The Children’s Online Privacy Protection Act (COPPA) rules, in place since 2000, make it illegal for websites and online services to collect personal information from children under 13 without verifiable parental consent. Ten years after the last COPPA rule update, the FTC is now proposing revisions to reflect technological changes, provide greater protection for children’s personal information, and ensure that parents, not companies, remain responsible when it comes to children’s personal information. One major proposed change would further limit companies’ ability to monetize children’s data, making it illegal for companies to disclose information about children without first obtaining parental consent. This means behavioral advertising must be turned off by default, and parents can explicitly say no to behavioral advertising even if they consent to the company’s other data practices. The Federal Trade Commission wants your comments on the enhanced protections it is considering.
After the FTC announced it was considering revising the COPPA rule, we received more than 175,000 comments. The proposed rule reflects input we heard from parents, educators, industry members, researchers, and others, as well as our 23 years of experience enforcing COPPA. You’ll need to read the Notice of Proposed Rulemaking for the details, but here’s a quick review of some of the provisions the FTC is considering:
- Separate opt-in consent for third-party disclosure. Businesses must obtain separate, verifiable parental consent before disclosing information to third parties, including third-party advertisers, unless the disclosure is integral to the nature of the website or online service. This means that companies covered by COPPA must keep third-party behavioral advertising off by default and allow it only if a parent explicitly opts in.
- The “Support Internal Operations” exception. As it stands, operators can collect persistent identifiers without first obtaining parental consent if they do not collect any other personal information and only use the persistent identifier to support internal operations. If operators assert this exception in the future, the FTC expects them to provide online notices explaining the specific operations for which they collect these identifiers and how they ensure that the identifiers are not used to contact specific individuals, including through targeted advertising.
- Restrict companies from encouraging children to go online. Operators may not use certain COPPA exceptions to send push notifications to encourage children to use their services more. Businesses that use children’s information to send these push notifications will also need to disclose this use in their COPPA-required direct and online notices. This ensures that parents are aware of, and must consent to, the company’s use of such nudges.
- Restrictions on Data Retention. The FTC proposal would strengthen COPPA’s existing standards by clarifying that operators can only retain children’s personal information for as long as necessary to fulfill the purpose for which it was collected, and they certainly cannot retain the information indefinitely or use it for any secondary purpose. The FTC also wants businesses to publish their data retention policies for children’s personal information.
- Formalizing educational technology guidance. The emerging edtech industry wasn’t that important during the FTC’s last review of COPPA, but a lot has happened since then. While adding further safeguards, the proposed rule would formalize the Federal Trade Commission’s guidance that schools and school districts may authorize educational technology providers to collect, use and disclose students’ personal information only for educational purposes authorized by the school, and not for any other purpose, such as business purposes.
- Strengthen the accountability of the Safe Harbor program. To increase the transparency and accountability of the COPPA Safe Harbor Program, the proposed rule would require the Safe Harbor Program to publicly disclose its membership and report additional information to the FTC, among other changes.
- Strengthen data security requirements. The proposed rule would strengthen COPPA’s existing data security requirements by requiring operators to develop a written children’s personal information security plan and then put it into practice, including appropriate protections based on the sensitivity of information collected from children.
Another proposed change that reflects the current state of technology: expanding the definition of “personal information” to include biometric identifiers.
Once the Notice of Proposed Rulemaking is published in the Federal Register (we will publish another blog post to let you know when this happens), you will have 60 days to submit public comments, which will appear on regulations.gov. Remember, we welcome the perspectives of academics, consumer groups, technology experts, and others, but we also want to hear from parents, small businesses, and others who deal with COPPA in the real world on a day-to-day basis.