FTC Approves NPR Updating the COPPA Rule
On December 20, 2023, the Federal Trade Commission (FTC or Commission) finally published its long-awaited Notice of Proposed Rulemaking (NPR) updating the Children’s Online Privacy Protection Act Rule (COPPA Rule).
The process to update the COPPA Rule began in 2019 when the FTC posted a Request for Comments, which garnered more than 175,000 submissions. Some lawmakers and advocacy groups proposed expanding the Rule’s definition of “website or online service directed to children” and changing the Rule’s actual knowledge standard to constructive knowledge. In this NPR, the FTC explicitly rejects such changes as outside its statutory authority. The FTC likewise did not change the definition of a persistent identifier or eliminate the “support for internal operations” exception but does impose new disclosure requirements on operators relying on the exception. Importantly, the FTC proposes to allow operators to collect mobile phone numbers to provide notices and obtain parental consent, but the FTC also proposes to restrict use of mobile phones to call children. The proposal involves a number of important changes to the COPPA Rule that will require companies offering child-directed online services to implement significant internal operational changes.
Key elements of the new proposed COPPA Rule include:
- Requiring a separate opt-in for targeted advertising. Although opt-in parental consent is already required for third-party sharing, including for targeted advertising purposes, the FTC proposes to impose a separate opt-in.
- Prohibition against conditioning a child’s participation on collection of more personal information than necessary. The COPPA Rule already prohibits conditioning participation in a child’s activity on the collection of personal data, but the FTC is considering adding new language to this section to clarify the meaning of “activity.”
- A new parental notice requirement explaining support for the internal operations exception. The FTC is not proposing to change the current rule provisions allowing operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information and uses the persistent identifier solely to provide “support for the internal operations of the website or online service.” The FTC, however, proposes to require operators utilizing this exception to provide an online notice that states the specific internal operations for which the operator has collected a persistent identifier and how the operator will ensure that such identifier is not used or disclosed to contact a specific individual, including through targeted advertising.
- Limits on “nudging” kids to stay online. Operators would be prohibited from using online contact information and persistent identifiers collected under COPPA’s multiple contact and support for the internal operations exceptions to send push notifications to children to prompt or encourage them to use their service more. Operators that use personal information collected from a child to prompt or encourage use of their service would also be required to flag such usage in their COPPA-required direct and online notices.
- Ed Tech changes. The FTC has proposed codifying its current ed tech guidance to prohibit commercial use of children’s information and implement additional safeguards. It would, however, allow schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information for a school-authorized educational purpose only, not for any commercial purpose.
- More requirements for COPPA Safe Harbor programs. The proposed rule imposes new requirements on COPPA Safe Harbor programs, including requiring each program to publicly disclose its membership list and report additional information to the Commission.
- Strengthening data security requirements. The FTC proposes requiring that operators establish, implement, and maintain a written children’s personal information security program that contains safeguards appropriate to the sensitivity of the personal information collected from children. Operators must designate one or more employees to coordinate the program and must identify and perform, at least annually, additional assessments and update the program as needed.
- Limits on data retention. The COPPA Rule requires that operators retain personal information only for as long as necessary to fulfill the specific purpose for which it was collected. The FTC proposes to also prohibit operators from using retained information for any secondary purpose, and the proposed revisions explicitly state that operators cannot retain the information indefinitely. The Rule would also require operators to establish, and make public, a written data retention policy for children’s personal information.
Businesses that offer online services to children, those that offer “mixed audience” online services, and others will want to read the FTC’s NPR thoroughly and consider sharing their perspectives with the FTC.
The comment deadline is 60 days after the Notice is published in the Federal Register (which, as of the date of this writing, has not yet occurred).