The FTC’s three settlements with Microsoft, Amazon and educational technology company Edmodo, resulting in $51 million in penalties, broke new ground on enforcement of the Children’s Online Privacy Protection Act Rule – with privacy compliance implications for all companies. These cases expand on what counts as children’s personal information, show the FTC’s growing focus on data minimization and biometrics, and impose a new third-party notification obligation. This second article in a two‑part series discusses these new expectations and other takeaways, with insights from former FTC officials at BakerHostetler and Wilson Sonsini. Part one offered three lessons on negotiating with the FTC over algorithm disgorgement and other penalties. See “Examining the Intersection of Voiceprints and Data Privacy Laws” (Sep. 22, 2021).