On December 20, the Federal Trade Commission (FTC or “the Commission”) published a notice of proposed rulemaking (NPRM) proposing amendments to the Children’s Online Privacy Protection Rule (the “COPPA Rule” or the “Rule”).
The COPPA Rule is a foundational federal legal protection for children’s online personal information. The FTC promulgated the original COPPA Rule in 1999 after Congress passed COPPA the year before. The Commission subsequently amended the Rule in 2013 and initiated this latest round of rulemaking in 2019. Broadly speaking, the Rule imposes requirements on website and online-service operators’ collection and use of children’s personal information, including requirements related to notice, parental consent, and data security, among others. The Rule defines “child” to refer to individuals under the age of 13. The FTC’s current proposal entails substantial modifications that would, in the Commission’s telling, affect “most provisions of the Rule.” Most notably, the proposal would require operators to obtain separate parental consent for disclosures of children’s personal information to third parties (including for purposes of targeted advertising), codify existing FTC guidance allowing schools to authorize the collection of children’s personal information for educational purposes, and impose new data security requirements to better protect children’s personal information.
The FTC’s proposed COPPA Rule amendments constitute the latest in a series of developments indicating a growing legislative and regulatory interest in children’s privacy. Last year, for instance, the Commission reached a settlement with Microsoft centered on alleged COPPA violations associated with the company’s Xbox Live product. And children’s privacy has repeatedly bubbled to the surface of legislative debates at the federal and state levels. Given this environment, companies that handle children’s data should pay close attention to ensure that they are handling that data consistent with relevant legal requirements, including the COPPA Rule and the proposed changes outlined in the NPRM.
In this post, we summarize notable features of the FTC’s proposed modifications to the COPPA Rule. We are happy to answer any questions you may have about how these modifications would affect your privacy compliance program. To stay up-to-date on the latest developments in the children’s privacy arena, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
Key Proposed Modifications to the COPPA Rule
Notable elements of the FTC’s proposed modifications to the COPPA Rule include:
- Separate Verifiable Parental Consent for Disclosures to Third Parties. The COPPA Rule currently requires that operators “obtain verifiable parental consent before any collection, use, or disclosure of personal information from children.” 16 C.F.R. § 312.5(a)(1). The FTC’s proposal would modify this provision to require that operators obtain a separate parental consent for disclosures, including disclosures made for targeted advertising purposes — a change that would enhance parental control over operators’ use of children’s data and limit the ability of operators to use that data for advertising.
- School Authorization Exception. The FTC proposal would explicitly establish that “schools, state educational agencies, and local educational agencies may authorize the collection of personal information from students younger than 13 … where the data is used for a school-authorized education purpose and no other commercial purpose,” thus codifying existing FTC guidance on this issue. This modification would presumably reduce legal uncertainty for providers of education technologies (EdTech), clearly allowing them to obtain relevant COPPA consents from, for example, a school district, rather than having to obtain separate consents from each student’s parents individually. The proposal would further require that schools maintain written agreements with EdTech providers that clearly set forth the school authorization exception’s requirements.
- Data Security Requirements. The COPPA Rule currently includes a high-level provision (16 C.F.R. § 312.8) requiring that operators “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children” and “take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information.” The proposal outlined in the NPRM would expand this section to include additional guidance as to what “reasonable procedures” and “reasonable steps” operators must implement. Among other things, operators would be required to establish and implement a “written comprehensive security program” to protect children’s information. In the NPRM, the FTC notes that this requirement is explicitly modeled on a similar requirement in the original Gramm-Leach-Bliley Act (GLBA) Safeguards Rule promulgated by the Commission in relation to financial institutions.
- Data Deletion and Retention Requirements: As part of this strengthening of the COPPA Rule’s data security requirements, the FTC’s proposal would also bolster provisions related to data deletion and retention. For example, the proposal would make clear that “operators may retain personal information for only as long as is reasonably necessary for the specific purpose for which it was collected, and not for any secondary purpose.” Additionally, operators would be required to establish written data retention policies pertaining to the children’s information that they collect.
- Restricting “Nudging.” The proposal would modify one of the COPPA Rule’s current exceptions to the parental consent requirement — specifically, 16 C.F.R. § 312.5(c)(4) — to make clear that operators are prohibited from using online contact information to “optimize user attention or maximize user engagement” (i.e., “nudging” children through methods such as push notifications) without first obtaining parental consent. In the NPRM, the FTC explains this modification by noting that it is concerned about children “overusing online services” as the result of such “engagement-enhancing techniques.”
- Safe Harbor Programs. The COPPA Rule’s “safe harbor” provision allows industry groups to apply for FTC approval of self-regulatory programs. See 16 C.F.R. § 312.11. The NPRM proposes several new requirements for these Safe Harbor programs broadly aimed at increasing transparency and accountability. For example, the FTC’s proposal would require that Safe Harbor programs “publish lists of their subject operators” and provide additional information to the Commission in their required annual reports, such as descriptions of the Safe Harbor program’s business model and copies of consumer complaints claiming violations of the program’s guidelines.
- Expanding Scope of “Personal Information” to Include Biometric Information. The FTC’s proposal would expand the scope of the “personal information” covered by the COPPA Rule to include biometric information, an expansion well-aligned with the Commission’s recent focus on this particular type of sensitive data.
- Notice Requirements. The FTC proposal would require operators to make several new types of disclosures in both the direct notice to parents and online notice required under the current COPPA Rule. See 16 C.F.R. § 312.4. For example, in the “direct notice” that must be provided to parents, operators will be required to identify the third parties with which they share personal information, as well as the purposes for such sharing. Operators will also be required to make clear that “parent[s] can consent to the collection and use of [their] child’s information without consenting to the disclosure of such information.” Meanwhile, in the online notice, operators that collect persistent identifiers (e.g., cookie information, IP addresses) to support their “internal operations” will be required to “specify the particular internal operation(s) for which the operator has collected the persistent identifier and describe the means it uses to ensure that it does not use or disclose the persistent identifier … for any other purpose.”
In addition to the proposed COPPA Rule modifications discussed above, the FTC’s NPRM includes a set of targeted questions for consideration by public commenters. The Commission has asked for comments to be provided by March 11, 2024.