Last week, the FTC issued a long-awaited notice of proposed rulemaking that will bring changes to the COPPA Rule, the set of FTC regulations that operationalize the Children’s Online Privacy Protection Act (COPPA), which governs online service and website operators focused on children under 13 and the entities collecting or using those children’s personal information. This move follows the FTC’s announcement in 2019 that it would ensure COPPA “remains effective” despite “rapid technological changes” impacting “the online children’s marketplace.”
According to press release from the FTC, the proposed changes would “shift the burden from parents to providers to ensure that digital services are safe and secure for children” and place new restrictions on the “use and disclosure of children’s personal information.” Further, the proposed changes would limit “the ability of companies to condition access to services on monetizing children’s data.”
The public has 60 days from December 20, 2023 to submit comments on the FTC’s proposal.
Key updates to be aware of include:
- Requiring Parental Consent to Disclose Children’s Information: The proposed changes would require covered entities to get clear authorization from parents before sharing a child's personal information with third parties (unless such disclosure is “integral to the nature of the website or online service”).
- Providing Additional Methods for Verifiable Parental Consent: The proposed changes would add use of “knowledge based authentication” or a parent’s submission of a “government-issued photograph identification” to the list of methods for obtaining verifiable parental consent that satisfy the rule’s requirements (provided that each of those methods meet certain specific requirements).
- Imposing Limitations on Encouraging the Use of Services: The proposed changes prohibit operators from using certain information and practices to “encourage or prompt” children to spend more time on their website or service.
- Setting Restrictions on Education Technology Providers: The proposed changes seek to codify existing FTC guidance on the use of education technology (“ed tech”) in schools. The changes would allow schools or districts to authorize ed tech providers to collect, use, and disclose students’ personal information for school-authorized educational purposes only, and “not for any commercial purpose” according to the FTC’s press release.
- Clarifying Data Retention and Deletion Requirements: The proposed changes expressly prohibit retaining information collected from a child online “indefinitely.” The changes also clarify that such information can only be used for the initial reason it was collected, and must be deleted when the information it is “no longer necessary” for that purpose.
- Requiring Children’s Data Retention Policies be Public: The changes also require operators to post in the notice on their website or service a children’s data retention policy setting forth their purposes for collecting children’s information, the business need for retaining that information, and an appropriate timeline for deletion.
- Imposing Limitations on Internal Operations Exception: Under the proposed changes, operators utilizing the internal operations exception under the current rule must provide certain online notice related to that exception.
- Requiring Establishment of Children’s Security Programs: While COPPA currently requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children,” the proposed changes specify that “at a minimum, the operator must establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children and the operator’s size, complexity, and nature and scope of activities.” The proposed changes delineate certain requirements necessary to the establishment of such a program.
- Adding Language Regarding Prohibition on Conditioning: COPPA already prohibits “conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity.” The FTC says it is considering adding language providing that an “activity” means “any activity offered by a website or online service, whether that activity is a subset or component of the website or online service or is the entirety of the website or online service.”
- Expanding “Personal Information” to include “Biometric Identifiers”: The proposed changes would modify the definition of “Personal information,” to include “a biometric identifier that can be used for the automated or semi-automated recognition of an individual including fingerprints or handprints; retina and iris patterns genetic data, including a DNA sequence; or data; or data derived from voice data, gait data, or facial data.
By introducing more rigorous standards for parental consent, data collection retention, and security, the FTC’s proposed changes demonstrate their continued focus on responding to technological advancements and enforcing children's privacy in the digital age.