FTC Proposes New COPPA Rules

The Federal Trade Commission (FTC) proposed changes to the Children’s Online Privacy Protection Rule (COPPA). The proposed COPPA rules aim to shift the burden from parents to providers to ensure that digital services are safe and secure for children through new restrictions on the use and disclosure of children’s personal information. In a notice of proposed rulemaking, the FTC is seeking public comment on the proposed COPPA changes. The public will have 60 days to submit comments after the notice is published in the Federal Register.

The COPPA Rule requires certain websites and other online services that collect personal information from children under the age of 13 to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from these children. The rule also limits the personal data that websites and other online services can collect from children, limits how long they can retain such data, and requires them to secure the data.

The proposed COPPA Rule changes include:

Requiring Separate Opt-In for Targeted Advertising

Building off the existing consent requirement in section 312.5, website and online service operators covered by COPPA would now be required to obtain separate verifiable parental consent to disclose information to third parties, including third-party advertisers, unless the disclosure is integral to the nature of the website or online service. Firms cannot condition access to services on disclosure of personal information to third parties.

Prohibition Against Conditioning a Child’s Participation on Collection of Personal Information

The proposal reinforces the current rule’s prohibition on conditioning participation in an activity on the collection of personal data to make clear that it serves as an outright ban on collecting more personal information than is reasonably necessary for a child to participate in a game, offering of a prize, or another activity. In addition, the FTC is considering adding new language to this section to clarify the meaning of “activity.” 

Limits on the Support for the Internal Operations Exception

The current rule allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information and uses the persistent identifier solely to provide “support for the internal operations of the website or online service.” The proposed rule changes would require operators utilizing this exception to provide an online notice that states the specific internal operations for which the operator has collected a persistent identifier and how they will ensure that such identifier is not used or disclosed to contact a specific individual, including through targeted advertising.

Limits on Nudging Kids to Stay Online

Operators would be prohibited from using online contact information and persistent identifiers collected under COPPA’s multiple contact and support for the internal operations exceptions to send push notifications to children to prompt or encourage them to use their service more. Operators that use personal information collected from a child to prompt or encourage use of their service would also be required to flag such usage in their COPPA-required direct and online notices.

Changes Related to Ed Tech 

The FTC has proposed codifying its current guidance related to the use of education technology to prohibit commercial use of children’s information and implement additional safeguards. The proposed rule would allow schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information but only for a school-authorized educational purpose and not for any commercial purpose.

Increasing Accountability for Safe Harbor Programs

The proposed rule would increase transparency and accountability of COPPA Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission.

Strengthening Data Security Requirements 

The FTC has proposed strengthening the COPPA Rule’s data security requirements by mandating that operators establish, implement, and maintain a written children’s personal information security program that contains safeguards appropriate to the sensitivity of the personal information collected from children.

Limits on Data Retention 

The FTC would also strengthen the COPPA Rule’s data retention limits by allowing for personal information to be retained only for as long as necessary to fulfill the specific purpose for which it was collected. The proposed change would also prohibit operators from using retained information for any secondary purpose, and it explicitly states that operators cannot retain the information indefinitely. The Rule would also require operators to establish, and make public, a written data retention policy for children’s personal information.

The FTC has also proposed changes to some COPPA Rule definitions, including expanding the definition of “personal information” to include biometric identifiers, and stating that the Commission will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed to children.

The COPPA Rule has been in effect since 2000 and was last revised in 2013. Those revisions were made to reflect the increasing use of mobile devices and social networking by, among other things, expanding the definition of personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.

At CompliancePoint, we have a team of experts that can help your organization comply with all applicable privacy regulations, including COPPA, GDPR, CCPA, and all state laws. Contact us at connect@compliancepoint.com to learn more.
