On December 20, 2023, the Federal Trade Commission (FTC) announced proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) that would place significant new restrictions on companies that collect personal information from children under 13.
The COPPA Rule applies to operators of websites and online services that are directed to children under 13 or that have “actual knowledge” that they are collecting personal information from children under 13. It imposes notice, consent, data security, and data minimization requirements, among other things. The FTC last updated the Rule in 2013, when it made a number of changes to reflect the increasing use of mobile devices and social networks (e.g., by expanding the definition of “personal information” to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings). The FTC initiated the current Rule review in 2019, during the prior administration. In response to its request for public comment on updating the Rule, the FTC received over 175,000 comments from industry, consumer advocacy groups, regulators, technologists, and others. We expect to see a similarly robust response to the request for public comment on the proposed changes to the Rule.
The FTC is proposing to modify most of the Rule’s provisions. Key changes to the Rule are summarized below.
Key Changes:
- Expanded definition of “personal information” covered by COPPA: The FTC is proposing to expand the definition of “personal information” to include biometric identifiers that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data.
- New factors added to “directed to children” test: The FTC is proposing to add language indicating that it will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed to children.
- Updated notice and consent requirements and exceptions: The FTC is proposing a number of significant changes to the Rule’s notice and consent requirements and exceptions. Most notably:
  - The COPPA Rule and associated guidance currently allow a single consent for collection, use, and disclosure of children’s personal information, with one nuance: companies must give parents the option to consent to collection and use without consenting to the disclosure of information to third parties if that disclosure is not inherent to the activity the parent is consenting to. Under the proposed Rule, the FTC would require covered entities to obtain separate verifiable parental consent for disclosure unless the disclosure is integral to the nature of the site or service. This would include disclosures to third parties for advertising purposes. The FTC is also proposing to add language that would expressly prohibit companies from conditioning access to the site or service on such consent.
  - The updated Rule would prohibit covered entities from using online contact information and persistent identifiers collected under COPPA’s “multiple contact” and “support for internal operations” exceptions to send push notifications to children or to otherwise prompt or encourage them to use their service more. The FTC states that “[t]his proposed addition prohibits operators from using or disclosing persistent identifiers to optimize user attention or maximize user engagement with the website or online service” and specifically notes that operators cannot use “machine learning processes” to encourage or prompt use of a website or online service.
  - The COPPA Rule currently exempts companies from direct notice and consent requirements if they collect persistent identifiers solely for certain specified categories of “support for internal operations” (e.g., troubleshooting), but these companies must still post a COPPA-compliant online notice. The FTC is proposing to require companies that rely on this exception to enhance their online notice by including detail on the specific internal operations for which they have collected a persistent identifier and how they will ensure that such identifier is not used or disclosed to contact a specific individual, including through targeted advertising or to prompt or encourage children to use their service.
  - The FTC is proposing to codify its guidance setting forth the “school authorization exception,” which allows EdTech providers to get consent from schools, instead of parents, to collect personal information from students—provided that information is used only for educational purposes, not for other commercial purposes. Under the proposal, schools would not be able to consent to the use of student data for advertising or marketing, or for product improvement outside of the service the school authorized. The FTC would allow schools to consent to the use of student data to improve a service directly related to the service the school authorized. The FTC is also proposing to impose additional obligations on providers that rely on this exception, including an obligation to have a contract with the school and to allow the school to review and request deletion of student data.
- New approved consent methods: The FTC is proposing to add new approved methods for obtaining verifiable parental consent, including text messages, knowledge-based authentication, and facial recognition technology. The FTC is also proposing to eliminate the monetary transaction requirement for obtaining consent through a parent’s use of a credit card, debit card, or online payment system—under this proposal, the parent would simply need to enter their payment information without actually being charged.
- New data security requirements: The FTC’s proposal includes a requirement that covered entities establish, implement, and maintain a written comprehensive security program that contains specific elements, such as annual risk assessments and procedures for testing and monitoring the effectiveness of safeguards.
- Limits on data retention: The modified Rule would expressly state that children’s personal information may not be retained indefinitely, and it would clarify that personal information may be retained for only as long as it is reasonably necessary for the specific purpose for which it was collected, and not for any secondary purpose. The FTC is also proposing to require covered entities to establish, maintain, and make public a written data retention policy that specifies the business need for retaining children’s personal information and the timeframe for deleting it.
The FTC is accepting public comment on the proposed changes to the Rule for 60 days after publication in the Federal Register, which should be in the next few weeks.