On January 16, 2025, the Federal Trade Commission (FTC) published its Final Rule officially adopting updates to the Children’s Online Privacy Protection Act (COPPA). For a comprehensive overview of these changes, be sure to watch out for our upcoming alert.

A key question for industry stakeholders was whether avatars would fall under the definition of “personal information” in the Final Rule. In its Notice of Proposed Rulemaking, the FTC sought to understand whether an avatar generated from a child’s image should be considered personal information under COPPA, even if the avatar was not actually generated through an actual photograph of the child. Public feedback was divided as an expanded definition would add more restrictions on what companies can currently collect while other commenters expressed concerns about the possibility that companies might “collect data from an avatar to analyze and influence a child’s behavior”¹ including through targeted advertising.

After carefully considering the record and comments, the Commission found that a child’s avatar alone does not fall into the definition of “personal information” because there was no clear evidence that avatars are inherently identifiable. The FTC pointed out and agreed with many commenters that avatars are often temporary, customizable, and do not necessarily resemble the person who created them.

There is a very large “however” to that conclusion, though. Notwithstanding the FTC’s conclusion that an avatar alone is not “personal information” under COPPA, the FTC pointed to its 2023 settlement with Microsoft. In that case, the order resolving the claims clarified that an avatar when generated using a child’s image—as well as biometric and health information—would be considered personal information under COPPA when collected alongside other data about the child.

Arguments Supporting Inclusion of Avatars as Personal Information

Concerns were raised about the potential risks of companies collecting sensitive data from avatars, such as whether a person is wearing glasses or religious clothing. If avatars are generated using biometric data or designed to resemble a user’s likeness, companies could potentially analyze and use this information to target children with advertising or influence their behavior. This could also enable individual identification when combined with other data sources.

State attorneys general and consumer groups recommended expanding COPPA’s definition of personal information to include avatars created from a child’s image or likeness, regardless of whether a photo or video was uploaded. This was due to the potential for reverse engineering biometric data from avatars.

Arguments Against Treating Avatars as Personal Information 

The majority opposed treating avatars as personal information, arguing that avatars are typically temporary, customizable, and not inherently linked to identifiable data. Several commenters highlighted that avatars often do not meet COPPA’s statutory definition of individually identifiable information or enable physical or online contact with children.

Technical considerations were also emphasized. For example, if avatar creation involves local processing on a device without uploading data online, neither the original image nor the avatar would fall within COPPA’s scope. Industry stakeholders raised practical concerns, noting the compliance burden of determining whether avatars are derived from a child’s image when images are not directly collected. They argued that avatars often serve as privacy-enhancing proxies, allowing users to express themselves without revealing personal information.

Looking Ahead

While the Commission opted against expanding COPPA’s definition of personal information to include avatars, it underscored its commitment to monitoring technological and marketplace developments in this area. Future amendments remain a possibility as evidence emerges and technologies evolve.

In the meantime, companies should remain vigilant about how they collect and use children’s personal information, ensuring compliance with existing COPPA requirements.

Footnotes