The Children’s Online Privacy Protection Rule requires operators of websites and online services that are directed to children under 13 years of age, or that have “actual knowledge” they are collecting personal information from children under 13 years of age. The COPPA Rule imposes notice, consent, data security and data minimization requirements.

On December 20, FTC attorneys announced a Notice of Proposed Rulemaking proposing revisions to the Children’s Online Privacy Protection Rule. The agency has also requested public comment on the NPRM, including, but not limited to: (i) whether the definition of "personal information" should be modified to include other identifiers; (ii) whether the FTC should maintain its stance vis-a-vis an operator not being deemed to have “collected” personal information if it employs automated means to delete all (or, virtually all), personal information from one-to-one communications; (iii) whether avatars generated from a child’s image constitute personal information’ and (iv) whether platforms can play a role in establishing consent mechanisms to enable obtaining verifiable parental consent.

The proposed changes include, without limitation:

• modifying the definition of “personal information” to include biometric information
• requiring separate parental consent for sharing (in addition to collection) children’s data
• requiring operators to disclose their data retention policies, the type of third parties “to which the operator discloses personal information and the purposes for such disclosures,” and where applicable, “the specific internal operations for which the operator has collected a persistent identifier”
• if the operator collects audio files that contain a child’s voice, the NPRM proposes that website notice must describe “how the operator uses such audio files and that the operator deletes such audio files immediately after responding to the request for which they were collected”
• if applicable, an operator must identify that it “has obtained authorization from a school to collect a child’s personal information,” and will follow the school’s policies for protecting that information
• additional methods for operators to obtain parental consent
• amendment of the current definition of “online contact information” to include “an identifier such as a mobile telephone number provided the operator uses it only to send a text message” to identifiers constituting “online contact information” (e.g., via text message)
• permission for operators to verify parental consent via a knowledge-based authentication that: (i) “uses dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low;” and (ii) uses questions of a “sufficient difficulty that a child age 12 or younger in the parent’s household could not reasonably ascertain the answers”
• permitting parents to submit “a government-issued photographic identification that is verified to be authentic and is compared against an image of where the parent’s face taken with a phone camera or webcam using facial recognition technology and confirmed by personnel trained to confirm that the photos match; provided that the parent’s identification and images are deleted by the operator from its records after the match is confirmed”
• requiring operators to obtain separate parental consent for sharing children’s data, and this include for targeted advertising purposes (operators would be required to provide parents the option to consent to the collection and use of the child’s personal information without consenting to the disclose of such information, “unless such disclosure is integral to the nature of the website or online service”) [ “separate verifiable parental consent to such disclosure" would be required and such consent must not be a condition to access to the website or online service]

The proposed changes also include stringent data retention and deletion requirements:

• operators would only be permitted to retain personal information as long as “reasonably necessary for the specific purpose for which it was collected, and not for any secondary purpose”
• operators would be required to “delete the information when such information is no longer reasonably necessary for the purpose for which it was collected”
• a restriction that personal information collected from a child “may not be retained indefinitely”
• requiring operators to implement written data retention policies that covers “its business need for retaining children’s personal information and its timeframe for deleting it, precluding indefinite retention”

The proposed changes also cover schools, state educational agencies and local education agencies:

• codifying FTC’s guidance that schools, state educational agencies and local educational agencies may authorize the collection of personal information from students under 13 years of age in limited circumstances (e.g., where the data is used for a school-authorized education purpose, as opposed to a commercial purpose)
• a proposition to define “school” as “a state educational agency or local educational agency . . . as well as an institutional day or residential school, including a public school, charter school, or private school, that provides elementary or secondary education, as determined under State law”
• addition of the phrase “School-Authorized Education Purpose,” defined as “any school-authorized use related to a child’s education” (“use” being limited to “operating the specific educational service that the school has authorized, including maintaining, developing, supporting, improving, or diagnosing the service, provided such uses are directly related to the service the school authorized”) [the foregoing would not include “commercial purposes unrelated to a child’s education, such as advertising”]

The proposed changes also propose to amend the definition of "personal information":

• a proposal to amend the definition of “personal information” to include “[a] biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data”
• a prohibition on conditioning a child’s participation in an activity “on the child’s disclosing more personal information than is reasonably necessary to participate in such activity”
• requiring operators to design and implement written security programs that includes specific safeguards for children’s personal information (e.g., appointing designated personnel and audit/remediation procedures)

The NPRM would require COPPA Safe Harbor programs to demonstrate that they meet certain performance standards, including, but not limited to:

• the provision of, at least, substantially similar safeguards for children as required by COPPA
• a mechanism that ensures the independent assessment of compliance with the COPPA Safe Harbor program’s guidelines
• Remedial action in the event of failure to comply with self-regulatory program guidelines
• a requirement that FTC-approved COPPA Safe Harbor must “identify each subject operator and all approved websites or online services in the program, as well as all subject operators that have left the program”

Interested parties will have 60 days from the date that the NPRM is published in the Federal Register to provide comments.

Takeaway: Consult with an experienced FTC defense lawyer about the proposed changes to the COPPA Rule, including, without limitation, parental consent options, parental consent for third-party disclosures, parental consent for education technology, the use and disclosure of persistent identifiers, data retention and security protocols, maintenance of data security “reasonable procedures,” the meaning of “directed to children,” and an expanded definition of “personal information,”