The Federal Trade Commission (FTC) gave privacy lawyers a long-awaited Christmas gift on December 20, 2023: its notice of proposed rulemaking (NPRM) to amend the Children’s Online Privacy Protection Act (COPPA) Rule. The NPRM follows a review of the COPPA Rule initiated by the FTC four years ago and the submission of over 175,000 public comments. The FTC last modified the COPPA Rule in 2013.

While the FTC declined to propose a number of changes to the COPPA Rule in response to public comments, the NPRM nevertheless sets forth a host of new requirements that, if adopted, would impose substantial new obligations on operators subject to the COPPA Rule. Key proposed changes include the following:

• Addition of biometric identifiers to definition of “personal information.” The FTC proposes expanding the definition of “personal information” covered by COPPA to expressly include biometric identifiers that can be used for the automated or semi-automated recognition of an individual, such as fingerprints, handprints, retina and iris patterns, genetic data, or information derived from voice data, gait data, or facial data.
• Additional “directed to children” factors. The FTC does not propose to eliminate or modify any of the existing factors in its multifactor test to determine if a website or service is directed to children. The NPRM proposes to include examples indicating that it will consider (1) an operator’s marketing materials and representations about the nature of the operator’s site or service, (2) third-party reviews, and (3) the age of users on similar sites or services in determining whether a website or online service is directed to children.
• Disclosures to third parties/targeted advertising. The COPPA Rule currently requires operators to obtain verifiable parental consent to engage in targeted advertising, including any necessary disclosures to third parties to facilitate such targeting, but permits operators to bundle such consent with any other consents they obtain to collect, use, and disclose the child’s personal information. The NPRM would make disclosures to third parties—including for targeted advertising purposes, as well as uses of personal information for advertising purposes—more burdensome.

First, the NPRM proposes that operators be required to obtain separate verifiable parental consent to disclose information to third parties, including third-party advertisers, unless the disclosure is integral to the nature of the website or online service. Second, the NPRM would require operators that share information with third parties to identify the third parties (or categories of third parties) with which they share information, as well as the purposes for such sharing. Third, the NPRM seeks comment on whether the COPPA Rule should adopt a different approach to contextual advertising (which does not require verifiable parental consent under the current COPPA Rule) given the “sophistication of contextual advertising today” and that personal information may be used to enable targeting “even contextual advertising to some extent” and also imposes new obligations on companies relying on the “support for internal operations” exemption discussed below.

These changes and questions—all of which make targeted advertising and potentially even contextual advertising to children more difficult—are consistent with recent trends in state laws and federal bills that either require parental consent for targeted advertising and “sales” of personal information to third parties or outright prohibit them, as well as regulators’ apprehension about advertising to children.

• New notice requirement for “support for internal operations” exception. The NPRM would require operators who rely on the “support for internal operations” exemption for providing notice and choice (which applies when an operator collects persistent identifiers and no other personal information) to state in their privacy policies the specific internal operations for which they collect such identifiers. They also must articulate how they ensure that the identifiers are not used or disclosed to contact a specific individual, including via targeted advertising, or for any purposes other than those permitted by the exemption.
• Limits on nudging kids to stay online. Arguably veering beyond COPPA’s mission of protecting the privacy of kids’ personal information and into more recent policy movements of limiting the amount of time kids spend online, the FTC proposes new friction for operators seeking to use personal information to prompt or encourage children to use their service more, including by sending push notifications. In addition, the FTC proposes prohibiting operators that rely on certain exemptions from notice and consent obligations under the COPPA Rule (including the support for internal operations exemption described above) from using or disclosing personal information in connection with processes that encourage or prompt use of a website or online service.

The FTC explains that this would ensure operators obtain verifiable parental consent before using or disclosing persistent identifiers or other personal information to optimize children’s attention or maximize their engagement with the website or online service. The NPRM also would urge more transparency about such use by requiring operators to explain how they use children’s information in the direct notice to parents, reflecting the FTC’s position that use of children’s information to prompt further use of a website or online service should be stated explicitly.

• Data security. The NPRM would expressly bring to the COPPA Rule the same kinds of data security requirements the FTC requires elsewhere. It would require that operators establish, implement, and maintain a comprehensive written security program that meets specific requirements, such as designating an employee to coordinate the security program, conducting annual risk assessments and implementing appropriate safeguards, regularly testing and monitoring the effectiveness of the safeguards, and taking reasonable steps to conduct security diligence on service providers or third parties that collect or maintain children’s personal information on the operator’s behalf.
• COPPA and schools. The FTC seeks to codify in the COPPA Rule its longstanding guidance that allows providers of technology used in schools to rely on schools and school districts (rather than parents) to provide consent for the collection, use, and disclosure of children’s personal information in the school context if the provider’s collection, use, and disclosure of students’ personal information is only for an educational purpose and not for a commercial purpose. Under the NPRM, schools could not consent for use of student personal information for advertising or marketing purposes, nor for product development or improvement that is not directly related to the service the school authorized. The NPRM also requires that the provider have a contract with the school that meets specified requirements. In addition, the FTC’s proposal would give the school the ability to review the personal information collected from a child in lieu of the parent.
• Data retention limits. The current COPPA Rule imposes broad data minimization requirements. The NPRM would make such requirements much more specific, prohibiting operators from retaining personal information longer than necessary for the specific purpose for which it was collected and not for any secondary purpose, and requiring the deletion of information when no longer reasonably necessary for the purpose for which it was collected (and in no event retained indefinitely). The NPRM would also require operators to publicly state their data retention policies for children’s personal information.

The FTC also posed a series of questions on topics for which it requests further comment that could portend future material changes to the COPPA Rule. Among these are:

• Whether screen or user names should be treated as online contact information even if the name does not allow one user to contact another through the service but could enable one user to contact another by assuming that the user is the same screen or user name on another service, and whether there are measures an operator can take to ensure that a screen or user name cannot be used to permit direct contact with a person online.
• Whether avatars generated from a child’s image constitute personal information under the COPPA Rule even if the image is not uploaded to the service and no other personal information is collected.
• Whether the FTC should provide an exemption for a site or service being deemed directed to children if the operator undertakes an analysis of the audience composition of its site or service and determines that no more than a specific percentage of its users are likely under the age of 13.
• Whether platforms can play a role in establishing consent mechanisms to enable app developers or other operators to obtain verifiable parental consent.
• What types of services should be covered by “school-authorized education purposes,” which schools may authorize technology providers to provide, and whether such purposes should include ensuring the safety of students or schools.

The FTC is accepting comments from the public on the NPRM from 60 days after the NPRM is published in the Federal Register (likely to occur in the next few weeks).