FTC proposes amendments to COPPA to expand child online protections

The Federal Trade Commission (FTC) is proposing additional revisions to the Children’s Online Privacy Protection Rule (COPPA or the “Rule”) that will strengthen the privacy and protection of information belonging to children under the age of 13, and eliminate further monetization of children’s information for commercial use. The revision to this Rule will also allow children to access online websites or services without the condition that they have to share personal information. With these revisions, the FTC aims to reduce stress on parents when monitoring their child’s online activity and allow children more protection when navigating the online world.

COPPA, 15 U.S.C. 6501, was enacted in 1998 by Congress to develop and implement rules surrounding children and online safety. The statute directed the FTC to develop and implement regulations following COPPA requirements through rulemaking. The Rule came into effect in 2000, and was further revised in 2013, which imposed certain requirements on website operators and/or online services. Under the Rule, an operator must give notice to parents and obtain parental consent before collecting, using, or disclosing personal information from a child under 13 years old. The Rule further requires that parents be given the opportunity to review what information is being collected about their child, the option to delete that information, and the opportunity to change what information may be collected in the future.

The FTC initiated the latest review of the Rule in 2019, resulting in almost 200,000 comments for further revision. These comments were taken under consideration, and the FTC has now proposed several changes, including:

• Requiring service operators to obtain separate, verified parental consent for disclosure to third parties and third-party advertisers, unless the disclosure is necessary to the nature of the website or service. Access to services cannot be restricted if a person opts not to disclose information to third parties.
• Prohibiting an operator from requiring a child to consent to data collection for website participation.
• For operators that fall under the internal operations exception, requiring operators to list a public notice on why they have collected identifiers without parental consent and what necessary internal operations the identifiers are being used for.
• Limiting push notifications to children to stay online and continue use of their service.
• Allowing education technology providers to collect, use, and disclose student information, but only for school-related and/or educational purposes. Any disclosure for commercial use is prohibited.
• Public disclosure of COPPA Safe Harbor program membership and additional reporting to the FTC.
• Mandates that require operators create, implement, and maintain a written security program that contains the appropriate safeguards for information collected from minors.
• Limiting and restricting operators to only retain data for a primary purpose, and only keeping that data for the necessary time period to fulfill the purpose it was collected for.

In an ever-evolving online landscape, the FTC is working to respond to those changes and protect the safety of children online, evidenced by the continuous development of the COPPA Rule. FTC will be taking public comments or recommendations for the Rule until March 11, 2024.

If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.