FTC Proposes Changes to the Children’s Online Privacy Protection Rule; Seeks Public Comment
On Dec. 20, 2023, the Federal Trade Commission (“FTC”) announced proposed changes to the Children’s Online Privacy Protection Rule (“COPPA Rule”) that would revise and update current restrictions for online service providers related to the collection, use, and disclosure of personal information from users under 13 years of age. The FTC is currently seeking comment on these potential updates. Below, we explore the FTC’s proposals and examine what you need to know about this potential update.
Separate, Verifiable Opt-In for Targeted Advertising: One of the proposed changes requires a separate, verifiable opt-in by parents before their child’s information may be disclosed to third parties including third-party advertisers, unless disclosure is an integral part of the services or website. This builds on the existing consent requirement under the COPPA Rule. The proposed change further clarifies that companies may not prevent access to their services or website if such consent is withheld.
Prohibition on Conditioning Participation: Another proposed change is that service providers are prohibited from conditioning participation in their activities on a parent’s consent to the collection of personal data beyond what is reasonably necessary to participate. Related to this change, the FTC is considering a revision to the definition of “activity” under the COPPA Rule.
New Requirements for the “Internal Operations Exception”: The current version of the COPPA Rule provides an exception to the requirement that service providers receive parental consent before collecting persistent identifiers; specifically, that the service provider is collecting no other personal information and the use of the persistent identifiers is only for “support for the internal operations of the website or online service.” The proposed changes would require service providers relying on this exception to provide notice of the specific internal operations that necessitate collecting persistent identifiers, and how they will ensure that the information will not be otherwise used or disclosed to contact the user.
Limitations on Nudging: Another proposed change would prohibit companies from using online contact information and persistent identifiers collected under the Internal Operations Exception discussed above to send push notifications or use other “nudging” tactics which encourage children to use their service more. If personal information from children is used to encourage or prompt these users to consume their services, companies would be required to provide notice of such usage in their COPPA-required direct and online notices.
Educational Technology Updates: Another proposed change would codify the FTC’s “Policy Statement of the Federal Trade Commission on Education Technology and the Children’s Online Privacy Protection Act,” which allows schools and school districts to authorize Education Technology (i.e., Ed Tech) companies to collect, use, and disclose students’ personal information solely for school-authorized educational purposes. Any commercial purposes would be strictly prohibited.
“Safe Harbor” Updates: Under the current version of the COPPA Rule, companies are permitted to request “safe harbor” treatment from the FTC if certain conditions are met. The proposed changes would require those receiving such treatment to publicly disclose their membership list and report additional information to the FTC.
Revised Data Security Requirements: For companies and service providers that do collect and use personal data collected from children, the proposed changes to the COPPA Rule would require such parties to create a written data security program and to establish, implement, and maintain it within their organizations. Such programs must implement appropriate safeguards to protect the collected personal information.
Data Retention: Another proposed change would limit retention of personal information to only for as long as is needed to fulfill the specific purpose for which it was collected. Companies would also be prohibited from using this information for any secondary purposes and from saving such data indefinitely.
In addition to foregoing proposed changes, the FTC has proposed updating some definitions, including the definition of “personal information” to include biometric identifiers, as well as clarifying what is considers when determining whether a website or online service is directed to children.
Though these changes have not yet been approved or implemented, it is clear that the FTC is keen on strengthening protections under the COPPA Rule. If you have any questions about how these proposed changes may impact you or your business, feel free to contact our firm.