Skip to main content

In place since 2000, the Children’s Online Privacy Protection Act (COPPA) Rule makes it illegal for websites and online services to collect personal information from kids under 13 without parents’ verifiable consent. It’s been a decade since the last COPPA Rule update, and the FTC is now proposing revisions to reflect technological changes, provide greater protections for kids’ personal information, and ensure that parents – not companies – are still in the driver’s seat when it comes to children’s data. One major suggested change would further limit the ability of companies to monetize children’s data by making it illegal for companies to disclose kids’ information without first obtaining separate parental consent. That means that behavioral advertising would have to be turned off by default and parents would have the clear option to say no to behavioral advertising even if they consent to the company’s other data practices. The FTC wants your comments about the enhanced protections it has in mind.

After the FTC announced it was considering revisions to the COPPA Rule, we received more than 175,000 comments. The proposed rule reflects what we heard from parents, educators, industry members, researchers, and others – as well as our 23 years’ experience enforcing COPPA. You’ll want to read the Notice of Proposed Rulemaking for the details, but here is a brief recap of some of the provisions the FTC is considering:

  • Requiring separate opt-in consent for third-party disclosures. Businesses would have to get parents’ separate verifiable consent to disclose information to third parties, including third-party advertisers, unless the disclosure is integral to the nature of the website or online service. That means COPPA-covered companies’ default settings would have to disallow third-party behavioral advertising and allow it only when parents expressly opt in.

  • Limiting the “support for internal operations” exception. As it now stands, operators can collect persistent identifiers without first getting parental consent if they don’t collect any other personal information and use the persistent identifiers just to provide support for internal operations. If operators claim this exception in the future, the FTC wants them to provide an online notice explaining the specific operations for which they’re collecting those identifiers and how they will ensure identifiers aren’t used to contact specific people, including through targeted advertising.

  • Limiting companies’ nudging of kids to stay online. Operators wouldn’t be allowed to use certain COPPA exceptions to send push notifications to encourage kids to use their service more. Operators using kids’ information to send these push notifications would also be required to flag that use in their COPPA-required direct and online notices. This would ensure parents are aware of, and must consent to, the companies’ use of nudges. 

  • Limiting data retention. The FTC proposal would strengthen COPPA’s existing standards by making it clear that operators can hold on to kids’ personal information only for as long as necessary to fulfill the purpose for which it was collected – and they for sure can’t hold on to it indefinitely or use it for any secondary purpose. The FTC also wants operators to post their data retention policy for children’s personal information.

  • Codifying ed tech guidance. The burgeoning ed tech sector wasn’t as big of a thing during the FTC’s last look at COPPA, but a lot has happened since then. While also adding further safeguards, the proposed rule would formalize the FTC’s guidance that schools and school districts can authorize ed tech providers to collect, use, and disclose students’ personal information, but only for a school-authorized educational purpose – and not for a commercial purpose.

  • Increasing accountability for Safe Harbor programs. To increase transparency and accountability of COPPA’s Safe Harbor programs, the proposed rule would require the safe harbor programs to publicly disclose their membership lists and report additional information to the FTC, among other changes.

  • Strengthening data security requirements. The proposed rule would strengthen COPPA’s existing data security requirements by mandating that operators create a written children’s personal information security program and then put it into practice, including safeguards appropriate to the sensitivity of the information collected from kids.

Another proposed change that reflects the current state of technology: expanding the definition of “personal information” to include biometric identifiers.

Once the Notice of Proposed Rulemaking runs in the Federal Register – we’ll publish another blog post to let you know when that happens – you’ll have 60 days to file a public comment that will appear on regulations.gov. Remember that we welcome the perspectives of academics, consumer groups, tech experts, etc., but we also want to hear from parents, small businesses, and others who deal with COPPA day-to-day in real world settings.
 

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Anu
December 21, 2023

As a therapist, I have become a firm believer that the cons of being online for children and teens far outweigh the benefits. I am really happy to see that you are starting to enforce some rules at the govt level. I do believe we have a long way to go, and i strongly believe banning phones from schools like some other countries have done will greatly improve children’s educational, social and mental health.

Sue S.
December 21, 2023

These read to be very Sensible Changes.

In my opinion what would additionally make a difference is -

1. Firstly Enforceable Actions and Heavy Fines on any Data Collection Service if they use Kids data outside of the specified and signed purpose.

2. Secondly, Actionable and Enforceable Data Destruction and sanitization methods with these Service Providers which ensure that the Kids Data is not in the Hands of these Services after usage and specified Time..

