FTC Moves to Modernize Children’s Online Privacy Protection Rule

Introduction

In an age where children are increasingly engaging online, concerns over their privacy have reached a crescendo. Shrills for reform have echoed across the United States, urging policymakers to take decisive action. However, with Congress divided and preoccupied with other matters, the onus has fallen on regulatory bodies to address the issue.

While privacy experts predict movement in other areas of government, the first chess piece has been moved once again by the U.S. Federal Trade Commission (FTC). After almost four years of review and 175,000 public comments later, the FTC unveiled its plan to update the Children’s Online Privacy Protection Rule (COPPA Rule) on December 20, 2023, after the Commission voted 3-0.  The last COPPA revision was made in 2013.

The FTC prioritized the upcoming changes/modernization to align the 25-year-old rule to an era in which online tools are integral to daily life — and where companies are deploying increasingly sophisticated digital tools to surveil children.

2024 Priorities: Data Minimization, Data Retention and Deletion, & Online Safety Measures

Key provisions include requiring verifiable parental consent for targeted advertising, setting data retention limits, enhancing COPPA Safe Harbor accountability, limiting push notifications, restricting surveillance in schools, and strengthening data security. The proposed changes aim to reinforce parental control over children’s online activities, shifting the burden from parents to service providers. By requiring affirmative obligations on providers and prohibiting the exploitation of children’s data for targeted advertising, the FTC seeks to establish a safer digital environment for young users.

In addition, the FTC has proposed changes to some definitions in the rule, including expanding the definition of “personal information” to include biometric identifiers and stating that the Commission will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed to children.

The FTC proposed language indicating that it will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed to children.

The FTC also added new approved methods for obtaining verifiable parental consent, including text messages, knowledge-based authentication, and facial recognition technology. The FTC is also proposing to eliminate the monetary transaction requirement for obtaining consent through a parent’s use of a credit card, debit card, or online payment system — under this proposal, the parent would simply need to enter their payment information without actually being charged.

New data security requirements ensure entities establish, implement, and maintain a written comprehensive security program that contains specific elements, such as annual risk assessments and procedures for testing and monitoring the effectiveness of safeguards.

There are also limits on data retention by expressly stating that children’s personal information may not be retained indefinitely. Instead, it is taking a more stringent approach by only allowing personal information to be retained for only as long as it is reasonably necessary for the specific purpose for which it was collected, and not for any secondary purpose. Auditing is certainly on the noggin as the rule changes also proposed a requirement for entities to establish, maintain, and make public a written data retention policy that specifies the business need for retaining children’s personal information and the timeframe for deleting it.

What isn’t Changing?

Teen Privacy Protections

The proposed rulemaking does not address raising the age of a “child” beyond 12, as urged by many commentors. Reason: the agency does not have the authority to change the age of a child, which is established in the Act.

Knowledge Standard

Currently, COPPA only applies to “child-directed” services or when an operator has “actual knowledge.” Despite many comments urging the FTC to change the standard from the “actual knowledge” standard to a “constructive knowledge” or another less definite standard, the agency declined to do so.

Inferred Data

Not included because the Act makes clear that COPPA applies to information collected from a child, not about a child. Many children provide information without understanding the extent of the information disclosed.

Closing

The public will have 60 days to submit a comment on the proposed changes to the COPPA Rule after the notice is published in the Federal Register. Information on how to submit a comment will be included in the Federal Register notice. Once submitted, comments will be posted to Regulations.gov.

Once the new changes have been made, we will update you in our Data Privacy & Cybersecurity blog.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.