By Susan Hintze, Emily Litka, and Amy Lanchester 

This is Part 2 in a series of blog posts about the 2025 COPPA Final Rule. It provides a comprehensive review of the revised definitional changes to the Rule.  Subsequent posts in the coming days will delve more deeply into the direct and online notice, parental consent, and data governance requirements. Our unofficial redlined copy of the Final Rule can be found here.   

The Final COPPA Rule (the “Final Rule”) adds “mixed audience website or online service” to the COPPA Rule; and revises “online contact information,” “personal information,” “support for the internal operations of the website or online service,” and “website or online service directed to children.” 

“Mixed audience website or online services” 

The Final Rule formally adds the defined term “mixed audience website or online service” meaning:  

a website or online service that is directed to children under the criteria set forth in paragraph (1) of the definition of website or online service directed to children, but that does not target children as its primary audience, and does not collect personal information from any visitor, other than for the limited purposes set forth in § 312.5(c), prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child. Any collection of age information, or other means of determining whether a visitor is a child, must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information. 

The Commission states in comments that the new definition of “mixed audience” websites and online services is not intended to expand the scope of child-directed websites and online services. The 2013 COPPA Rule first established the concept of mixed audiences under the definition of “Website or online service directed to children.” The Commission has described "mixed audiences” as an exception to the requirement to conduct verified parental consent on all visitors to online services primarily directed to children. (Although, some have criticized the “exception” as an attempt to expand the reach of COPPA to sites directed to teens).  

Examples of online services that the FTC has recently considered to be mixed audience include the games Fortnite, operated by Epic Games, and Genshin Impact, operated by Cognosphere. While the Commission did not refer to these games as “mixed audience” in their complaints, they indicated mixed audience treatment by allowing age gating for services where children are not a primary audience within their respective orders. 

Two-step test to determine if the website/service is mixed audience 

The new “mixed audience” definition also reflects the two-step analysis clarified under the COPPA FAQs for determining whether a website or online service is mixed audience. The analysis requires operators to first determine whether their website or online service is “directed to children,” based on an evaluation of the factors set forth in COPPA Rule. If the website or online service is directed to children, then the second step requires operators to determine whether they target children as their primary audience. The Commission in its comments states that both steps will be analyzed based on a ‘totality of the circumstances and the multi-factor test set forth in the amended definition of “website or online service directed to children.”  

The Commission replaced the reference to mixed audience in the definition of “Website or Online Service Directed to Children with a statement that mixed audience sites “shall not be deemed directed to children with regard to children not identified as under 13.” The Commission also provided helpful comments that merely including content that is appropriate for children does not make a general audience site directed to children. It also clarified in comments that a portion of a website or online service may be mixed audience even if the website or online service as a whole is general audience; and that an operator in this scenario can choose to age screen and apply COPPA’s protections to visitors identified as under 13 just for that portion of the site. 

Age Screening Methods and Criteria 

The concept of “mixed audience” in the 2013 COPPA Rule provided an exception that allowed age screening visitors “who identify themselves as under 13” and the COPPA FAQs described that operators could accomplish this age screening by collection of age information to determine whether or not a user is a child under 13 (note, the FTC forbids age screening of sites primarily directed to children).  Beyond self-identifying by visitors or collection of age information for age screening, the Commission adds that it allows operators to “[use] another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.” The Commission stated that this expansion of methods of determining age allows operators “to innovate and develop additional mechanisms that do not rely on a user’s self-declaration.” 

The new definition also codifies expectations that the Commission currently sets forth in the COPPA FAQs that age gates and other mechanisms used to determine age must be implemented in a “neutral manner that does not default to a set age or encourage visitors to falsify age information.”  

“Website or online service directed to children” 

In addition to moving the criteria of mixed audience into its own definition, the Commission added to the definition of “website or online services directed to children” additional factors that the Commission will consider in determining whether a website or online service is child-directed. The Commission maintained factors such as the subject matter, visual content, and the use of animated characters on the website or online service and added marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services.  

Marketing and promotional materials and representations

In adding this factor, the Commission stated in its comments to the Final Rule that marketing materials and similar representation “often provide compelling direct evidence” regarding whether an Operator intended audience. The addition of this factor is consistent with past COPPA enforcement cases that looked to such evidence when determining child-directedness (see e.g., FTC v. Google LLC and YouTube, LLC). 

Reviews by users or third parties; the age of users on similar websites or online services 

More controversially, the Commission included the reviews by users or third parties and the age of users on similar websites or online services as factors it will consider when determining whether a website or online service is child-directed. In the Final Rule, the Commission noted that it received feedback from commenters that such evidence is not “reliable empirical evidence” of audience composition, that they would not have access to the age of users of similar sites, and that it was unclear what “similar” means. 

