FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Companies’ Ability to Monetize Children’s Data

The Federal Trade Commission has proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) that would place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition access to services on monetizing children’s data. The proposal aims to shift the burden from parents to providers to ensure that digital services are safe and secure for children.

In a notice of proposed rulemaking, the FTC is seeking comment on proposed changes to the COPPA Rule aimed at addressing the evolving ways personal information is being collected, used, and disclosed, including to monetize children’s data, and clarifying and streamlining the rule. The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services that collect personal information from children under the age of 13 to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from these children. The rule also limits the personal data that websites and other online services can collect from children, limits how long they can retain such data, and requires them to secure the data.

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina M. Khan. “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children. By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”

The FTC initiated the latest review of the COPPA Rule in 2019 and received more than 175,000 comments on its request for public comment on whether changes were needed to the rule. The agency also held a workshop in October 2019 on whether to update the COPPA Rule in light of evolving business practices in the online children’s marketplace, including the increased use of voice-enabled connected devices, educational technology, and general audience platforms hosting third-party child-directed content.

The FTC last made changes to the COPPA Rule in 2013 to reflect the increasing use of mobile devices and social networking by, among other things, expanding the definition of personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.

In a notice that will be published in the Federal Register shortly, the FTC has proposed several changes to the rule, including:

• Requiring Separate Opt-In For Targeted Advertising: Building off the existing consent requirement in section 312.5, website and online service operators covered by COPPA would now be required to obtain separate verifiable parental consent to disclose information to third parties including third-party advertisers—unless the disclosure is integral to the nature of the website or online service. Firms cannot condition access to services on disclosure of personal information to third parties.
• Prohibition against conditioning a child’s participation on collection of personal information: The proposal reinforces the current rule’s prohibition on conditioning participation in an activity on the collection of personal data to make clear that it serves as an outright ban on collecting more personal information than is reasonably necessary for a child to participate in a game, offering of a prize, or another activity. In addition, the FTC is considering adding new language to this section to clarify the meaning of “activity.” 

• Limits on the support for the internal operations exception: The current rule allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information and uses the persistent identifier solely to provide “support for the internal operations of the website or online service.” The proposed rule changes would require operators utilizing this exception to provide an online notice that states the specific internal operations for which the operator has collected a persistent identifier and how they will ensure that such identifier is not used or disclosed to contact a specific individual, including through targeted advertising.
• Limits on nudging kids to stay online: Operators would be prohibited from using online contact information and persistent identifiers collected under COPPA’s multiple contact and support for the internal operations exceptions to send push notifications to children to prompt or encourage them to use their service more. Operators that use personal information collected from a child to prompt or encourage use of their service would also be required to flag such usage in their COPPA-required direct and online notices.
• Changes related to Ed Tech: The FTC has proposed codifying its current guidance related to the use of education technology to prohibit commercial use of children’s information and implement additional safeguards. The proposed rule would allow schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information but only for a school-authorized educational purpose and not for any commercial purpose.
• Increasing accountability for Safe Harbor programs: The proposed rule would increase transparency and accountability of COPPA Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission.
• Strengthening data security requirements: The FTC has proposed strengthening the COPPA Rule’s data security requirements by mandating that operators establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children.
• Limits on data retention: The FTC also would strengthen the COPPA Rule’s data retention limits by allowing for personal information to be retained only for as long as necessary to fulfill the specific purpose for which it was collected. The proposed change would also prohibit operators from using retained information for any secondary purpose, and it explicitly states that operators cannot retain the information indefinitely. The Rule would also require operators to establish, and make public, a written data retention policy for children’s personal information.

In addition, the FTC has proposed changes to some definitions in the rule, including expanding the definition of “personal information” to include biometric identifiers, and stating that the Commission will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed to children.

The public will have 60 days to submit a comment on the proposed changes to the COPPA Rule after the notice is published in the Federal Register. Information on how to submit a comment will be included in the Federal Register notice. Once submitted, comments will be posted to Regulations.gov.

The Commission voted 3-0 to publish the notice of proposed rulemaking in the Federal Register.  Commissioner Alvaro Bedoya released a statement.

The lead attorneys on this matter are Manmeet Dhindsa and James Trilling in the FTC’s Bureau of Consumer Protection.