In loco parentis? COPPA and sweeping changes to tech companies’ responsibilities to keep kids safe online

Eversheds Sutherland (US) LLP

On December 20, 2023, the Federal Trade Commission (FTC) announced a Notice of Proposed Rulemaking (NPRM or Proposed Rule) to update its Children’s Online Privacy Protection Act (COPPA) rule[1] (the Rule) for the first time since 2013.[2] The federal law imposes requirements and restrictions on the use, collection, and disclosure of children’s personal information and allows parents to control websites’ collection of their children’s information. The Rule specifically covers commercial websites and online services (including apps) directed to children as well as general audience website operators and online services that have “actual knowledge” that they are collecting, disclosing or using personal information from children under 13 years of age[3] or have “actual knowledge” that they are collecting personal information from users of other websites directed to children (collectively, online service operators).[4]

The Rule currently requires clear and direct notice to parents regarding the online service operator’s information practices, verifiable parental consent to collect, use, or disclose a child’s personal information, parental access to their child’s personal information, confidential and secure maintenance of collected data, and deletion of information by reasonable measures when retaining such data is no longer necessary. With a focus on both privacy and online safety, the Proposed Rule tackles the protection of “a range of biometric identifiers as personal information,” provides potential consent workarounds, and prohibits keeping children’s data “forever”.

Key Proposed Changes

Additional guidelines in the Rule are increasingly important given technology’s rapid evolution. Online tools and resources serve as important educational aids. To illustrate, two in five US school children participate in online learning with well over half needing to access online educational resources daily.[5] The FTC’s goal is to shift the burden for keeping children safe digitally from parents to the online service operators.[6] The regulatory update is designed to place affirmative obligations on service providers while prohibiting them from offloading their responsibilities to parents.[7] Some key changes in the Proposed Rule include:

  • Expanding Definitions: The definition of “personal information” may be modified to include biometric identifiers that can be used for automated or semi-automated recognition. This may include fingerprints, voice data, retina scans, and facial recognition, among other identifiers. The proposed definition for “online contact information” includes mobile phone numbers as an identifier.
  • Limits on Nudging: The FTC proposes to modify the exceptions to parental consent to prohibit the use of personal data collected under an exception to “send push notifications to children to prompt or encourage them to use [the] service more.” Any use of children’s personal information or information used to encourage a child’s use of the service would also need to be clearly disclosed in an online notice.
  • Third Party Disclosures and Targeted Advertising: The current Rule requires verifiable parental consent before any collection, use, or disclosure of personal information from children.[8] However, once consent is obtained, it could be misused as a blanket consent for the provider’s varied processing of a child’s information. The Proposed Rule modifies this provision to require a separate verifiable parental consent to disclose information to third parties including third party advertisers, which would limit the use of children’s data for targeted advertising. The separate consent is not required if the disclosure is integral to the nature of the website or online service.
  • Safe Harbor Accountability: With respect to the self-regulatory Safe Harbor programs, proposed changes would increase FTC oversight, transparency, and accountability by mandating that the programs publish business models, consumer complaints alleging violations of the programs’ guidelines, and the programs’ member lists.
  • Data Security Requirements: Modeled after its Safeguards Rule, the FTC proposes a requirement that online service operators “at minimum, establish, implement, and maintain a written comprehensive security program that contains safeguards that are appropriate to the sensitivity of children’s information and to the operator’s size, complexity, and nature and scope of activities.” Additional requirements include designating an employee to oversee the program and annual risk assessments. These stronger data security requirements reflect an expansion of the FTC’s typical security requirements in other arenas into children’s online safety. It is important to note that concurrently the FTC is adding a breach notification requirement to its Safeguards Rule this year. This then would obligate online service operators to ultimately give the FTC notice of reportable breaches.[9]
  • Limits to Data Retention: Setting out more specific limits on data retention, the Proposed Rule would prevent online service operators from retaining personal information for any secondary purpose or for longer than necessary. These operators would also be required to create and publish data retention policies specific to children’s personal information.
  • School Authorization Exception: Under the proposal, schools are authorized to consent to the collection of personal information for students under 13 when the information is for a “school-authorized education purpose”. This measure codifies existing FTC educational technology guidelines and requires a written agreement between schools and “ed tech”. The agreement must include details such as who is authorized to give consent, limitations on the use and disclosure of student data, specifications that the school will have direct control over the data usage and maintenance, and the provider’s retention policy. This exception to parental consent will allow schools to use certain technologies without needing to obtain parental consent for each use.
  • Notice for Support for Internal Operations Exception: An exception in the current Rule allows online service operators to collect persistent identifiers that are used solely to support the site’s internal operations without parental consent. This Proposed Rule adds a requirement for notice to be given detailing the internal operations for which the identifiers are collected and how the use of the identifiers will be limited.

Congressional Action and Legislative Lag

The FTC’s move to update the Rule comes as Congress lags on finalizing children’s privacy and online safety legislation. The proposed Children and Teens' Online Privacy Protection Act (COPPA 2.0) and the Kids Online Safety Act (KOSA) have been available for full Senate votes since July 2023, following green lights from the Senate Committee on Commerce, Science and Transportation. However, movement on both bills has stalled due to competing Senate priorities and general division over various policy points, specifically with KOSA. It seems likely that KOSA will pass the Senate, having recently garnered 65 cosponsors as of March 7, 2024. Congress has further shown interest in regulating child online safety through recent hearings. On January 31, 2024, the Senate Judiciary Committee held a hearing to question tech giants on child safety and claims of online exploitation. An Achilles heel for any federal legislation in this area may be preemption clauses, which became the death knell for the bipartisan bicameral privacy bill that did not pass in 2023 due to opposition from state attorneys general.[10]

Conclusion/Next Steps

The increase in concern surrounding children’s online privacy and associated pending legislation will likely result in other regulatory developments related to children’s personal information. Online service operators and companies that process children’s personal information should stay on top of regulatory and legal requirements. Companies should review the Proposed Rule and consider whether internal policies or processes may need to be updated if the Proposed Rule goes into effect.
__________

1 An FTC rule required by the Children’s Online Privacy Protection Act (COPPA), 15 USCS §§ 6501 et seq.

2 Changes were made in 2013 “to reflect the increasing use of mobile devices and social networking by, among other things, expanding the definition of personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.” Press Release, Federal Trade Commission, FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Companies’ Ability to Monetize Children’s Data (Dec. 20, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens?utm_source=govdelivery.

3 While COPPA only applies to children under 13 and not to teenagers, the FTC provides guidance documents related to online safety for teens. See the FTC’s guidance, https://consumer.ftc.gov/identity-theft-and-online-security/online-privacy-and-security.

4 See Rule Summary https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa.

5 See, e.g., statistics published at https://www.devlinpeck.com/content/online-learning-statistics.

6 See Press Release, Federal Trade Commission, supra note 2 (stating that “The proposal aims to shift the burden from parents to providers to ensure that digital services are safe and secure for children.”).

7 Id. (“By requiring firms to better safeguard kids’ data, [the] proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”).

8 See 16 C.F.R. § 312.5(a)(1).

9 See https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.

10 The American Data Privacy and Protection Act, H.R. 8152, was introduced in June 2022; in July 2022, California’s CCPA and eleven states’ attorneys general issued a letter opposing the proposed law on preemption grounds. https://cppa.ca.gov/announcements/2022/20220815.html.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
