United States (Federal) | In Force

Federal Trade Commission COPPA Rule (FTC COPPA Rule)

The FTC's COPPA enforcement rule requiring verifiable parental consent for data collection on children under 13. The FTC finalized major amendments in January 2025 (5-0 vote), published in the Federal Register on April 22, 2025, with legal effect June 23, 2025 and a full compliance deadline of April 22, 2026. The 2025 amendments add mandatory information security programs, data retention/deletion policies, enhanced direct notice requirements, expanded personal information definitions (biometrics, government IDs), new consent methods, and separate consent for third-party data sharing.

Compliance Coverage: 7/8

What FTC COPPA Rule Requires

Key provisions of Federal Trade Commission COPPA Rule

Verifiable Parental Consent (VPC)

Operators must obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. Acceptable methods include signed consent forms, credit card verification, government ID checks, knowledge-based authentication, facial recognition matching, and text-plus verification (added in 2025 amendments).

Separate Consent for Third-Party Data Sharing

The 2025 amendments require operators to obtain separate verifiable parental consent before sharing children's data with third parties. Disclosures for advertising, AI model training, and data monetization are explicitly defined as never being 'integral' to the service, meaning blanket consent cannot cover these uses.

Mandatory Written Information Security Program

Operators must establish and maintain a comprehensive written information security program to protect the confidentiality, security, and integrity of personal information collected from children. This is a new mandatory requirement under the 2025 amendments.

Mandatory Data Retention and Deletion Policy

Operators must implement a written data retention and deletion policy with defined retention limits. Children's personal information must be deleted when no longer necessary for the purpose for which it was collected.

Enhanced Direct Notice to Parents

The 2025 amendments require enhanced direct notice to parents that must disclose the identities or categories of all third parties receiving children's personal information, providing greater transparency about data flows.

Expanded Definition of Personal Information

The definition of personal information is expanded to include biometric identifiers (voiceprints, facial templates, gait patterns) and government-issued identification numbers, broadening the scope of data subject to COPPA protections.

Clear Privacy Policy for Children

Operators must post clear, comprehensive, and prominently linked privacy policies describing their data practices for children, including what information is collected, how it is used, and with whom it is shared.

Parental Review and Deletion Rights

Parents have the right to review all personal information collected from their child, request its deletion, and refuse further collection. Operators must honor these requests in a timely manner.

Data Minimization

Operators may not condition a child's participation in an activity on the child providing more personal information than is reasonably necessary for that activity.

FTC Enforcement and Safe Harbor

The FTC enforces COPPA with civil penalties of up to $53,088 per violation. Industry self-regulatory programs can apply for safe harbor status, with new transparency requirements under the 2025 amendments requiring public reporting and accountability.

How Phosra Helps

FTC COPPA Rule provisions mapped to Phosra features

Each FTC COPPA Rule requirement is addressed by a specific Phosra capability. Integrate once, and your platform is covered.

Verifiable parental consent

Parent Account Ownership

Phosra's parent/guardian account model ensures that all child profiles are created and managed by a verified adult, satisfying VPC requirements through account ownership verification.

REST API — Verify parental consent
bash
curl -G https://api.phosra.com/v1/families/fam_7xK2m/consent-status \
  -H "Authorization: Bearer sk_live_..."

Privacy policy compliance

Minimal Data Collection

Phosra collects only first name, birth date, and age group for child profiles — no email, phone, photos, or biometrics — making privacy disclosures simple and compliant.

REST API — Child data inventory
bash
curl -G https://api.phosra.com/v1/children/ch_emma_01 \
  -H "Authorization: Bearer sk_live_..." \
  -d "include=data_inventory"

Parental review and deletion

Data Deletion Request

data_deletion_request

The data_deletion_request rule category triggers deletion workflows on connected platforms. Parents can also fully delete child profiles from Phosra via the dashboard or API.

REST API — Parental data deletion
bash
curl -X POST https://api.phosra.com/v1/children/ch_emma_01/data-deletion \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "scope": "all_platforms",
    "reason": "parental_request",
    "include_phosra_profile": false
  }'

Targeted ad protection

Targeted Ad Block

targeted_ad_block

The targeted_ad_block rule disables all behavioral advertising and ad profiling for children under 13 across connected platforms, preventing COPPA-prohibited commercial data use.

REST API — Block ads for under-13
bash
curl -X POST https://api.phosra.com/v1/enforcement \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "child_id": "ch_emma_01",
    "rules": ["targeted_ad_block"],
    "platforms": ["youtube", "roblox"]
  }'

Data security

AES-256-GCM Encryption

All sensitive data is encrypted at rest using AES-256-GCM. Platform credentials are encrypted with per-family keys, and all API communication uses TLS 1.3.

REST API — Encryption verification
bash
curl -G https://api.phosra.com/v1/compliance/encryption-status \
  -H "Authorization: Bearer sk_live_..."
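
The per-family key claim above, sketched as an added example (not Phosra's code and not taken from the page): a credential sealed with AES-256-GCM under one family's key fails authentication under any other family's key. Deriving each key from a master secret with HKDF, the record layout, and the function names are all assumptions made for illustration.

```javascript
// Added illustration, not Phosra's code; all function names are hypothetical.
const crypto = require('node:crypto');

// Assumption: each family key is derived from one master secret with HKDF-SHA-256.
function familyKey(masterSecret, familyId) {
  const okm = crypto.hkdfSync('sha256', masterSecret, Buffer.alloc(0),
    `family-key:${familyId}`, 32);
  return Buffer.from(okm); // 32 bytes = AES-256 key
}

// Encrypt one credential. Record layout: iv (12) | tag (16) | ciphertext.
function sealCredential(masterSecret, familyId, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm',
    familyKey(masterSecret, familyId), iv);
  cipher.setAAD(Buffer.from(familyId, 'utf8')); // bind the record to its family
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Decrypt; throws if the key, family ID, tag or ciphertext does not match.
function openCredential(masterSecret, familyId, record) {
  if (record.length < 28) throw new Error('record too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm',
    familyKey(masterSecret, familyId), record.subarray(0, 12));
  decipher.setAAD(Buffer.from(familyId, 'utf8'));
  decipher.setAuthTag(record.subarray(12, 28));
  return Buffer.concat([decipher.update(record.subarray(28)),
    decipher.final()]).toString('utf8');
}

// True only when the record authenticates under this family's key.
function canOpen(masterSecret, familyId, record) {
  try { openCredential(masterSecret, familyId, record); return true; }
  catch { return false; }
}

// Constructed sample values (the family ID format follows the page's example).
const demoMaster = Buffer.alloc(32, 0x42); // placeholder; use a KMS-held secret
const demoRecord = sealCredential(demoMaster, 'fam_7xK2m', 'constructed-platform-token');
console.log(canOpen(demoMaster, 'fam_7xK2m', demoRecord));          // own family
console.log(canOpen(demoMaster, 'fam_constructed_02', demoRecord)); // other family
```

Because the family ID is also passed as associated data, a record copied into another family's storage slot is rejected even before key separation comes into play.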

Enforcement documentation

Compliance Audit Trail

Every enforcement action is logged with timestamps, platform responses, and rule snapshots, providing documentary evidence for FTC safe harbor and compliance reviews.

REST API — FTC compliance audit
bash
curl -G https://api.phosra.com/v1/enforcement/audit \
  -H "Authorization: Bearer sk_live_..." \
  -d "law=ftc_coppa" \
  -d "format=ftc_report"

Coverage Assessment

FTC COPPA Rule compliance checklist

Compliance Coverage

Verifiable parental consent obtained: Parent account ownership verification
Clear privacy policy posted: Minimal data collection with transparent disclosures
Parental review and deletion rights: data_deletion_request + dashboard profile management
Targeted advertising blocked for under-13: targeted_ad_block rule category
Data security measures in place: AES-256-GCM encryption, TLS 1.3, per-family keys
Data minimization enforced: Minimal child profile schema (name, DOB, age group only)
Third-party data sharing restricted: No child data shared with third parties
Safe harbor program participation: FTC safe harbor application (planned)

Start building FTC COPPA Rule-compliant features today

Phosra handles the complexity of multi-platform compliance so you can focus on building great products for families.