UPDATE – January 16, 2024: The proposed rule changes have been published in the Federal Register. Comments are due by March 11, 2024.
The Federal Trade Commission (“FTC”) announced proposed changes to the Children’s Online Privacy Protection Rule (“COPPA” or the “Rule”). The notice of proposed rulemaking (“NPRM”) outlines new restrictions on the use and disclosure of children’s data. The NPRM is seeking comments on the proposed rule changes within 60 days of publication in the Federal Register (this typically takes several days)—meaning comments will likely be due toward the end of February.
The NPRM proposes the following notable changes:
Separate Consent for Disclosure & Targeted Advertising
- COPPA covered entities seeking to disclose information to third parties, including advertising partners, would be required to obtain verifiable parental consent that is separate from the typical verifiable parental consent to collect and use the information (unless the disclosure is integral to the service).
Data Retention Policies
- The revised Rule would prohibit operators from (i) retaining information for longer than necessary to fulfill the specific purpose, (ii) using the information for secondary uses, and (iii) retaining information indefinitely.
- Operators would be required to develop a written retention policy for children’s data that includes a timeframe for deletion, and to include that policy in their children’s privacy notice.
Actual Knowledge Standard & Third Parties
- The NPRM modifies the definition of “website or online service directed to children” to include third parties who have actual knowledge that the information collected or obtained belongs to children even if the third party did not collect the information directly from users.
- Importantly, the proposal does not change the actual knowledge standard to adopt a constructive knowledge standard.
Ed Tech Providers
- The proposed changes codify the FTC’s existing Ed Tech guidance, allowing schools to provide COPPA consent in lieu of a parent as long as the collection and use is for a school-authorized educational purpose (which cannot include advertising).
- Operators would be required to make reasonable efforts to notify schools (in a form compliant with the Rule) of their collection and use practices and obtain consent.
- Operators would be required to have an agreement with the school that includes specific elements.
Push Notifications & Other Nudging
- Operators would be prohibited from sending push notifications (or otherwise using data collected pursuant to an exception) to encourage use of the service without parental consent.
Safe Harbor Programs
- Safe harbor programs would be required to publicly disclose their membership lists and annually report to the Commission any operators that have left their program.
- Safe harbor programs would be required to submit copies of “each consumer complaint” reported to the safe harbor program, along with a summary of “each disciplinary action.” Today, safe harbor programs operate entirely independently and take confidential disciplinary actions against their members. This, along with a triennial review program, would substantially increase the transparency around safe harbor programs.
Addition of Mobile Number to Online Contact Information
- The proposed Rule revises the definition of “online contact information” to include mobile phone number. Operators may send a text message to provide parents notice and/or to obtain consent.
Notice Updates
- Operators would be required to provide notice of data retention policies (see data retention requirement above).
- Operators that collect persistent identifiers under the internal operations exception would be required to include in their privacy policy a description of the specific internal operations for which they use the identifiers and how they prevent the identifiers from being used to contact a specific individual.
Data Security
- The modified Rule would expand existing security requirements by requiring operators to establish formal security programs to safeguard children’s data. The Rule would require operators to (i) implement a written security program for children’s personal information, (ii) designate an employee to coordinate this security program, (iii) conduct annual risk assessments and implement accompanying safeguards, (iv) “regularly” test and monitor the effectiveness of the safeguards, and (v) take “reasonable steps” to conduct security diligence on any other operators, service providers, or third parties that collect or maintain children’s personal information on the operator’s behalf.
- This would formally extend to COPPA the same types of security requirements that the FTC has been adopting in other contexts and mandating in enforcement proceedings.
Mixed Audience Services
- The NPRM revises the definitions to separately define “Mixed audience website or online service,” which was previously included in the definition of “website or online service directed to children.” As before, mixed audience services are “directed to children” but do not target children as their “primary audience.” Similar to the current rule and consistent with FTC guidance:
- Mixed audience services would not be permitted to collect personal information until the business has collected age information or used another method reasonably calculated to determine if the visitor is a child. A mixed audience service is not directed to children with respect to visitors not identified as under 13.
- When collecting age information or otherwise determining if a visitor is a child, mixed audience services would be required to do so in a neutral manner and could not default to a set age or encourage visitors to falsify age information prior to collecting personal information.
Conditioning Consent
- The FTC’s proposal reinforces the prohibition on conditioning participation in activities based on consent to collect.