3. Thirdly, and Most importantly - for Maintenance of Data for Legal and Statutory Purposes by these Data Collectors- a DATA SEPARATION MECHANISM where the Data and Backups are transferred after use and maintained by Government Regulated and Controlled Third party and / or Data Processing Bodies. This will ensure Data is available if needed for Legal and Statutory Purposes at the same time that Data is NOT AVAILABLE with the Service Provider after their Data Usage is Over for Potential Sale or Misuse.

Thomas Quilty
December 21, 2023

As the CSO of a new Social Media Company, we support these changes to COPPA, even though it may be difficult at times. We need to help parents protect their children while they are online.

Silas Keig
December 21, 2023

It is a good idea. It seems that China's "Golden Umbrella" offers similar (if not more) protections and it seems wise that we follow suite.

Kynthia Rosgeal
December 21, 2023

I'm concerned that the requirement "Codifying ed tech guidance" is going to allow extremists on school boards (see : Florida) to push their non education and highly religious agenda claiming "Ed tech" privilege to continue harming marginalized students.

Christina D. T…
December 29, 2023

In reply to by Kynthia Rosgeal

I don’t think so.
Florida has done a good job protecting students but can do better.
They lists students and do not teach them how to protect privacy. Then you have data collection which is the extra piece needed to prove things together to find someone. It’s a serious issue.

Janey mims
December 29, 2023

Amen! Do it. Kids do not have enough protection! Retired travher

Christina D Th…
December 29, 2023

I am concerned. I come in as a security professional, kind of sarcastic at times because I can’t believe you just now see the need to change the rules.

First data collection for what? Do you forgot so short ago that Consumer Protection Bureau with DOJ had to sue Amazon’s Alexa because without consent of the parent they recorded the children. Then when the parents said delete it Amazon said no we are keeping it indefinitely. Then enforcement came. Amazon lost. Good on the government.

Now I tell you right now we have kids at 13 that have no idea what terms of service are. So they are agreeing to something they don’t even understand. Isn’t that like wrong? I am not a lawyer, CEH.

Then let me show you this. Beeper-Mini they collect data also. They are sending our kids data to another country 😳. People are not reading. So this COPPA, says it’s okay for a 3rd world nation to have the data of a 13 year old? Come on folks. You don’t need to be hacker to figure this out. It’s bad security. Fix this too. No kids data to other nations.

When it gets breached? Not IF but when.

Where are the rules that say all data of minor children have to be in the United States? Come on People!!! Think with me. Our kids are the future and if we can’t protect them from digital thieves we are in some serious trouble.

We talk so much about encryption and facial recognition. Why aren’t these companies mixing the consent of data collection of minors with a AES encryption key?

I think professionally the age should be raised to 16 of informed consent. In LAYMEN TERMS. I think a special key 🔑 should be placed to ensure ETEE of data collection with parents consent. No consent no data.

Enforcement of legal penalties and right to sue. I think Android phones should be modified to show tracking across apps for minors.

I think at 17 the minor decides.

3rd party data collection should be eliminated period for all minors till they are 18 years of age due to the risk of them.

I also think Facebook, Instagram, Snapchat, TikTok should stop suggesting adults to kids and kids to adults with no relationship whatsoever. I have inside knowledge of it. It needs to stop. Now.

Steven Simon
December 29, 2023

The new regulations should include a "Universal Opt-Out Code" that is specific to minors. The intent of using a Universal Opt-Out code is send a clear signal that the most strict regulations for the collection, retention and sharing of should be applied to the data. The proposed mechanism is a derivative of the method is used by Privacy4Cars.com of appending a code to the Device Name. Privacy4cars uses 0$S for the universal opt-out code (which I believe has legal definition in the state of Colorado). I propose a short text code like "-Kid-Guard" appended to a device name should signal the most strict handling of data possible.

Juliette
December 29, 2023

Having worked in child welfare for more than a decade, I can’t stress how critical it is that the government pass and enforce laws requiring companies to implement safeguards to protect youth from harm. It is also essential that parents monitor their children’s social media and internet use.

Alexander R. Cohen
December 29, 2023

> we also want to hear from parents, small businesses, and others who deal with COPPA day-to-day in real world settings.

It is striking that you omit the group most directly affected by COPPA: the young people whom it purports to protect but in practice largely excludes from the modern world. Indeed, given the federal government's policy of complying with COPPA on its own websites, I, as an adult concerned with young people's rights, have to ask: Is it even possible for individuals under 13 to submit comments without their parents' involvement, and if so, how?

Get Business Blog updates