Enacted in 1996, the Children’s Online Privacy Protection Act (COPPA) is the nation’s longest-standing and most comprehensive statute aimed at regulating the collection, use and sharing of the personal information of children—defined as children under the age of 13—by online services. When Congress enacted COPPA in 1996, it gave rulemaking authority to the Federal Trade Commission (FTC) and required that the agency periodically evaluate and consider updates to the COPPA Rule.[1] On December 20, 2023, four years after initiating review of the COPPA Rule in 2019, the FTC issued a Notice of Proposed Rulemaking (NPRM) with its proposed updates to the Rule. Once the NPRM is published in the Federal Register, the public will have 60 days to comment on the proposed new COPPA Rule.
Background on the Rule
The FTC last updated the COPPA Rule in 2012 following an extensive review that began in 2010. Those amendments, which went into effect on July 1, 2013, established that third parties, such as advertising networks and providers of social media plugins, must comply with COPPA when they have actual knowledge that they are collecting personal information from online services directed to children. Among other things, the 2012 updates also established that online services directed to children may collect persistent identifiers from children without parental consent as long as the services’ use of such identifiers is limited to supporting “internal operations.”
Because the ways in which children engage with online services continue to evolve at a rapid pace, the FTC slotted the COPPA Rule for reexamination again in 2019. The December 20 NPRM is the culmination of that reexamination process, which began four years ago.
The FTC’s Proposed Updates to the Rule
The FTC’s proposed updates to the COPPA Rule are largely incremental and in step with its enforcement actions over the past four years. The most significant proposed changes are aimed at restricting commercial or advertising use of children’s personal information, limiting retention of children’s personal information, adding more structure to protecting the security of children’s personal information, and adding greater clarity as to when schools can provide consent to an online service’s collection of personal information on behalf of parents. Following are some of the most significant updates the FTC has proposed to the COPPA Rule and highlighted in its press release:
- Separating Verifiable Parental Consent for the Disclosure of Children’s Personal Information: Under the updated Rule, operators of online services directed to children (Operators) would be required to obtain separate verifiable parental consent for disclosures of a child’s personal information to third parties, including advertisers, unless the disclosures are integral to the nature of the service. Parents would have the option to refuse disclosure of the child’s personal information to a third party. The child’s access to the website or online service could not be conditioned on the provision of parental consent. This update reflects the FTC’s move toward requiring granular consents for uses of personal information.
- Reinforcing the Rule Prohibiting the Conditioning of Participation on the Collection of Personal Information: The proposed updates make clear that the COPPA Rule’s prohibition against conditioning a child’s participation in an activity on the collection of more personal information than is reasonably necessary for the child to participate in a game, qualify for or receive a prize, or participate in another activity applies even if the Operator obtains consent to use such information for reasons beyond those reasonably necessary to provide the service. In addition, the FTC now proposes revising the definition of “activity” to clarify that it covers “any activity offered by a website or online service, whether that activity is a subset or component of the website or online service or is the entirety of the website or online service.”
- Narrowing the Internal Operations Exception: The FTC proposes changing the internal operations exception that allows Operators to collect persistent identifiers (such as an IP address, a customer number held in a cookie or a unique device identifier that can recognize a user over time and across different online services) without obtaining verifiable consent, as long as no other personal information is collected and the persistent identifier is used solely to provide “support for the internal operations of the website or online service.” Under the updated Rule, an Operator would have to specifically identify the internal operations practices for which it collects the persistent identifier and the means by which it will ensure that this identifier is not used or disclosed to contact a specific individual (including through targeted advertising). Operators relying on the internal operations exception would also need to provide an online public notice of these practices and means.
- Limiting the Use of Push Notifications to Encourage Use of a Service: Under a proposed amendment to COPPA, Operators using children’s personal information to encourage kids to continue using the service would have to clearly and directly notify parents of that usage when obtaining verifiable parental consent. Further, Operators would not be able to use online contact information and persistent identifiers collected under COPPA’s multiple contact and internal operations exceptions to send push notifications to children to encourage their use of a service without first obtaining verifiable parental consent.
- Limiting the School Authorization Exception: Operators of some ed tech services rely on schools to provide verifiable consent on behalf of parents to the collection of students’ personal information. The proposed COPPA Rule would limit Operators of these services to using such personal information for school-authorized educational purposes and not for any commercial purpose.
- Reinforcing Transparency in the Safe Harbor Program: The proposed COPPA Rule would impose additional requirements on COPPA Safe Harbor programs by requiring each program to apply the increased data security requirements (discussed below) to its members; perform a comprehensive review of each member’s privacy and security policies; and publicly identify its members, their approved websites and services, and any member’s departure from the program.
- Implementing New Data Security Requirements: The proposed COPPA Rule provides more structure on the “reasonable procedures” Operators must establish to maintain the confidentiality, security and integrity of children’s personal information. These procedures are modeled after the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), which applies to financial institutions. First, Operators would need to implement and maintain a written comprehensive security program, including safeguards that are appropriate to the sensitivity of children’s information and to the Operator’s size, its complexity, and the nature and scope of activities offered. The Operator would also need to identify an employee to coordinate the security program, and to review and test the program at least annually. Finally, Operators would need to obtain written assurances that any third parties receiving children’s personal information will “employ reasonable measures to maintain the confidentiality, security and integrity of the information.”
- Implementing Data Retention and Deletion Requirements: The proposed modification to the COPPA Rule would clarify that Operators are only allowed to keep children’s personal information for as long as needed to fulfill the specific purpose for which such information was collected, and not for any secondary purposes. An Operator would also be required to delete children’s personal information when it no longer needs the personal information to perform the purpose for which that information was collected. The proposed COPPA Rule would also require Operators to establish, and make public, a written data retention policy for children’s personal information to avoid indefinite retention.
Though the FTC proposed numerous changes to the COPPA Rule, the FTC also explicitly declined to make some changes requested by commenters that would have broadened the COPPA Rule’s scope, as follows:
- Expanding the Definition of “Website or Online Service Directed to Children”: Some of the public comments submitted to the FTC advocated expanding the COPPA Rule’s definition of “website or online service directed to children” to include websites and online services that do not include traditionally child-oriented activities but still have large numbers of child users. The FTC rejected that proposal, stating that it “already considers demographics of a website’s or online service’s user base in its determination” of whether a particular website or online service is child-directed.
- Modifying the Knowledge Standard: The FTC also rejected suggestions that it change the COPPA Rule’s standard for determining when general audience services must comply with COPPA from “actual knowledge” to “constructive knowledge,” finding that making such a change would be outside of its statutory authority and noting that Congress had already rejected a constructive knowledge approach when it enacted COPPA.
Key Takeaways
In light of the proposed changes, Operators should be prepared to take steps to modify their COPPA compliance programs to adhere to the proposed updates to the COPPA Rule, assuming the new Rule goes into effect without modifications after the 60-day notice-and-comment period expires. In particular, Operators should be prepared to update their COPPA compliance programs to:
- Collect the separate parental consents required for disclosing children’s personal information to advertisers and other third parties;
- Develop and implement a children’s data retention program that is publicly available;
- Implement an information security program, and review and test that program at least annually; and
- To the extent an Operator relies on the internal operations exception to the COPPA Rule, update its online privacy policy to identify the specific internal operations for which children’s identifiers are used.
[1] Children’s Online Privacy Protection Rule, Section 312.11.