As we discussed last year, the Federal Trade Commission (FTC) has increased its focus and its enforcement related to the Children’s Online Privacy Protection Act (COPPA), especially in the educational context. Now the FTC is taking further steps to secure and protect children’s information as online tools and technologies continue to quickly advance.
In December 2023, the FTC issued a notice of proposed rulemaking to the COPPA rule that focuses on targeted advertising, push notifications, surveillance in the educational context, and providing more clarity on the exceptions under COPPA. According to the FTC Chair Linda M. Kah, “[t]he proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.” Moreover, the FTC issued a lengthy statement from Commissioner Alvaro M. Bedoy that attempts to dispel the critiques around COPPA and other regulations around children’s data collection, such as the critique that many violations of such data privacy statutes regulate conduct that does not involve a great deal of harm. Looking at all of the above, it is clear that the FTC believes new tools and technologies utilized by companies online are a major risk to children and that this new rulemaking is necessary to keep up with such new tools and technologies.
Per the notice of proposed rulemaking, the FTC has proposed the following changes:
- Requiring separate opt-in for targeted advertising. In addition to the existing consent requirements, operators would now be required to obtain separate verifiable parental consent to disclose information to third parties, including advertisers.
- Prohibition against conditioning a child’s participation on collection of personal information. The FTC is seeking to bolster the current requirements under COPPA by specifically banning the conditioning of a child participating in an “activity” on the collection of their personal information. Per comments from the FTC, it is considering adding language clarifying what “activity” shall mean.
- Limits on the support for the internal operations exception. Currently, COPPA provides an exception that allows for the collection of persistent identifiers without obtaining parental consent as long as such information is only used to support internal operations. This new proposal would require such operators utilizing this exception to now provide a notice that states the specific internal operations for which the information is being used. This notice must also include information on how the operator will ensure that such information will not be used to contact the individual or for targeted advertising.
- Limits on nudging kids to stay online. This new proposal would include limits on how an operator can provide prompts and notifications to encourage children to stay online and continue using its services.
- Changes related to Ed. Tech. As we discussed previously, the FTC has increased its focus on the use of children’s personal information in the educational context. The new proposal would allow schools and districts to authorize educational technology providers to collect, use, and disclose personal information but only for a school-authorized educational purpose and not for any commercial purpose.
- Increasing accountability for Safe Harbor programs. Currently, COPPA has Safe Harbor programs. This new proposal would require each Safe Harbor program to publicly disclose its membership list.
- Strengthening data security requirements. This new proposal accounts for administrative safeguards as well, including requirements that operators establish a written children’s personal information security program.
- Limits on data retention. This new proposal would also provide clarity regarding the retention of children’s personal information. This new proposal would (1) prohibit an operator from retaining children’s information indefinitely; (2) prohibit an operator from using such retained information for a secondary purpose; (3) only allow retention of children’s personal information for as long as necessary to fulfill the purpose in which it was collected; and (4) require operators to post a publicly available written data retention policy regarding its collection of children’s personal information.
Lastly, this new proposal will include updates to some of the definitions under the COPPA rule, such as including biometric identifiers under the definition of “personal information.”
The FTC is seeking public comments regarding the proposed rulemaking. The comment period ends on March 11, 2024.
Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company’s legal or compliance obligations. Taft’s Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don’t forget to download our free mobile app, to give you quick, real-time access to Taft PDS content and updates like this one.