FTC Proposes Significant Changes to Online Protection Rules for Children

Children using technology covered under COPPA
The Federal Trade Commission has proposed changes to the Children’s Online Privacy Protection Act (COPPA) that would place new restrictions on the use and disclosure of children’s personal information and limit companies from profiting from children’s data.

With these proposed changes, the FTC intends for the Act to reflect technological changes and aims to provide young children with greater protections for their personal data. The FTC also wants to ensure that parents will retain control regarding their children’s data and that website operators will be held accountable for their failure to maintain the safety and security of digital services for children.

FTC Seeking Comments on Proposed Changes

In a notice of proposed rulemaking, the FTC is seeking comment on proposed changes to the COPPA Rule aimed at addressing the evolving ways personal information is being collected, used, and disclosed, including to monetize children’s data, and clarifying and streamlining the rule.

The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services that collect personal information from children under the age of 13 to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from these children. The current Act places several obligations on the website operator, including:

  • The incorporation of a detailed privacy policy that describes the information collected from its users.
  • Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
  • Disclosure to parents of any information collected on their children by the website.
  • A Right to revoke consent and have information deleted.
  • Limited collection of personal information when a child participates in online games and contests.
  • A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina Khan. “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children. By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”

The FTC initiated the latest review of the COPPA Rule in 2019 and received more than 175,000 comments on its request for public comment on whether changes were needed to the rule. The agency also held a workshop in October 2019 on whether to update the COPPA Rule in light of evolving business practices in the online children’s marketplace, including the increased use of voice-enabled connected devices, educational technology, and general audience platforms hosting third-party child-directed content.

The FTC last made changes to the COPPA Rule in 2013 to reflect the increasing use of mobile devices and social networking by, among other things, expanding the definition of personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.

FTC’s Proposed COPPA Amendments

The FTC has proposed several changes to the rule, including:

  • Requiring Separate Opt-In for Targeted Advertising: Building off the existing consent requirement in section 312.5, website and online service operators covered by COPPA would now be required to obtain separate verifiable parental consent to disclose information to third parties including third-party advertisers—unless the disclosure is integral to the nature of the website or online service. Firms cannot condition access to services on disclosure of personal information to third parties.
  • Prohibition against conditioning a child’s participation on collection of personal information: The proposal reinforces the current rule’s prohibition on conditioning participation in an activity on the collection of personal data to make clear that it serves as an outright ban on collecting more personal information than is reasonably necessary for a child to participate in a game, offering of a prize, or another activity. In addition, the FTC is considering adding new language to this section to clarify the meaning of “activity.”
  • Limits on the support for the internal operations exception: The current rule allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information and uses the persistent identifier solely to provide “support for the internal operations of the website or online service.” The proposed rule changes would require operators utilizing this exception to provide an online notice that states the specific internal operations for which the operator has collected a persistent identifier and how they will ensure that such identifier is not used or disclosed to contact a specific individual, including through targeted advertising.
  • Limits on nudging kids to stay online: Operators would be prohibited from using online contact information and persistent identifiers collected under COPPA’s multiple contact and support for the internal operations exceptions to send push notifications to children to prompt or encourage them to use their service more. Operators that use personal information collected from a child to prompt or encourage use of their service would also be required to flag such usage in their COPPA-required direct and online notices.
  • Changes related to Ed Tech: The FTC has proposed codifying its current guidance related to the use of education technology to prohibit commercial use of children’s information and implement additional safeguards. The proposed rule would allow schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information but only for a school-authorized educational purpose and not for any commercial purpose.
  • Increasing accountability for Safe Harbor programs: The proposed rule would increase transparency and accountability of COPPA Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission.
  • Strengthening data security requirements: The FTC has proposed strengthening the COPPA Rule’s data security requirements by mandating that operators establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children.
  • Limits on data retention: The FTC also would strengthen the COPPA Rule’s data retention limits by allowing for personal information to be retained only for as long as necessary to fulfill the specific purpose for which it was collected. The proposed change would also prohibit operators from using retained information for any secondary purpose, and it explicitly states that operators cannot retain the information indefinitely. The Rule would also require operators to establish, and make public, a written data retention policy for children’s personal information.

In addition, the FTC has proposed changes to some definitions in the rule, including expanding the definition of “personal information” to include biometric identifiers, and stating that the Commission will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed to children.

Those who are interested in weighing in on the proposed rule changes will have 60 days to submit a comment to the FTC after the notice is published in the Federal Register, which should happen in the next two weeks.   end slug


Jacob Horowitz is a contributing editor at Compliance Chief 360°

Leave a Reply

Your email address will not be published. Required fields are marked *