On December 20, 2023, the Federal Trade Commission (FTC) announced proposed revisions to its rules administering the Children’s Online Privacy Protection Act (COPPA). The updates both expand the universe of businesses subject to COPPA restrictions and strengthen the parental consent requirements surrounding the collection of data from children under the age of 13.
The proposed updates, if codified, would be the first significant change to the FTC’s approach to COPPA since 2013. That earlier overhaul also strengthened rules governing parental consent around the collection of data generated by children under 13.
EXPANDED SCOPE
The FTC’s COPPA Rule currently applies to websites or online services directed in part to children or to those operators with actual knowledge that they are collecting personal information directly from users of a child-directed website or online service. The proposed revision would expand the scope of businesses subject to COPPA by removing the word “directly.”
This deletion would bring under COPPA’s scrutiny those operators that knowingly collect children’s data from a separate site or service that is aimed in part at children, without directly interfacing with those children online themselves. The update is intended to address “ad exchanges that receive data from an ad network that has collected information from users of a child-directed site or service.” Currently, such entities may avoid the requirements accompanying COPPA.
The proposed change aims to avoid straying outside of the statutory authority delegated to the FTC. In considering expanding the scope of the COPPA Rule, the FTC received comments suggesting that the relevant standard be changed from actual knowledge to constructive knowledge. The proposal was rejected as going beyond the Commission’s authority based on COPPA’s legislative history. In fact, Congress originally drafted COPPA using a constructive knowledge standard but subsequently modified the legislation to an actual knowledge standard after consideration of witness testimony.
Additionally, the proposed rules would clarify which websites or online services would be classified as “directed to children.” The FTC is not proposing any substantive changes to the current multi-factor test; however, it is attempting to clarify the types of operators that would fall under this category by providing concrete examples of evidence it may look to in an evaluation.
The proposed change would cite the following as examples of the type of evidence the FTC may consider in determining whether an online service is child-directed: “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services.”
UPDATED CONSENT REQUIREMENTS AND METHODS
Parental Opt-In
The current COPPA Rule requires parental consent for the collection, use, and disclosure of a child’s personal information. Today, a website or online service may solicit such approval through a single, combined request for consent.
The new proposed COPPA Rule would bifurcate this solicitation, requiring the operator to obtain two separate consents: one consent for the collection and use of children’s personal information and another consent for the disclosure of that data to third parties.
In order for a child to be subjected to targeted advertising under the new proposed rule, a parent would need to affirmatively opt in on behalf of his or her child. However, websites or online services where such data disclosure is integral to their nature are exempted from this dual consent requirement (e.g., “if the website or online service is an online messaging forum through which children necessarily have to disclose their personal information, such as online contact information, to other users on that forum.”).
Parental Consent Methods
The proposed COPPA Rule revisions expand the methods by which a parent may provide verifiable consent before an operator collects, uses, or discloses a child’s personal information.
The proposal seeks to allow the use of text messages, facial recognition technology, and knowledge-based authentication for parents to provide the required consents. In addition, the FTC is proposing that a parent no longer needs to actually make a purchase with their credit or debit card when they seek to provide consent via use of that card.
Notable Exceptions to Parental Consent
There are two notable exceptions to the standard parental consent model in the proposed rule.
First, the proposed COPPA Rule revisions would obviate the need for parental consent for a child to submit an audio file to an operator. These audio files could consist of a simple voice directive that a child uses in lieu of written text, like talking to Siri, or vocal engagement with a game or service, such as practicing foreign language pronunciation on a learning app. Nevertheless, substantial limits continue to apply to the use of such an audio file and the duration that such audio can be retained by the operator.
Second, the proposal includes a broad “school authorization exception,” which allows schools to provide consent to operators using their students’ personal information for education purposes. While this contrasts with the letter of the current rule, which vests consent authority with parents, the FTC has had in place longstanding guidance that permitted operators to rely on school authorization in limited circumstances rather than on parental consent.
However, the COPPA statute does not itself make clear whether schools have the power to provide the required consents historically entrusted to parents. By formally codifying the school authorization exception, the FTC may find itself in a legal battle over the breadth of its rulemaking authority.
BROADENED DEFINITION OF PERSONAL INFORMATION
The existing COPPA Rule defines a child’s “personal information” as standard identifying data including name, email address, and social security number. The newly proposed COPPA Rule would dramatically expand the information covered under COPPA to include biometric data – specifically any “biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data.”
Commenters did not raise objections to the FTC’s authority to expand the definition of personal information to biometric data. Indeed, the text of COPPA defines personal information broadly enough to allow the Commission, at its discretion, to periodically update the term’s meaning in order to keep pace with technological developments.
ADMINISTRATIVE REQUIREMENTS
In addition to modifying the manner in which operators can interact with children and their parents, the newly proposed COPPA Rule also creates more comprehensive recordkeeping requirements with regard to children’s data.
Operators of websites and online services directed at children would be required to establish, implement, and maintain a comprehensive security program to protect children’s data. This requirement must be formally codified in a written statement and would likely include annual risk assessments as well as procedures for evaluating the effectiveness of any protections in place.
Such operators would also be tasked with authoring a data retention policy that specifies the commercial need for holding onto children’s data. By extension, such operators would need to outline the time frame in which they would delete that data.
KEY TAKEAWAYS AND WHAT TO EXPECT NEXT
Although these are only proposed changes to the COPPA Rule, businesses should begin to consider how their operations could be impacted by such revisions, if adopted. There are four broad takeaways we see as particularly relevant:
1. The proposed rule changes continue a decade-long pattern of the FTC strengthening COPPA's requirements.
2. Some businesses that did not previously consider themselves subject to the COPPA Rule may now have to deal with the rule's requirements, with the FTC specifically highlighting the likelihood of ad exchanges soon falling within the scope of COPPA’s jurisdiction.
3. If the proposed rule changes are finalized, businesses will need to pay attention to the new parental consent requirements, and ensure that they are not disclosing data without obtaining the separate consent.
4. Businesses should also pay more careful attention to the types of data they are collecting, given the proposed rule's expansion of the type of personal data that is subject to COPPA.
Once the proposed COPPA Rule is published to the Federal Register, the FTC will begin the process of accepting public comments. Following publication, parties have 60 days to submit comments.