On January 11, 2024, the Federal Trade Commission (“FTC”) published in the Federal Register a Notice of Proposed Rulemaking (“NPRM”) to modify the Children’s Online Privacy Protection Rule (“COPPA Rule”), a set of regulations implementing the Children’s Online Privacy Protection Act (“COPPA”) statute. Overall, the NPRM seeks to strengthen and clarify the COPPA Rule in response to technological advances and changes in the way children interact with online offerings. In particular, the NPRM follows a public comment period in which the FTC noted novel issues affecting the COPPA Rule, including the educational technology sector, voice-enabled connected devices, and platforms directed to general audiences that host third-party content directed to children. Comments on the NPRM are due on March 11, 2024.
I. Background
The COPPA Rule, which was issued in 1999 and last amended in 2013, generally applies to “any operator of a Web site or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child.” The COPPA Rule defines the term “personal information” to include the following:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A Social Security number;
- A “persistent identifier” that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
In general, the COPPA Rule requires that operators:
- Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, while prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security;
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use; and
- Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
II. Summary of Key Proposals
The following summarizes some of the NPRM’s key proposed modifications to the COPPA Rule and potential areas for comment.
- Definition of “Personal Information”
The FTC proposes adding biometric data to the definition of “personal information,” specifically, “[a] biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data.”
The FTC has decided not to add data inferred about children to the definition of “personal information,” explaining that the COPPA statute expressly pertains to the collection of personal information from a child, and therefore any information collected from a source other than a child is outside the scope of COPPA. Nonetheless, the FTC notes that inferred data could be subject to COPPA if it is combined with data that meets the definition of “personal information.”
- Definition of “Website or Online Service Directed to Children”
The FTC has declined to substantively change the definition of “website or online service directed to children.” In its initial comment period for the amended COPPA Rule, the FTC considered such a change to address online offerings that do not include activities that are traditionally seen as child-oriented but still have many child users. However, the NPRM notes that the current definition already allows the FTC to consider several factors in assessing whether an online service is child-directed, including reviewing “competent and reliable empirical evidence regarding audience composition.” As such, the FTC believes it is already able to account for the number of child users of an online service.
However, the FTC does propose changes to the definition for clarity. For example, the FTC suggests (1) adding illustrative examples of types of evidence it will consider in analyzing intended audiences and audience composition, (2) clarifying that service providers are directing services to children when they have actual knowledge that they are collecting personal information from users of another service directed to children whether or not it is collected “directly,” and (3) including a stand-alone definition for “mixed audience website or online service.”
The FTC seeks additional comment on whether it should provide an exemption from the definition. Specifically, the FTC is considering an exemption under which a website or service would not be determined to be child-directed if no more than a specific percentage of its users are likely to be children under the age of 13. For example, the FTC seeks comment on whether an exemption should exist as an incentive to encourage analyses of user base composition, how to best determine the likely age of users, and what the percentage cutoff should be.
The FTC declines to change the knowledge standard from “knowingly” to constructive knowledge, noting that legislative history indicates that Congress intended for the standard to be “actual knowledge.” It also declines to implement the considered modification of permitting general audience platforms to rebut the presumption that all users of any child-directed content are actually children, reasoning that practicality concerns outweigh potential benefits and that the “mixed audience” category adds flexibility.
- Parental Consent
The FTC proposes a number of changes to the COPPA Rule’s verifiable parental consent requirement, which requires operators to obtain verifiable parental consent before collecting, using, or disclosing a child’s personal information. Currently, the COPPA Rule requires operators to give parents the option to consent to the collection and use of their child’s information without consenting to its disclosure, but does not require separate consent for the disclosure of a child’s information to third parties.
The FTC proposes to require operators to obtain separate verifiable parental consent for disclosures of a child’s personal information unless such disclosures are integral to the nature of the website or online service. This would provide parents with greater control over disclosures of their children’s personal information. In addition, the FTC proposes to prohibit operators from conditioning access to a website or online service on separate verifiable parental consent for disclosures.
The FTC also proposes changes to the permissible methods for obtaining verifiable parental consent. First, it proposes removing the monetary transaction requirement when a parent provides consent through a credit or debit card or other online payment system, noting that consent can be obtained in this manner without the payment of a fee. The FTC also proposes allowing some new parental consent methods: text message, knowledge-based authentication, and facial recognition technology.
