FTC Proposes Changes to COPPA Rule

Published: Dec. 21, 2023

Updated: Jan. 27, 2025

UPDATE – January 27, 2025:

The Federal Trade Commission has finalized changes to the Children’s Online Privacy Protection Rule (“COPPA” or the “Final Rule”). The final amendments will become effective 60 days after publication in the Federal Register, and entities subject to the Final Rule will have one year from publication to comply.

The Commission made several notable updates to the Final Rule including: 

  • a new definition of “mixed audience”, 
  • new consent requirements for third-party disclosures (including advertising), 
  • an expanded definition of personal information, 
  • new methods for verifiable parental consent, 
  • additional notice requirements for support for internal operations or audio data uses, 
  • new data retention and security requirements, and 
  • additional obligations for Safe Harbor programs.  

The FTC opted not to finalize its proposed amendments for ed tech vendors and the role of schools, citing potential forthcoming amendments to FERPA, or its proposed amendments limiting operators from sending push notifications (or otherwise using data collected pursuant to an exception).

We provide some key highlights of the updates: 

  • Privacy Policy:  An operator must disclose in its Privacy Policy, if applicable: 
    • the specific internal operations for which it uses persistent identifiers, and the means used to ensure such data is not used in violation of COPPA, and 
    • a description of how the operator uses audio files that are exempt from COPPA’s consent requirements and that the operator deletes such audio files immediately afterward.
  • Mixed Audience:  A “mixed audience website or online service” is now defined under the Final Rule, and operators of these sites or services are permitted to collect personal information for limited purposes before determining a visitor’s age. 
  • Personal Information:  The definition of “personal information” now includes biometric and government-issued identifiers.  
  • Disclosures to Third Parties such as Targeted Advertising:  Operators must obtain separate verifiable parental consent for targeted advertising and/or other disclosures of children’s personal information to third parties. 
  • Verified Parental Consent:  Operators can now collect mobile phone numbers in connection with obtaining consent. Moreover, operators may use a “text plus” method for obtaining verifiable parental consent, which allows operators to use text messages sent to parents to obtain consent, with requirements similar to those for the “email plus” method.
  • Retention Periods:  Operators can only retain data as long as reasonably necessary to fulfill the purpose it was collected for, or for a secondary purpose if the operator provides notice and obtains verifiable parental consent.
  • Security Requirements:  The Final Rule contains security requirements for collecting and using children’s data, mirroring the typical written security programs required under state privacy laws.
  • Safe Harbor Programs:  FTC-approved COPPA Safe Harbor programs must publicly disclose their membership lists, including certified websites or online services, and update the list every six months. Additionally, Safe Harbor programs must provide the FTC with more information in their annual reports.

UPDATE – January 16, 2024: 

The proposed rule changes have been published in the Federal Register. Comments are due by March 11, 2024.


The Federal Trade Commission (“FTC”) announced proposed changes to the Children’s Online Privacy Protection Rule (“COPPA” or the “Rule”). The notice of proposed rulemaking (“NPRM”) outlines new restrictions on the use and disclosure of children’s data. The NPRM is seeking comments on the proposed rule changes within 60 days of publication in the Federal Register (this typically takes several days)—meaning comments will likely be due toward the end of February.  

The NPRM proposes the following notable changes:

Separate Consent for Disclosure & Targeted Advertising

  • COPPA covered entities seeking to disclose information to third parties, including advertising partners, would be required to obtain verifiable parental consent that is separate from the typical verifiable parental consent to collect and use the information (unless the disclosure is integral to the service). 

Data Retention Policies

  • The revised Rule would prohibit operators from (i) retaining information for longer than necessary to fulfill the specific purpose, (ii) using the information for secondary uses, and (iii) retaining information indefinitely. 
  • Operators would be required to develop a written retention policy for children’s data that includes a timeframe for deletion and to include such policy within their children’s privacy notice.  

Actual Knowledge Standard & Third Parties

  • The NPRM modifies the definition of “website or online service directed to children” to include third parties who have actual knowledge that the information collected or obtained belongs to children even if the third party did not collect the information directly from users. 
  • Importantly, the proposal does not change the actual knowledge standard to adopt a constructive knowledge standard.

Ed Tech Providers

  • The proposed changes codify the FTC’s existing Ed Tech guidance, allowing schools to provide COPPA consent in lieu of a parent as long as the collection and use is for a school-authorized educational purpose (which cannot include advertising). 
  • Operators would be required to make reasonable efforts to notify schools (in a form compliant with the Rule) of their collection and use practices and obtain consent.
  • Operators will be required to have an agreement with the school that includes specific elements.

Push Notifications & Other Nudging

  • Operators would be prohibited from sending push notifications (or otherwise using data collected pursuant to an exception) to encourage use of the service without parental consent. 

Safe Harbor Programs

  • Safe harbor programs would be required to publicly disclose their membership lists and annually report to the Commission any operators that have left their program.
  • Safe harbor programs would be required to submit copies of “each consumer complaint” reported to the safe harbor program, along with a summary of “each disciplinary action.” Today, safe harbor programs operate entirely independently and take confidential disciplinary actions against their members. This, along with a triennial review program, would substantially increase the transparency around safe harbor programs. 

Addition of Mobile Number to Online Contact Information

  • The proposed Rule revises the definition of “online contact information” to include a mobile phone number. Operators may send a text message to provide parents notice and/or to obtain consent.  

Notice Updates

  • Operators would be required to provide notice of data retention policies (see data retention requirement above). 
  • Operators that collect persistent identifiers under the internal operations exception would be required to describe in their privacy policy the specific internal operations for which they use the identifiers and the practices that prevent use of the identifiers for contacting a specific individual. 

Data Security

  • The modified Rule would expand existing security requirements by requiring operators to establish formal security programs to safeguard children’s data. The Rule would require operators to (i) implement a written security program for children’s personal information, (ii) designate an employee to coordinate this security program, (iii) conduct annual risk assessments and implement accompanying safeguards, (iv) “regularly” test and monitor the effectiveness of the safeguards, and (v) take “reasonable steps” to conduct security diligence on any other operators, service providers, or third parties that collect or maintain children’s personal information on the operator’s behalf.
  • This would formally extend to COPPA the same types of security requirements that the FTC has been adopting in other contexts and mandating in enforcement proceedings.

Mixed Audience Services

  • The NPRM revises the definitions to separately define “Mixed audience website or online service,” which was previously included in the definition of “website or online service directed to children.”  As before, mixed audience services are “directed to children,” but do not target children as their “primary audience.” Similar to the current rule and consistent with FTC guidance:
    • Mixed audience services would not be permitted to collect personal information until the business has collected age or used another method reasonably calculated to determine if the visitor is a child. A mixed audience service is not directed to children for visitors not identified as under 13.  
    • Where collecting age or otherwise determining if a visitor is a child, mixed audience services would be required to do so in a neutral manner and could not default to a set age or encourage visitors to falsify age information prior to collecting personal information. 

Conditioning Consent 

  • The FTC’s proposal reinforces the prohibition on conditioning participation in activities based on consent to collect.