On Dec. 20, 2023, the Federal Trade Commission proposed amendments to the Children’s Online Privacy Protection (COPPA) Rule, signaling a significant step towards addressing the evolving landscape of technology and online practices. The changes are intended to provide a clearer scope of the COPPA Rule and bolster the protection of personal information collected from children.
The COPPA Rule is a set of regulations for the Children’s Online Privacy Protection Act that is aimed at protecting children’s privacy by placing obligations on operators of websites or online services directed at children under the age of 13, and on operators who knowingly collect personal information online from children under this age.
Over the years, the FTC has periodically reviewed the COPPA Rule to ensure its relevance amidst the technological advancements. The FTC now proposes further modifications to the COPPA Rule to address the new realities of the digital world, including how children interact with technology and how their personal information is used and protected. The FTC has indicated that the proposed changes are meant to “shift the burden from parents to providers to ensure that digital services are safe and secure for children.”
A few of the key proposed updates to the COPPA Rule include:
1. Requiring Separate Opt-In Consent for Third-Party Disclosures: Under the proposed updates, businesses would be required to obtain clear authorization via separate verifiable consent from parents before disclosing information to third parties, including third-party advertisers. This requirement would apply unless the disclosure is integral to the website or online service. Consequently, the default settings for COPPA-covered companies would disallow third-party behavioral advertising and permit it only when parents expressly opt-in. The proposed updates also include new methods for verifiable parental consent, including the use of “knowledge based authentication” or submission of “government-issued photograph identification.”
2. Limiting companies’ encouragement to stay online: The proposed updates will now restrict operators from sending push notifications to encourage kids to use their service more. Operators will need to flag that use in their COPPA-required direct and online notices. This would ensure parents are aware of, and must consent to, the companies’ use of nudges.
3. Limiting the Internal Operations Exception: Currently, operators can collect persistent identifiers without parental consent provided they don’t collect any other personal information and use these identifiers only for internal operations. The FTC proposes that operators claiming this exception must provide an online notice explaining the specific operations for which they’re collecting these identifiers. This move aims to ensure transparency and prevent misuse of data.
4. Restricting Data Retention and Clarifying Deletion: The proposed updates clarify that operators can retain children’s personal information only as long as necessary to fulfill the purpose for which it was collected. This prohibits retaining the information indefinitely or using it for any secondary purpose. The updates also prohibit operators from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities and require operators to publicly post in the notice on their website or service a children’s data retention policy setting forth their purposes for collecting children’s information, the business need for retaining that information, and an appropriate timeline for deletion.
5. Limiting Ed Tech: The proposed updates formalize, amidst other safeguards, the FTC’s guidance that schools and school districts can authorize ed tech providers to collect, use, and disclose students’ personal information, but only for a school-authorized educational purpose and not for a commercial purpose.
6. Increasing Accountability for Safe Harbor Programs: Safe Harbor programs, which offer businesses a mechanism to comply with privacy laws, will be required under the proposed update to publicly disclose their membership lists and report additional information to the FTC. This measure seeks to increase transparency and accountability of these programs.
7. Strengthening Data Security Requirements: The proposed updates enhance COPPA’s existing data security requirements by mandating that operators at a minimum create a written security program for children’s personal information. This program must include safeguards appropriate to the sensitivity of the information collected from children and the operator’s size, complexity, and nature and scope of activities.
8. Definition of Personal Information: The proposed updates expand how “personal information” is defined to include “a biometric identifier that can be used for the automated or semi-automated recognition of an individual including fingerprints or handprints; retina and iris patterns genetic data, including a DNA sequence; or data; or data derived from voice data, gait data, or facial data.”
The FTC is encouraging all interested parties, including parents, academics, consumer groups, tech experts, and businesses, to review the Notice of Proposed Rulemaking and submit their comments for further consideration. In this era of rapidly evolving technology, the FTC’s efforts with the proposed updates represent the importance and commitment to adapting and strengthening the protection of children’s online privacy.
O&A can help with understanding COPPA changes
O&A is here to discuss any questions you may have about the COPPA and other online privacy concerns.
O&A is an elite team of attorneys committed to helping clients achieve their objectives — efficiently and effectively. The firm represents some of the biggest companies in technology and interactive entertainment, as well as some of the world’s most innovative entrepreneurs and emerging growth companies. For more information, please visit https://oandapc.com. O&A’s StartupProgram.com (SUP) is designed to support entrepreneurial startups, offering complete company formation services delivered through an efficient platform coupled with an exclusive e-learning curriculum designed for founders. SUP gets startups up and running at a much lower cost than working with a big law firm – and without the risks of using do-it-yourself legal alternative websites. Visit SUP to learn more or book a demo of the service today.