FTC proposes amendments to the COPPA Rule

On December 20, the Federal Trade Commission released a notice of proposed rulemaking to update the Children’s Online Privacy Protection Rule, known as the “COPPA Rule.” (We are linking to the official version of the proposed rule that was published in the Federal Register on January 11.) In a press release published on December 20, the FTC announced that the proposed amendments “would place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition access to services on monetizing children’s data.”

Background on COPPA and the COPPA Rule

Congress enacted the Children’s Online Privacy Protection Act (“COPPA”) in 1998 and directed the FTC to promulgate regulations implementing the statute’s notice and verifiable parental consent requirements. On November 3, 1999, the FTC issued the COPPA Rule, which became effective on April 21, 2000.

Generally, the COPPA Rule requires an operator of a website or online service directed to children, or an operator that has actual knowledge that it is collecting or maintaining personal information from a child, to do the following:

  • Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for the information.
  • Obtain verifiable parental consent before any collection, use, or disclosure of personal information from children.
  • Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance.
  • Not require, as a condition of a child’s participation in a game, the offering of a prize, or another activity, the child to disclose more personal information than is reasonably necessary to participate in such activity.
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

The last time the FTC made revisions to the COPPA Rule was more than 10 years ago, in 2013. In 2019, the FTC initiated a review of the COPPA Rule and received extensive public comments about whether changes were needed. The commenters included industry representatives, video content creators, consumer advocacy groups, academics, technologists, FTC-approved COPPA Safe Harbor programs, members of Congress, and members of the public. The latest proposed amendments would bring significant changes to the COPPA Rule, and it is expected that the FTC will receive many public comments this time as well.

Proposed changes

Some of the key changes include the following:

  1. Expanded definition of “online contact information.” The FTC proposes amending the definition of “online contact information” to add “an identifier such as a mobile telephone number provided the operator uses it only to send a text message” to the non-exhaustive list of identifiers that constitute “online contact information.” This amendment, the FTC reasons, would allow operators to collect and use a parent’s or child’s mobile phone number in certain circumstances, such as in connection with obtaining parental consent through a text message.
  2. Expanded definition of “personal information.” The FTC believes that the definition of “personal information” needs to be updated to keep pace with technological developments that facilitate increasingly sophisticated means of identification. The definition of “personal information” would expand to include “[a] biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data.” Additionally, the FTC proposes expanding the definition of personal information to include data that is inferred about, but not directly collected from, children, as well as persistent identifiers that can be used to recognize a user over time and across different websites and services.
  3. Codification of current FTC guidance on education technology. The FTC proposes codifying its current guidance related to the use of education technology to allow schools to authorize, without express parental consent, ed tech vendors to collect, use, and disclose student personal information for a “school-authorized education purpose.”
  4. Additional use restriction for internal operations exception. The COPPA Rule in its current form permits operators to collect persistent identifiers without prior verifiable parental consent, provided that the operator (a) does not collect any other personal information and (b) uses persistent identifiers solely to support the internal operations of the website or online service. The proposed amendments would prohibit operators that use the internal operations exception from using or disclosing personal information in connection with processes, including machine learning processes, that encourage or prompt use of a website or online service. The FTC also proposes prohibiting operators from using or disclosing persistent identifiers to optimize user attention or maximize user engagement with the website or online service, including by sending notifications to prompt the child to engage with the site or service, without verifiable parental consent.
  5. Additional factors in “website or online service directed to children” multi-factor test. The FTC proposes adding “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services” as examples of evidence it will consider in analyzing audience composition and intended audience.
  6. New definition of “mixed audience website or online service.” The proposed amendments would add a standalone definition for “mixed audience website or online service.” The purpose would be to more clearly distinguish websites or online services that satisfy the multi-factor test for determining whether they are a “website or online service directed to children” but do not target children as their primary audience.
  7. Changes to direct notice and online notice provisions. The FTC proposes a number of changes to the COPPA Rule’s direct notice and online notice provisions. One of these proposed changes would require operators that share personal information with third parties to identify the third parties as well as the purposes of sharing, should the parent provide consent. This change would also require the operator to state that the parent can consent to the collection and use of the child’s personal information without consenting to the disclosure of that information, except where the disclosure is integral to the nature of the website or online service.
  8. Requirement to establish a written comprehensive security program. The proposed changes to the COPPA Rule would require operators to, at a minimum, establish, implement, and maintain a written comprehensive security program that contains safeguards that are appropriate to the sensitivity of children’s information and to the operator’s size, complexity, and nature and scope of activities. The required security program must designate an employee to coordinate the program, identify and perform risk assessments on an annual basis, and implement and test controls and safeguards to mitigate identified risks.
  9. Contractual data security assurances. The proposed amendments would also clarify that operators that release personal information to third parties or other operators must obtain written assurances that the recipients will employ reasonable measures to maintain the confidentiality, security, and integrity of the information.
  10. Limits on data retention. The FTC proposes limiting retention of personal information to only as long as reasonably necessary for the specific purpose for which it was collected. Operators would also be required to delete the information when it is no longer reasonably necessary for the purpose collected. Additionally, the proposed changes would require operators to establish a written data retention policy specifying the operator’s business need for retaining children’s personal information and the operator’s timeframe for deleting the information. Retention policies may not provide for indefinite retention.
  11. Changes to Safe Harbor programs. The proposed changes would require all FTC-approved Safe Harbor programs to identify each subject operator and all approved websites or online services in the program, as well as all subject operators that have left the program. Additionally, FTC-approved Safe Harbor programs would be required to provide a narrative description of the program’s business model, including whether it provides additional services to subject operators, such as training, and to provide copies of each consumer complaint related to guidelines violations of FTC-approved COPPA Safe Harbor programs.

What’s next

The public comment period is open until March 11. Businesses that are currently affected by COPPA and the COPPA Rule should pay close attention to the FTC’s proposed changes and prepare to update their compliance programs.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their cybersecurity and compliance programs. If you would like additional information on COPPA and the COPPA Rule, please contact us at cyber@constangy.com.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
