FTC Seeks Expansion of Children’s Privacy Protection Law
January 26, 2024
On Dec. 20, 2023, the Federal Trade Commission (FTC) published a Notice of Proposed Rulemaking (NPRM) to the Children’s Online Privacy Protection Act (COPPA). COPPA was enacted in 1998 and went into effect in 2000. Under COPPA, certain online entities must obtain parental consent and provide notice before the collection, use and disclosure of personal information from children under the age of 13. COPPA was last updated in 2013. Over a decade later, the FTC seeks expansion of the Act.
The proposed amendments make significant changes to COPPA, including additional restrictions on the use and disclosure of children’s personal information and further constraints on companies that monetize children’s data. The goal of the proposed amendments is to limit the collection and exploitation of children’s personal information and provide a secure digital environment for children to safely explore.
- Additional Opt-In Required for Targeted Ads
Entities subject to COPPA must obtain separate verifiable parental consent to disclose information to third parties (including third-party advertisers) unless the disclosure is integral to the nature of the website or online service.
- Collection of Personal Data Cannot Be a Condition of Participation
Covered entities are prohibited from collecting more personal information than reasonably necessary as a condition for a child to participate in a game, offering of a prize, or other activities. The FTC is considering adding language to clarify the meaning of “activities.”
- Limits on the Support for the Internal Operations Exception
Currently, covered entities can collect persistent identifiers without first obtaining parental consent if: (1) the entity does not collect any other personal information; and (2) uses the persistent identifier solely to provide “support for the internal operations of the website or online service.” Under COPPA, “support for internal operations” includes activities necessary to maintain or analyze the functioning of a site or online service; authenticate users of or personalize content on the site or online service; serve contextual advertising or cap the frequency of advertising; protect the security or integrity of the user, site, or online service; ensure legal or regulatory compliance; and fulfill a request of a child. Additionally, under the proposed amendments, exempt entities must provide an online notice that states the specific internal operations for which it has collected a persistent identifier and how it will ensure that such identifier is not used or disclosed to contact a specific individual.
- Limits on Coercing Kids to Stay Online
Covered entities are prohibited from using personal information collected under COPPA’s multiple contact and support for the internal operations exceptions to send push notifications to children with the intention of encouraging children to use their service more. Entities that use personal information collected from a child to prompt or encourage use of its service would also be required to flag such usage in its COPPA-required direct and online notices.
- Education-Based Technology
The amended rule would allow schools and school districts to authorize education-based technology providers to collect, use and disclose students’ personal information but only for a school-authorized educational purpose and not for any commercial purpose.
- Increasing Accountability for Safe Harbor Programs
To increase transparency and accountability, COPPA Safe Harbor programs must publicly disclose its membership lists and report additional information, such as the program’s business model to the FTC.
- Strengthening Data Security Requirements
Covered entities must establish, implement and maintain a written children’s personal information security program that includes safeguards appropriate to the sensitivity of children’s data collected.
- Limits on Data Retention
Under the amended rule, children’s personal information can only be retained for as long as the purpose it was collected for is fulfilled. In addition, covered entities are prohibited from retaining information for any secondary purpose and are required to establish and publicize a written data retention policy for children’s personal information.
The NPRM was published in the Federal Register on Jan. 11, 2024. Parties seeking to comment on the proposed changes to COPPA will have until March 11, 2024. In addition, on Jan. 18, 2024, the FTC held its open meeting of the Commission and presented the proposed changes to COPPA.
The FTC’s proposed amendment to COPPA signifies the increased attention in expanding privacy protections over individuals under the age of 18. Shortly after the NPRM announcement, U.S. Senators Bill Cassidy (R-LA) and Edward Markey (D-MA) vocalized their support for the proposed amendments. Specifically, they noted that Congress should enact the Children and Teens’ Online Privacy Protection Act, coined as COPPA 2.0, which would strengthen the protections of minors in relation to the online collection, use and disclosure of their personal information.
Moreover, several states have already initiated expansion of privacy protections for individuals under the age of 18. For example, the California Consumer Privacy Act requires covered entities to obtain consent before the sale of personal information of consumers under the age of 16. Additionally, Utah, Arkansas, Louisiana and Texas enacted laws that prohibit social media sites from allowing minors to use their services without parental consent. Most recently, New Jersey passed the New Jersey Data Privacy Act which prohibits the processing of personal data from consumers between the ages of 13 to 17 without consent.
Bond attorneys regularly assist and advise clients on an array of data privacy and cybersecurity matters, including compliance with COPPA and other privacy authorities. If you have any questions about COPPA or FTC privacy enforcement, please contact Jessica Copeland, CIPP/US, Victoria Okraszewski or any attorney in Bond's cybersecurity and data privacy practice.