Madelyn Strohm 

On December 20, 2023, the Federal Trade Commission (“FTC”) announced proposed changes to its Children’s Online Privacy Protection Act Rule (“Rule” or “COPPA Rule”).[1] The proposed changes aim to keep up with changes in technology and how businesses are using children’s information collected online.[2] The updated Rule aims to further enhance children’s privacy online by (1) expanding the definition of “personal information” under the Rule to include biometric identifiers, (2) preventing companies from abusing exceptions to consent policies, and (3) requiring companies to establish an express policy for retention and deletion of children’s personal information.[3]

History of the Act and Previous Changes to the Rule

The Children’s Online Privacy Protection Act was enacted in 1998.[4] The Act was passed in direct response to FTC research finding that websites for children were collecting their personal information without requesting permission from their parents, with the information ranging from their names to their parents’ income, or even Social Security Numbers.[5] The goal of the Act was to enhance children’s safety by ensuring their parents had knowledge and control of the collection of information from their children.[6]

Congress gave the FTC the power to issue and enforce regulations under the Act, and the FTC issued the COPPA Rule.[7] The Rule applies to operators of websites directed at children or any online service operators who have actual knowledge that they are collecting personal information from a child.[8] The Rule requires that these websites provide notice about their collection of personal information from children, how they use the information, and their practices for disclosure, and requires parental consent before they collect, use or disclose the information.[9] Personal information includes various types of information, like a child’s name, address, contact information, or Social Security Number.[10]

In its latest amendments to the Rule in 2013, the FTC expanded personal information to include “persistent identifiers,” like IP addresses, device serial numbers, or precise geolocations.[11] In 2019, the FTC issued a Rule Review Invitation and received more than 175,000 comments that helped it identify several areas for improvement, which are reflected in the proposed changes.[12]

Key Aspects of the Proposed Changes to the Rule

  1. Expanding the definition of personal information to include biometric data.

The first proposed expansion of the Rule would modify the Rule’s definition of “personal information” to include biometric identifiers that companies can use for automated recognition of individuals, including fingerprints, handprints, retina and iris patterns, genetic data, or data derived from voice data, gait data, or facial data.[13] Many of the comments by the public addressing biometric data supported its inclusion in the definition of personal information, noting that biometric data is uniquely susceptible because of its “permanent and unalterable nature.”[14] Additionally, some states have expanded their definition of personal information to include biometric data, as have other federal laws, like the Department of Education’s Family Educational Rights and Privacy Act (“FERPA”) regulations.[15] In his remarks on the proposed updates to the Rule, FTC Commissioner Bedoya cited “the beginning of an era of biometric fraud” and concern for how companies are protecting children’s biometric data against breaches, fraud and abuse.[16]

  2. Narrowing current exceptions to parental consent policies to prevent websites from encouraging children to engage with online platforms without parental consent.

The FTC also proposed expanding its list of use restrictions for persistent identifiers.[17] The 2013 amendments allowed for an exception to the prohibition on the use of persistent identifiers, like IP addresses, if they were used for the “sole purpose of providing support for the internal operations of the website or online service.”[18] In the most recent round of comments, organizations expressed concern that this exception is overly broad and allows companies to shirk their COPPA obligations.[19] Commenters argued, and the FTC agreed, that this exception should not be allowed to promote increased site usage by children without verifiable parental consent.[20] This change would prevent companies from using or disclosing persistent identifiers to increase children’s attention and engagement, including using the information to send push notifications to the child reminding or encouraging them to engage with the company’s website or service without consent from parents.[21]

  3. Prohibiting companies from retaining children’s personal information indefinitely and requiring a written policy on data retention.

Finally, the proposed updates clarify the portion of the 2013 amendment that prohibits indefinite retention of children’s personal information.[22] Commenters from consumer groups argued that allowing companies to use the permissive “only as long as is reasonably necessary” standard for retention of children’s information allowed operators to both retain data unnecessarily and use it for purposes other than those understood by parents in their initial consent.[23] As such, the FTC intends to clarify that operators can only retain children’s personal information for the specific purpose for which it was collected, and not for any secondary uses.[24] The FTC will also require operators to establish a written data retention policy addressing businesses’ need for retention of children’s personal information, as well as a timeframe for deletion to prevent indefinite retention and further use.[25]

Conclusion

Though the proposed changes do not incorporate every request from commenters, they reflect the most prominent concerns raised by commenters across a variety of industries and platforms.[26] At the end of the notice of the proposed changes, the FTC highlighted questions it was still considering and asked for additional comments, indicating that additional changes are still possible.[27] The public has sixty days from the proposal’s publication in the Federal Register to submit additional comments.[28]

 

[1] Fed. Trade Comm’n, Statement of Commissioner Bedoya on the Issuance of Notice of Proposed Rulemaking to Update the Children’s Online Privacy Protection Rule (Dec. 20, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/BedoyaStatementonCOPPARuleNPRMFINAL12.20.23.pdf.

[2] Children’s Online Privacy Protection Rule, 89 Fed. Reg. 2034, 2034 (Jan. 11, 2024) (to be codified at 16 C.F.R. pt. 312).

[3] Fed. Trade Comm’n, supra note 1.

[4] 15 U.S.C. §§ 6501 et seq.

[5] Fed. Trade Comm’n, Privacy Online: A Report to Congress 31-42 (1998).

[6] Id. at iii-iv; Fed. Trade Comm’n, supra note 1.

[7] 15 U.S.C. § 6502(b); 16 C.F.R. § 312 (2013).

[8] 16 C.F.R. § 312.3.

[9] Id.

[10] Id. § 312.2.

[11] Id.

[12] Children’s Online Privacy Protection Rule, 89 Fed. Reg. at 2035.

[13] Id. at 2041.

[14] Id.

[15] Id.; 34 C.F.R. § 99.3 (1988).

[16] Fed. Trade Comm’n, supra note 1.

[17] Children’s Online Privacy Protection Rule, 89 Fed. Reg. at 2042-43.

[18] Id. at 2044.

[19] Id.

[20] Id. at 2045.

[21] Id.

[22] Id. at 2062.

[23] Id.

[24] Id.

[25] Id.

[26] Id. at 2044, 2062.

[27] Id. at 2069; Allison Grande, FTC Targets Data Profits with Kids’ Privacy Rule Changes, Law360 (Dec. 20, 2023 7:56 PM), https://www.law360.com/articles/1779564/ftc-targets-data-profits-with-kids-privacy-rule-changes.

[28] Children’s Online Privacy Protection Rule, 89 Fed. Reg. at 2034.