The Bottom Line
- The proposed changes to COPPA place new restrictions on the use of children’s personal information and would further limit the ability of companies to monetize children’s data by making it illegal for companies to disclose kids’ information without first obtaining separate parental consent.
- Now is the time to get ahead of the proposed changes and review your children’s privacy practices to ensure compliance with the proposed changes.
On December 20th, the FTC announced proposed changes to the Children’s Online Privacy Protection Rule (COPPA), which was last updated in 2013. The updates are intended to respond to technological changes, provide greater protections for kids’ personal information and ensure that parents retain control of their children’s data.
The Proposed Rule
In the Notice of Proposed Rulemaking, the FTC is seeking comments on how personal information is being collected from children, including with respect to the monetization of children’s data. In addition, the FTC proposes expanding the scope of its review when determining whether a website or online service is directed to children to consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services.
The other proposed changes include the following:
- Requiring separate opt-in consent for targeted advertising. Operators would need to obtain parents’ separate verifiable consent to disclose information to third-party advertisers unless the disclosure is integral to the nature of the website or online service. This means COPPA-covered companies’ default settings would have to block third-party behavioral advertising and allow it only when parents expressly opt in.
- Prohibiting conditioning a child’s participation on collection of personal information. The proposed rule would make it clear that collecting more personal information than is reasonably necessary for a child to participate in a game, offering a prize, or another activity is prohibited. In addition, the FTC is considering adding new language to this section to clarify the meaning of “activity.”
- Limiting the “support for internal operations” exception. Operators can currently collect persistent identifiers without obtaining parental consent if they do not collect any other personal information, and only use the persistent identifiers to provide support for internal operations. Under the proposed rule, operators will need to provide an online notice explaining the specific internal operations for which they are collecting identifiers and how they will ensure identifiers are not used to contact specific people, including through targeted advertising.
- Limiting companies’ nudging of kids to stay online. The proposed rule would prohibit operators from using certain COPPA exceptions to send kids push notifications to encourage them to use their services. Any online notices required by COPPA would need to disclose that kids’ information is used for push notifications, so parents are aware of, and can consent to, the use of such notifications.
- Limiting data retention. The proposed rule strengthens COPPA’s data retention limits by allowing operators to keep kids’ personal information for only as long as necessary to fulfill the purpose for which it was collected, and not use it for any secondary purpose. Operators would also need to post a data retention policy for children’s personal information.
- Codifying ed tech guidance. The proposed rule would formalize the FTC’s guidance allowing schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information, but only for an authorized educational purpose, and not for any commercial purpose.
- Increasing accountability for Safe Harbor programs. The proposed rule would require the safe harbor programs to publicly disclose their membership lists and report additional information to the FTC to increase transparency and accountability.
- Strengthening COPPA’s existing data security requirements. Operators would need to create and implement a written information security program that is specific to children’s data and includes safeguards appropriate to the sensitivity of the information collected from kids.
The FTC also proposed changes to certain definitions in the rule, including expanding the definition of “personal information” to include biometric identifiers.
Request For Public Comment
The public has 60 days after the notice is published in the Federal Register to submit a comment regarding the proposed changes. Davis+Gilbert is happy to assist anyone who wishes to file comments.