The FTC is proposing significant changes to the Children’s Online Privacy Protection Act (COPPA) rule to place new restrictions on the use and disclosure of children’s personal information.

The COPPA Rule requires websites and online services to obtain parental consent before collecting personal information from children under age 13. The proposed changes are intended to address the evolving ways personal information is collected and used, including actions that monetize children’s data.

Some of the proposed changes include:

Updating the Definitions of “Online Contact Information,” “Personal Information,” and “Website or Online Service Directed to Children.” The FTC wants to clarify the definition of “Online Contact Information” to include a mobile telephone number used only for the purpose of sending a text message to obtain parental consent. The FTC also wants to expand the definition of “Personal Information” to add biometric data such as fingerprints or facial scans.

The Rule currently uses a multi-factor test to determine whether a site or service is directed to children under 13. The revisions would not eliminate any of the factors now considered; however, the FTC proposes to include examples to help identify the intended or actual audience of a site or service, including marketing or promotional materials or plans, reviews by users or third parties, and the age of users on similar websites or services.

The FTC also asks if the Rule should provide an exemption under which an operator’s site or service would not be deemed child-directed if the operator analyzes the site’s or service’s audience composition and determines that no more than a specific percentage of its users are likely to be children under 13. The revisions would include a definition for a mixed audience website or online service as a site or service that meets the criteria of the multi-factor test but does not target children as the primary audience. Such sites and services would only need to apply COPPA protections to users under 13.

Clarifying When Verifiable Parental Consent is Required. Website and online service operators would be required to obtain verifiable parental consent before disclosing information to third parties, including third party-advertisers, unless there is an integral need for the information. Additional changes would include requiring operators taking advantage of the persistent identifier exception, which allows operators to collect persistent identifiers without obtaining consent, to provide a notice online which states the specific internal operations for which identifiers are used and explains how operators will ensure that identifiers are not used to identify individuals.

Reconfirming the Outright Prohibition on Conditioning a Child’s Participation in an Activity to Collect Personal Information. The FTC restates that the ban on collecting more personal information than is reasonably necessary for a child to participate in an activity applies even if an operator has obtained consent to collect information beyond what is reasonably necessary. The FTC asks for comment on whether new language should be added to clarify what constitutes an “activity.”

Limits on Encouraging Kids to Remain Online. Operators would not be allowed to use online contact information or persistent identifiers to prompt kids to increase their use of the service. Operators who engage in nudging children to return to their service must flag such usage of personal information for these purposes in their direct and online notices.

Codifying Ed Tech Guidance. The FTC proposes to codify its guidance that personal information from students under 13 may be collected in very limited circumstances related to educational purposes by schools, and state and local educational agencies.

Heightened Protections and Safeguards for Children’s Data. Operators would be required to establish a written comprehensive security program with safeguards based on the sensitivity of the children’s data.

Strengthening Data Retention Policies. Personal information from a child could not be retained indefinitely and should only be retained for as long as reasonably necessary for the specific purposes for which it was collected, and not for any secondary purpose. The revised Rule would also establish guidelines for a public, written data retention policy for children’s personal information.

Safe Harbor Program Enhancements. An FTC-approved COPPA Safe Harbor program’s assessments would need to include comprehensive reviews of an operator’s privacy and security policies. Overall transparency and accountability of safe harbor program participants would also be improved through public disclosure of membership lists and additional reporting to the FTC.

The proposed changes were published in the Federal Register on January 11, 2024. Comments must be submitted by March 11, 2024.