Relatedly, the FTC proposes to add “an identifier such as a mobile telephone number provided the operator uses it only to send a text message” to the illustrative list of types of “online contact information.” In practice, this would permit operators to obtain parental consent through a text message.
- School Authorization Exception
The FTC proposes to add a school authorization exception that would codify existing FTC guidance on the application of COPPA to education technology providers. Specifically, the FTC proposes to codify its guidance that schools, state educational agencies, and local educational agencies may authorize the collection of personal information from students younger than 13 in limited circumstances for a school-authorized education purpose and no other commercial purpose.
The FTC also proposes to add the term “school-authorized education purpose,” which would be defined as “any school-authorized use related to a child’s education.” Notably, this would include product improvement and development related to the school-authorized service but would not cover the development or improvement of a different service. This exception would also require the education technology provider and school to execute a written agreement that meets certain requirements (e.g., it must include language limiting the operator’s use and disclosure of the personal information to school-authorized education purposes).
- Notice Requirements
The FTC proposes to require various new disclosures in direct notices to parents as well as online notices. In direct notices, operators would be required to disclose (1) how they intend to use a child’s personal information, (2) when they have already collected a child’s name or online contact information, (3) categories of third parties with whom they are sharing a child’s personal information and the purposes for such sharing, and (4) that parents can consent to collection and use of their child’s information without consenting to its disclosure (unless that disclosure is integral to the nature of the online service).
For online notices, operators would be required to disclose the internal operations for which persistent identifiers are collected and how they protect those identifiers from being impermissibly tied to specific individuals. They must also disclose how any audio files will be used and promise to delete these files immediately after responding to the request for which they were generated. In addition, operators must provide more information about disclosure and retention practices and policies.
- Security Requirements
While the current COPPA Rule already requires operators to maintain reasonable procedures to protect children’s personal information, the FTC proposes to add clarity and prescriptiveness to current security requirements. Under these proposed modifications, operators would be required to establish, implement, and maintain a written children’s personal information security program (“CPISP”) with safeguards appropriate to the sensitivity of the children’s personal information collected and the operator’s size, complexity, and nature and scope of activities. As part of a CPISP, the FTC proposes to require operators to (1) designate someone responsible for coordinating the CPISP; (2) perform annual risk assessments; (3) design, implement, and maintain safeguards to control the risks identified in such risk assessments; (4) regularly test and monitor the effectiveness of the aforementioned safeguards; and (5) evaluate and modify the CPISP annually.
- Data Retention
The FTC proposes to further clarify that operators may retain personal information for “only as long as is reasonably necessary to fulfill the specific purpose(s) for which the information was collected and not for a secondary purpose.” In addition, the FTC proposes requiring operators to establish, implement, maintain, and publish a written data retention policy setting forth the purposes for which children’s personal information is collected, the business need for retaining such information, and a timeframe for deletion of such information that precludes indefinite retention.
III. Takeaways
The NPRM proposes a revised COPPA Rule that permits continued flexibility while addressing technological advancements and changes in the way children interact with online resources. Organizations subject to COPPA should consider submitting comments, which are likely to help shape the final rule. Notable proposed modifications and potential areas of comment include:
- The addition of biometric data to the definition of “personal information”;
- Clarifications to the definition of “website or online service directed to children” and a potential exemption from this definition;
- A new requirement to obtain separate verifiable parental consent for disclosures of a child’s personal information, unless these disclosures are integral to the nature of the website or online service;
- Broadening of the permissible methods for obtaining verifiable parental consent, tracking new realities of how parents interact with personal devices;
- The addition of a school authorization exception from the parental consent requirement;
- New disclosures required in direct and online notices;
- The requirement to implement a written children’s personal information security program; and
- Data retention requirements.
For more information on the NPRM, to better understand how these proposed modifications may impact your organization, or for assistance with submitting comments, please contact the professionals listed below or your regular Crowell & Moring contact.
For further information, please contact:
Jeffrey L. Poston, Partner, Crowell & Moring
jposton@crowell.com