FTC Proposes Updates to COPPA Rule

February 12, 2024


On January 18, 2024, the Federal Trade Commission (FTC) discussed its long-anticipated proposed changes for the Children’s Online Privacy Protection Rule (COPPA) in an open meeting. Released in a notice of proposed rulemaking the month prior, these proposed changes would add new restrictions on using and disclosing children’s personal information, as well as new limitations on access and monetization, in the first changes to COPPA since 2012.1

The comment period for the proposed changes closes March 11, 2024.

Background

First enacted in 1998, COPPA was created to establish requirements for Operators of websites or online services regarding how they collect, use and share personal information of children under 13 years of age, in order to give parents more control over information collected from their children.

The COPPA Rule, which was issued by the FTC in 1999 and first went into effect in 2000, requires certain websites and other online services that collect personal information from children under the age of 13 (called “Operators”) to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The rule also limits the personal data that websites and other online services can collect from children, limits how long they can retain such data and requires them to secure the data.

The last amendments to the COPPA Rule went into effect in 2013 and attempted to address the impact of social media and mobile devices. The new proposed rules that were issued on December 20, 2023 impose significant new obligations on Operators.

Proposed Updates

The FTC’s proposed changes include the following:

  • Separate Opt-In for Third Party Disclosures

Building on existing consent requirements, the proposed changes would require Operators to obtain a separate consent to disclose personal information to third parties, including third party advertisers, except where disclosure is integral to the nature of the website or online service. Operators must make clear to parents that they are able to consent to the collection and use of their child’s information without consenting to that information being disclosed. Operators would also be prohibited from conditioning access to the website or online service on this consent.2

  • Expanding the Scope of the COPPA Rule to Cover Biometric Data

The proposed change would expand the definition of “personal information” to include biometric identifiers that can be used for the automated or semi-automated recognition of an individual, like fingerprints, handprints, retina and iris patterns, genetic data or data derived from voice, gait or facial data. The FTC stated that this change will enable the rule to keep up with more advanced modes of identification.3

  • Codifying the FTC’s Ed Tech Guidance

The FTC proposes codifying its current guidance on the use of education technology, allowing schools to authorize ed tech vendors to collect, use and disclose student personal information without express parental consent, for a “school-authorized education purpose” only, and not for commercial purposes.4

  • More Factors for Being Considered a “Website or Online Service Directed to Children”

The proposed changes would add “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services” as examples of evidence the FTC will consider in the multifactor test to determine whether a website or online service is directed to children, among other changes.5 The proposed rule adds a standalone definition for “mixed audience website or online service” for websites that meet the multifactor test criteria but do not primarily target children.6 Where third-party content on a platform is child-directed under the Rule’s multifactor test but the platform does not target children as its primary audience, the Operator can request age information and provide COPPA protections only to those users who are under 13.

  • Increased Data Security Requirements

The proposed changes would strengthen the COPPA Rule’s data security obligations, requiring Operators to establish, implement and maintain a written comprehensive security program that contains safeguards appropriate to the sensitivity of children’s information and to the Operator’s size, complexity, and nature and scope of activities. Under this program, Operators will designate an employee to coordinate the program, perform annual risk assessments, and implement and test controls and safeguards to mitigate the identified risks. Operators that disclose personal information to third parties would also be required to obtain written assurances that recipients will employ reasonable measures to maintain the confidentiality, security and integrity of the information.7

  • Limits on Data Retention

The FTC proposes expanding the COPPA Rule’s data retention limits, permitting the retention of personal information for only as long as reasonably necessary for the specific purpose for which it was collected. The proposed changes add an explicit requirement to delete the information when it is no longer reasonably necessary for the purpose for which it was collected. Operators would also be required to create a written data retention policy specifying the business need for retaining children’s personal information, and the timeframe for deleting it (which cannot be indefinite).8

  • Safe Harbor Program Reporting

The FTC’s COPPA Safe Harbor programs allow industry groups to apply for FTC approval of self-regulatory groups. The FTC’s proposed changes would improve the FTC’s oversight of these programs, increasing transparency and accountability by, for example, requiring Safe Harbor programs to publicly identify their subject Operators and publish descriptions of the Safe Harbor’s business model and copies of each consumer complaint related to alleged violation of the program’s guidelines.9

  • Limits on Internal Operations Exception

The current COPPA Rule allows collection of persistent identifiers without prior verifiable parental consent, provided that the operator (1) does not collect any other personal information and (2) uses the persistent identifier solely to support the “internal operations” of the website or online service. The proposed change would prohibit Operators using this internal operations exception from using or disclosing personal information in connection with processes (including machine learning) that encourage or prompt use of a website or online service. Operators would need verifiable parental consent in order to use or disclose persistent identifiers to optimize user attention or maximize engagement with their website or online service.10

  • Expanding the “Online Contact Information” Definition

This proposed change would amend the definition of “online contact information” by adding “an identifier such as a mobile telephone number provided the operator uses it only to send a text message” to the non-exhaustive list of identifiers considered “online contact information.” The FTC intends this change to allow Operators to collect and use a parent’s or child’s mobile phone number in certain circumstances, such as obtaining parental consent through a text message.11

Next Steps

Companies currently operating under the COPPA Rule should review the proposed changes and determine if they wish to comment by the March 11 deadline. We will continue to monitor these proposed COPPA Rule changes as well as other similar developments. Please contact a member of Akin’s cybersecurity, privacy and data protection team to learn more about how these changes may affect your company.


1 89 Fed. Reg. 2034 (January 11, 2024).

2 Id. at 2051.

3 Id. at 2041.

4 Id. at 2043-44.

5 Id. at 2047.

6 Id. at 2048.

7 Id. at 2061.

8 Id. at 2062.

9 Id. at 2063.

10 Id. at 2045.

11 Id. at 2040.
