On January 18, 2024, the Federal Trade Commission (FTC) discussed its long-anticipated proposed changes for the Children’s Online Privacy Protection Rule (COPPA) in an open meeting. Released in a notice of proposed rulemaking the month prior, these proposed changes would add new restrictions on using and disclosing children’s personal information, as well as new limitations on access and monetization, in the first changes to COPPA since 2012.1
The comment period for the proposed changes closes March 11, 2024.
Background
First enacted in 1998, COPPA was created to establish requirements for Operators of websites or online services regarding how they collect, use and share personal information of children under 13 years of age, in order to give parents more control over information collected from their children.
The COPPA Rule, which was issued by the FTC in 1999 and first went into effect in 2000, requires certain websites and other online services that collect personal information from children under the age of 13 (called “Operators”) to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The rule also limits the personal data that websites and other online services can collect from children, limits how long they can retain such data and requires them to secure the data.
The last amendments to the COPPA Rule went into effect in 2013 and attempted to address the impact of social media and mobile devices. The new proposed rules, which were issued on December 20, 2023, impose significant new obligations on Operators.
Proposed Updates
The FTC’s proposed changes include the following:
Building on existing consent requirements, the proposed changes would require Operators to obtain a separate consent to disclose personal information to third parties, including third party advertisers, except where disclosure is integral to the nature of the website or online service. Operators must make clear to parents that they are able to consent to the collection and use of their child’s information without consenting to that information being disclosed. Operators would also be prohibited from conditioning access to the website or online service on this consent.2
The proposed change would expand the definition of “personal information” to include biometric identifiers that can be used for the automated or semi-automated recognition of an individual, like fingerprints, handprints, retina and iris patterns, genetic data or data derived from voice, gait or facial data. The FTC stated that this change will enable the rule to keep up with more advanced modes of identification.3
The FTC proposes codifying its current guidance on the use of education technology, allowing schools to authorize ed tech vendors to collect, use and disclose student personal information without express parental consent, for a “school-authorized education purpose” only, and not for commercial purposes.4
- More Factors for Being Considered a “Website or Online Service Directed to Children”
The proposed changes would add “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services” as examples of evidence the FTC will consider in the multifactor test to determine if a website or online service is directed to children, among other changes.5 The proposed rule adds a standalone definition for “mixed audience website or online service” for websites that meet the multifactor test criteria, but do not primarily target children.6 Where third-party content on a platform is child-directed under the Rule’s multifactor test but the platform does not target children as its primary audience, the Operator can request age information and provide COPPA protections only to those users who are under 13.
The proposed changes would strengthen the COPPA Rule’s data security obligations, requiring Operators to establish, implement and maintain a written comprehensive security program that contains safeguards that are appropriate to the sensitivity of children’s information and to the Operator’s size, complexity, and nature and scope of activities. Under this program, Operators will designate an employee to coordinate the program, perform annual risk assessments and implement and test controls and safeguards to mitigate risks. Operators that disclose personal information to third parties would also be required to obtain written assurances that recipients will employ reasonable measures to maintain the confidentiality, security and integrity of the information.7
The FTC proposes expanding the COPPA Rule’s data retention limits, permitting the retention of personal information for only as long as reasonably necessary for the specific purpose for which it was collected. The proposed changes add an explicit requirement to delete the information when it is no longer reasonably necessary for the purpose for which it was collected. Operators would also be required to create a written data retention policy specifying the business need for retaining children’s personal information, and the timeframe for deleting it (which cannot be indefinite).8
The FTC’s COPPA Safe Harbor programs allow industry groups to apply for FTC approval of self-regulatory groups. The FTC’s proposed changes would improve the FTC’s oversight of these programs, increasing transparency and accountability by, for example, requiring Safe Harbor programs to publicly identify their subject Operators and publish descriptions of the Safe Harbor’s business model and copies of each consumer complaint related to alleged violation of the program’s guidelines.9
The current COPPA Rule allows collection of persistent identifiers without prior verifiable parental consent, provided that the operator (1) does not collect any other personal information and (2) uses the persistent identifier solely to support the “internal operations” of the website or online service. The proposed change would prohibit Operators using this internal operations exception from using or disclosing personal information in connection with processes (including machine learning) that encourage or prompt use of a website or online service. Operators would need verifiable parental consent in order to use or disclose persistent identifiers to optimize user attention or maximize engagement with their website or online service.10
This proposed change would amend the definition of “online contact information” by adding “an identifier such as a mobile telephone number provided the operator uses it only to send a text message” to the non-exhaustive list of identifiers considered “online contact information.” The FTC intends this change to allow Operators to collect and use a parent’s or child’s mobile phone in certain circumstances, such as obtaining parental consent through a text message.11
Next Steps
Companies currently operating under the COPPA Rule should review the proposed changes and determine if they wish to comment by the March 11 deadline. We will continue to monitor these proposed COPPA Rule changes as well as other similar developments. Please contact a member of Akin’s cybersecurity, privacy and data protection team to learn more about how these changes may affect your company.
1 89 Fed. Reg. 2034 (January 11, 2024).
2 Id. at 2051.
3 Id. at 2041.
4 Id. at 2043-44.
5 Id. at 2047.
6 Id. at 2048.
7 Id. at 2061.
8 Id. at 2062.
9 Id. at 2063.
10 Id. at 2045.
11 Id. at 2040.