The Federal Trade Commission announced proposed revisions to the Children’s Online Privacy Protection Act Rule. The proposed revisions are said to provide greater protections for children’s personal information online to ensure parents are still in control of their children’s data.
The Children’s Online Privacy Protection Act Rule, or COPPA, which was put in place in 2000, hasn’t been updated in a decade.
“The FTC’s recent COPPA enforcement actions against Epic Games, Amazon, Microsoft, and Meta demonstrated that Big Tech does not have carte blanche with kids’ data,” Haley Hinkle, policy counsel at Fairplay, said. “With this critical rule update, the FTC has further delineated what companies must do to minimize data collection and retention and ensure they are not profiting off of children’s information at the expense of their privacy and well being.”
COPPA makes it illegal for websites and online services to collect personal information from kids under 13 without parents’ verifiable consent, according to the FTC.
With more than 175,000 public comments from parents, educators, industry members and researchers, some suggested changes included “further limit the ability of companies to monetize children’s data by making it illegal for companies to disclose kids’ information without first obtaining separate parental consent,” according to the FTC, so behavioral advertising will be turned off “by default” that way parents “would have the clear option to say no to behavioral advertising even if they consent to the company’s other data practices.”
“The commission’s plan will limit data uses involving children and help prevent companies from exploiting their information,” Katharina Kopp, Ph.D., director of policy at the Center for Digital Democracy, said. “These rules will also protect young people from being targeted through the increasing use of AI, which now further fuels data collection efforts. Young people 12 and under deserve a digital environment that is designed to be safer for them and that fosters their health and well-being. With this proposal, we should soon see less online manipulation, purposeful addictive design, and fewer discriminatory marketing practices.”
According to the Notice of Proposed Rulemaking, some of the other provisions the FTC is considering include:
- Requiring separate opt-in consent for third-party disclosures. Businesses would have to get parents’ separate verifiable consent to disclose information to third parties, including third-party advertisers, unless the disclosure is integral to the nature of the website or online service. That means COPPA-covered companies’ default settings would have to disallow third-party behavioral advertising and allow it only when parents expressly opt in.
- Limiting the “support for internal operations” exception. As it now stands, operators can collect persistent identifiers without first getting parental consent if they don’t collect any other personal information and use the persistent identifiers just to provide support for internal operations. If operators claim this exception in the future, the FTC wants them to provide an online notice explaining the specific operations for which they’re collecting those identifiers and how they will ensure identifiers aren’t used to contact specific people, including through targeted advertising.
- Limiting companies’ nudging of kids to stay online. Operators wouldn’t be allowed to use certain COPPA exceptions to send push notifications to encourage kids to use their service more. Operators using kids’ information to send these push notifications would also be required to flag that use in their COPPA-required direct and online notices. This would ensure parents are aware of, and must consent to, the companies’ use of nudges.
- Limiting data retention. The FTC proposal would strengthen COPPA’s existing standards by making it clear that operators can hold on to kids’ personal information only for as long as necessary to fulfill the purpose for which it was collected – and they for sure can’t hold on to it indefinitely or use it for any secondary purpose. The FTC also wants operators to post their data retention policy for children’s personal information.
- Codifying ed tech guidance. The burgeoning ed tech sector wasn’t as big of a thing during the FTC’s last look at COPPA, but a lot has happened since then. While also adding further safeguards, the proposed rule would formalize the FTC’s guidance that schools and school districts can authorize ed tech providers to collect, use, and disclose students’ personal information, but only for a school-authorized educational purpose – and not for a commercial purpose.
- Increasing accountability for Safe Harbor programs. To increase transparency and accountability of COPPA’s Safe Harbor programs, the proposed rule would require the safe harbor programs to publicly disclose their membership lists and report additional information to the FTC, among other changes.
- Strengthening data security requirements. The proposed rule would strengthen COPPA’s existing data security requirements by mandating that operators create a written children’s personal information security program and then put it into practice, including safeguards appropriate to the sensitivity of the information collected from kids.
“Anyone who believes that children deserve to explore and play online without being tracked and manipulated should support this update,” Hinkle said.
COMMENTS