The Commission’s guidance on how it intends to apply these factors is unclear. On the one hand, they state that these factors are “not intended to impose a burdensome requirement that operators identify and continuously monitor all such information.” However, on the other hand, they don’t state what the expectation to monitor is but where an operator does have “knowledge” of relevant information, it may be relevant to the Commission’s determination. The Commission reinforces that the determination or child-directedness “requires consideration of a totality of the circumstances.” 

Lastly, we also note that the Commission declined to specifically include an explicit survey exception it previously considered in the 2024 Proposed Amendments. The exception would have exempted websites or online services directed to children where the operator conducts an analysis on its audience composition and determines that no more than a specific percentage of its users are likely to be children under 13 – although arguably this remains a factor to be considered provided that an operator can show such surveys are “competent and reliable empirical evidence regarding audience composition.”  

“Personal Information”  

Biometric Identifiers 

The Final Rule adds “biometric identifiers” to the definition of “personal information” under COPPA. The Final Rule does not add substantial new obligations for “biometric identifier” data processing, they only require the Operator to provide appropriate notice and obtain verifiable parental consent before collecting, using, or disclosing it, consistent with the obligations for personal information handling generally. 

Personal information means ... A biometric identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints;   

There are two notable features of this definition: 

"Biometric identifiers” is broad in scope 

First, the definition is quite broad in scope. It includes a representative example of the types of data that will be considered “biometric identifiers” but leaves the door open for additional categories of data where they can be “used for the automated or semi-automated recognition of an individual.” The use of the word “can” is notable, as “biometric identifiers” will be treated as personal information regardless of whether it is actually used or collected with the intent to be used to identify an individual. The Commission maintained that this broad definition is consistent with the COPPA statute which defines personal information to mean “individually identifiable information about an individual collected online” rather than an alternative such as “information used to identify an individual.”  

The Commission neither defined “automated or semi-automated" nor did they provide any representative examples of what that type of processing would include. 

There are no exceptions to “biometric identifiers” 

Second, the definition does not include exceptions. In the 2024 Proposed Rule, the Commission solicited comments on whether it should include an exception for when biometric data “has been promptly deleted.” The Commission ultimately declined to include any exceptions in the Final Rule, stating that even limited storage can increase the risk of the data being exposed in a security incident and that “the burden placed on operators to obtain verifiable parental consent are outweighed by the benefit of providing greater protection for this sensitive data and enhancing control for parents.”  

We note that the definition in the 2024 Proposed Rule also included “data derived from voice data, gait data, or facial data” in the definition. The Commission ultimately removed this from the final definition because “it may be overly broad and include some data that cannot currently be used to identify and contact a specific individual.”  

Government –Issued Identifiers. 

The Final Rule also adds “government-issued identifiers” to the definition of “personal information.” The prior definition of “personal information” already included Social Security numbers; the Final Rule adds, as a non-exhaustive list, “state identification card, birth certificate, or passport number.” 

Avatars 

Separately, the Commission also considered adding “an avatar generated from a child’s image” to the definition of “personal information.” The Commission ultimately declined to treat an avatar on its own as personal information but noted in comments that where avatars are combined with other personal information, they are considered personal information under the existing rule. This conclusion is consistent with the Commission’s order against Microsoft’s Xbox platform where it found avatars created from a child’s image in conjunction with other identifiers to be personal information. The Commission stated that it will continue to monitor technological developments in relation to avatars and may revisit amendments related to avatars in the future. 

“Support for the internal operations of the website or online service”  

The Final Rule revises the definition of “support for the internal operations of the Web site or online service,” which is currently defined to include seven activities, including activities necessary to: enable a site or service to continue to function, protect the security of the user or site/service, perform user authentication, and serve contextual advertising. The Final Rule clarifies that the personal information collected pursuant to the exception can be used and disclosed in connection with those internal operations.  

Notably, the Commission declined to amend the definition’s exception for contextual advertising. In the 2024 Proposed Rulemaking it solicited comments on whether it should revise the exception “due to the current sophistication of contextual advertising.” It stated that the Final Rule’s new requirements to provide notice specifying the types of internal operations for which persistent identifiers are used will enhance the Commission’s ability to “monitor operators’ use of the support for the internal operations exception to the COPPA Rule’s verifiable parental consent requirement for contextual advertising and other purposes.” 

“Online contact Information” 

In conjunction with the new “text plus” verifiable parental consent method, which we will discuss more deeply in our next blog post, the Commission revised the definition of “online contact information” to include “a mobile telephone number provided the operator uses it only to send text messages to a parent in connection with obtaining parental consent.” The Commission made this amendment to enable Operators to collect and use a parent’s mobile phone number to initiate the process of seeking parental consent. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.  

Susan Hintze is Co-Managing Partner at Hintze Law PLLC, appointed to IAPP’s Board of Directors, and is also a Westin Emeritus Fellow with the IAPP.

Amy Lanchester is a Senior Data Consultant at Hintze Law PLLC and the Director of Hintze Data Advisors. With over ten years of experience working on global data protection matters, she consults with organizations on privacy and data security issues and compliance programs.