Background on COPPA and the COPPA Rule

Congress enacted the Children’s Online Privacy Protection Act (“COPPA”) in 1998 and directed the FTC to promulgate regulations implementing the statute’s notice and verifiable parental consent requirements. On November 3, 1999, the FTC issued the COPPA Rule, which became effective on April 21, 2000.

Generally, the COPPA Rule requires an operator of a website or online service directed to children, or an operator that has actual knowledge that it is collecting or maintaining personal information from a child, to do the following:

• Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for the information.
• Obtain verifiable parental consent before any collection, use, or disclosure of personal information from children.
• Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance.
• Not require, as a condition a child’s participation in a game, the offering of a prize, or another activity, the child to disclose more personal information than is reasonably necessary to participate in such activity.
• Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

The last time the FTC made revisions to the COPPA Rule was more than 10 years ago, in 2013. In 2019, the FTC initiated a review of the COPPA Rule and received extensive public comments about whether changes were needed. The commenters included industry representatives, video content creators, consumer advocacy groups, academics, technologists, FTC-approved COPPA Safe Harbor programs, members of Congress, and members of the public. The latest proposed amendments would bring significant changes to the COPPA Rule, and it is expected that the FTC will receive many public comments this time as well.

Proposed changes

Some of the key changes include the following:

1. Expanded definition of “online contact information.” The FTC proposes amending the definition of “online contact information” to add “an identifier such as a mobile telephone number provided the operator uses it only to send a text message” to the non-exhaustive list of identifiers that constitute “online contact information.” This amendment, the FTC reasons, would allow operators to collect and use a parent’s or child’s mobile phone number in certain circumstances, such as in connection with obtaining parental consent through a text message.
2. Expanded definition of “personal information.” The FTC believes that the definition of “personal information” needs to be updated to keep pace with technological developments that facilitate increasingly sophisticated means of identification. The definition of “personal information” would expand to include “[a] biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data.” Additionally, the FTC proposes expanding the definition of personal information to include data that is inferred about, but not directly collected from, children, as well as persistent identifiers that can be used to recognize a user over time and across different websites and services.
3. Codification of current FTC guidance on education technology. The FTC proposes codifying its current guidance related to the use of education technology to allow schools to authorize, without express parental consent, ed tech vendors to collect, use, and disclose student personal information for a “school-authorized education purpose.”
4. Additional use restriction for internal operations exception. The COPPA Rule in its current form permits operators to collect persistent identifiers without prior verifiable parental consent, provided that the operator (a) does not collect any other personal information and (b) uses persistent identifiers solely to support the internal operations of the website or online service. The proposed amendments would prohibit operators that use the internal operations exception from using or disclosing personal information in connection with processes, including machine learning processes, that encourage or prompt use of a website or online service. The FTC also proposes prohibiting operators from using or disclosing persistent identifiers to optimize user attention or maximize user engagement with the website or online service, including by sending notifications to prompt the child to engage with the site or service, without verifiable parental consent.
5. Additional factors in “website or online service directed to children” multi-factor test. The FTC proposes adding “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services” as examples of evidence it will consider in analyzing audience composition and intended audience.
6. New definition of “mixed audience website or online service.” The proposed amendments would add a standalone definition for “mixed audience website or online service.” The purpose would be to more clearly distinguish websites or online services that satisfy the multi-factor test for determining whether they are a “website or online service directed to children” but does not target children as their primary audience.
7. Changes to direct notice and online notice provisions. The FTC proposes a number of changes to the COPPA Rule’s direct notice and online notice provisions. One of these proposed changes includes requiring operators sharing personal information with third parties to identify the third parties as well as the purposes of sharing, should the parent provide consent. This change would also require the operator to state that the parent can consent to the collection and use of the child’s personal information without consenting to the disclosure of that information, except where the disclosure is integral to the nature of the website or online service.
8. Requirement to establish a written comprehensive security program. The proposed changes to the COPPA Rule would require operators to, at a minimum, establish, implement, and maintain a written comprehensive security program that contains safeguards that are appropriate to the sensitivity of children’s information and to the operator’s size, complexity, and nature and scope of activities. The required security program must designate an employee to coordinate the program, identify and perform risk assessments on an annual basis, and implement and test controls and safeguards to mitigate identified risks.
9. Contractual data security assurances. The proposed amendments would also clarify that operators that release personal information to third parties or other operators must obtain written assurances that the recipients will employ reasonable measures to maintain the confidentiality, security, and integrity of the information.
10. Limits on data retention. The FTC proposes limiting retention of personal information for only as long as reasonably necessary for the specific purpose for which it was collected. Operators would also be required to delete the information when it is no longer reasonably necessary for the purpose collected. Additionally, the proposed changes would require operators to establish a written data retention policy specifying the operator’s business need for retaining children's personal information and the operator’s timeframe for deleting the information. Retention policies may not provide for indefinite retention.
11. Changes to Safe Harbor programs. The proposed changes would require all FTC-approved Safe Harbor programs to identify each subject operator and all approved websites or online services in the program, as well as all subject operators that have left the program. Additionally, FTC-approved Safe Harbor programs would be required to provide a narrative description of the program’s business model, including whether it provides additional services to subject operators, such as training, and to provide copies of each consumer complaint related to guidelines violations of FTC-approved COPPA Safe Harbor programs.

What’s next

The public comment period is open until March 11. Businesses that are currently affected by COPPA and the COPPA Rule should pay close attention to the FTC’s proposed changes and prepare to update their compliance programs.