State AGs and Other Stakeholders Weigh In On Proposed COPPA Rule Update

Alston & Bird

The Federal Trade Commission (FTC) received over 270 comments to its notice of proposed rulemaking (NPRM) for the amendments to the Children’s Online Privacy Protection Rule (COPPA Rule) during the public comment period that ended on March 11, 2024.  The NPRM reflects the FTC’s continued effort to modernize the COPPA Rule, which implements the Children’s Online Privacy Protection Act (COPPA) and regulates operators of websites and online services that collect personal information from children.  Our previous advisory discusses notable proposals in the NPRM in more detail.

National Association of Attorneys General

One of the notable comments was the letter the National Association of Attorneys General (NAAG) submitted on behalf of a nonpartisan coalition of 43 state attorneys general (AGs).  We expect the letter to offer particular insight into regulators’ expectations for protecting children’s privacy online, given that state AGs (in addition to the FTC) have statutory authority to enforce COPPA under 15 U.S.C. § 6504.  Key recommendations by the NAAG included the following:

  • Scope of personal information.  The NAAG supported the FTC’s suggestion to expand the scope of “personal information” the COPPA Rule protects to expressly include biometric data, including data derived from voice data, gait data, or facial data, due to the increasing prevalence of wearable devices like smartwatches and fitness trackers, as well as “avatar[s] generated on the child’s image and likeness” and “information concerning the child or the parent of that child that may otherwise be linked or reasonably linkable to personal information of the child.”
  • “Support for the internal operations” exception.  The NAAG recommended that the FTC narrow the scope of the “support for the internal operations” exception.  This exception allows operators to collect and use children’s persistent identifiers for certain permissible purposes without obtaining a verifiable parental consent (VPC), if they do not collect any other personal information from children.  One of the permissible purposes is content personalization, and the NAAG claimed that operators may interpret this provision to justify the use of manipulative targeting techniques on children without obtaining a VPC.  The comment thus urged the FTC to clarify that permissible personalization under the exception refers only to “user-driven” personalization, such as providing user-selected functions or settings.
  • Contextual advertising.  The NAAG suggested that the FTC make “contextual advertising” into a defined term with a narrowly tailored meaning.  Serving contextual advertising is another permissible purpose under the “support for the internal operations” exception to the VPC requirement, but the COPPA Rule currently does not define “contextual advertising.”  The NAAG expressed concerns that this lack of clarity may lead to advertisers using advanced advertising techniques, including those with artificial intelligence capabilities, to serve pervasive contextual advertising without obtaining a VPC.
  • Separate VPCs for collection and disclosure.  The NAAG supported the FTC’s proposal to require two distinct VPCs for operators intending to disclose children’s personal information – one VPC that covers collection, and another VPC that covers disclosure.  Under the current COPPA Rule, operators that obtain a VPC at the point of collection do not need a separate VPC for disclosing that information.  Noting the state AGs’ particular concern around disclosures of children’s personal information, the comment commended the proposed two-track VPC requirement as “an avenue for parents to further protect their child’s personal information.”
  • School-authorized education purpose.  The NAAG recommended that the FTC further clarify the scope of the new “school-authorized education purpose” exception to the VPC requirement in the NPRM.  The FTC proposed this new exception to allow schools and education agencies to authorize, on behalf of parents, educational technology providers’ collection, use, and disclosure of children’s personal information for a “school-authorized education purpose.”  The comment suggested aligning the scope of “school-authorized education purpose” with existing state student privacy regulations, by narrowly tailoring the definition to only include activities “directly related to education, administration, collaboration, and the overall well-being of students within the educational environment.”

Other Notable Comments

The California Privacy Protection Agency (CPPA) also submitted a comment providing background on how California law regulates businesses’ use of children’s personal information.  The CPPA did not opine on any specific proposal in the NPRM, but the comment noted that the CPPA’s implementation and enforcement of the California Consumer Privacy Act could serve as helpful guidance for the FTC’s consideration of those issues.

Other notable commenters included privacy advocacy groups, such as the Future of Privacy Forum, Electronic Privacy Information Center, and Center for Democracy and Technology, as well as industry associations, including NetChoice, U.S. Chamber of Commerce, and Network Advertising Initiative.  These comments addressed several issues implicated by the NPRM, including:

  • Whether the amended scope of “personal information” in the NPRM is adequate;
  • How the FTC should balance the potential benefits of requiring a separate “disclosure VPC” with the associated risks, such as consent fatigue parents may experience or an increased transmission of data from parents to operators;
  • How the FTC should determine the adequate scope of permissible “contextual advertising” under the “support for the internal operations” exception;
  • How the FTC should tailor the scope of the “school-authorized education purpose” exception; and
  • Whether the additional governance measures for operators the FTC proposed in the NPRM, such as written retention and security policies, are adequate.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising
