The Federal Trade Commission (“FTC”) on December 20, 2023[1] proposed a set of revisions to its rules implementing the Children’s Online Privacy Protection Act (“COPPA Rule”).[2] The COPPA Rule, which became effective in 2000 and was amended in 2013, serves as the FTC’s primary means to enforce the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the principal regulation protecting children (and their personal information) online. At a high level, the COPPA Rule requires operators of websites or online services that are (i) directed to children[3] or (ii) not directed to children but have actual knowledge that they are collecting personal information online from a child to provide notice to parents and obtain verifiable parental consent before collecting, using or disclosing personal information from their children, as well as to provide parents with opportunities to review, delete and prevent further use or future collection of such information.
The FTC proposal, which remains subject to a sixty (60) day public notice and comment period, is aimed at strengthening the COPPA Rule’s restrictions imposed on website operators’ processing of children’s personal information to account for the evolving technological landscape, particularly in light of advancements relating to the ed-tech sector, voice-enabled connected devices and general audience platforms that host third-party child-directed content. The key revisions proposed by the FTC in the current rulemaking package include:
- Expanding COPPA’s scope. The proposed changes would expand COPPA’s scope by changing some definitions and increasing the factors the FTC may consider in determining COPPA’s applicability to a particular website. One such definition is “personal information”, which, if the proposal is adopted, would include biometric identifiers. The proposal indicates that the FTC will, when determining whether a website or online service is directed to children, consider additional factors such as marketing materials, representations to consumers or third parties, reviews by users or third parties and the age of users on similar websites or services.
- Separate opt-in consent for third-party information disclosures, including for targeted advertising. One of the major suggested changes is a requirement that covered entities seek additional, separate consent from parents before disclosing a child’s information to third parties, particularly third-party advertisers. In essence, these revisions would prevent behavioral advertising to children without parents separately opting in to such sharing. Disclosure without separate consent would only be permitted if it is “integral” to the website or online service.
- Enhanced restrictions against conditioning participation on collection of personal information. Nodding toward data minimization principles that are largely present in several state data protection statutes, the revisions reinforce COPPA’s restrictions on collecting more information than is necessary in order to permit a child to take part in online activities. Currently, the COPPA Rule prohibits covered entities from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more personal information than is reasonably necessary to participate in such activity (e.g., participating in online games, offering a prize). The proposed revisions purport to expand the definition of what constitutes an “activity” to include “any activity offered by a website or online service, whether that activity is a subset or component of the website or online service or is the entirety of the website or online service” (emphasis added).
- Limiting use of “engagement-enhancing techniques” that encourage children to remain online. Another key change would restrict covered entities from using online contact information and persistent identifiers collected pursuant to the internal operations exception (discussed below) in connection with engagement-enhancement techniques such as push notifications that encourage children to spend longer periods of time online and use the covered entity’s service more. Where such personal information is used in connection with push notifications, covered entities would also be required to include disclosures regarding this practice in notices to parents.
- Reinforcing data retention limitations. The proposal also seeks to emphasize the existing COPPA standards by reinforcing that covered entities are not permitted to retain children’s information beyond what is necessary for the stated purpose of collection. Children’s information cannot be held beyond that purpose, whether for an indefinite period of time or for a purpose beyond what is stated. The proposal would also require covered entities to publicly post their data retention policies.
- Limiting the “support for internal operations” exception. The COPPA Rule currently permits covered entities to collect persistent identifiers without parental consent if (i) the entity does not collect any additional personal information and (ii) the persistent identifiers are only used to support internal operations. The proposal limits this exception by requiring covered entities that claim it to post an online notice explaining (a) the specific internal operations for which the operator has collected the persistent identifier and (b) how the entity will protect the identifiers to prevent targeted advertising and other specific contact.
- Regulating ed tech. The proposal seeks to codify the FTC’s current guidance for ed tech, which articulates that schools and school districts may authorize ed tech providers to collect, use and disclose students’ personal information solely for school-authorized educational purposes.
- Disclosure of Safe Harbor programs. COPPA’s Safe Harbor programs[4] would be required to disclose their membership lists and submit additional information to the FTC, among other changes, to increase transparency and accountability for the programs.
- Strengthening data security requirements. COPPA’s existing data security requirements would be strengthened through a mandate that requires covered entities to establish and maintain a separate, written personal information security program for children’s data, and to subsequently implement the program. This program should explicitly include safeguards appropriate for the heightened sensitivity of children’s information.
As noted above, the current revisions to the COPPA Rule remain a proposal at this stage; once the Notice of Proposed Rulemaking is published in the Federal Register, the sixty (60) day public comment period will begin, allowing stakeholders and any interested parties to provide feedback to the FTC. We will continue monitoring these developments and provide updates once the final revisions are released.
[1] The FTC press release announcing the proposed revisions to the COPPA Rule can be found here.
[2] The FTC’s proposed revisions to the COPPA Rule can be found here.
[3] COPPA defines children as individuals under the age of thirteen (13).
[4] COPPA safe harbor programs allow industry groups to self-regulate their member-operators and establish and enforce their own guidelines and requirements. Their self-regulation, though, must guarantee the same or greater protection for children as compared to the standards promulgated by COPPA.