, TLS 1.3 is enforced in transit, and a written data retention policy and written information security program are maintained and reviewed annually. The corporate site runs zero analytics, zero cookies, and zero third-party tracking scripts. See Privacy Policy.

Official Sources

FERPA COPPA (glossary) FERPA (glossary)

Educational information, not legal advice. For COPPA compliance counsel, consult a qualified attorney. Penalty figures are historical; current maxima are adjusted annually for inflation.