Author

Alison Pepper

4As EVP of Government Relations & Sustainability

Topic

  • Government Relations
  • Privacy Law
  • Regulations

On December 20, 2023, the Federal Trade Commission announced a new Notice of Proposed Rulemaking (NPRM), which would update the Children’s Online Privacy and Protection Act (COPPA) rules regulating children’s online data privacy at the federal level. COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The NPRM comes after four years of reviews, workshops, and soliciting public feedback regarding whether the rule needed to be updated. The last time the agency changed COPPA was in 2013.

With the latest proposed rule changes, the FTC says it intends to “shift the burden from parents to providers to ensure that digital services are safe and secure for children.”

The FTC’s proposed modifications to the COPPA Rule include:

  • Mandating that targeted advertising for kids be turned “off” by default, including any necessary disclosures to third parties to facilitate such targeting. Targeted advertising would require separate verifiable parental opt-in consent, with narrow exceptions. The proposal permits operators to bundle such consent with any other consents they obtain to collect, use, and disclose the child’s personal information.
  • Creating a new notice requirement for the “support for internal operations” exception. The FTC did not change the support for internal operations exception, which expressly allows operators to collect persistent identifiers, such as IP addresses, as necessary to serve contextual advertising on their websites or online services. That said, the proposed COPPA Rule does add new disclosure requirements. Operators will now be required to disclose the specific internal operations for which they collect persistent identifiers and the means taken to ensure such identifiers are not used or disclosed to contact specific individuals. The NPRM would require operators who rely on the “support for internal operations” exemption for providing notice and choice (which applies when an operator collects persistent identifiers and no other personal information) to state in their privacy policies the specific internal operations for which they collect such identifiers. Examples of current exception activities impacted include authenticating users, protecting security, ensuring regulatory compliance, personalizing site content, frequency capping, and serving contextual advertising.
  • Establishing limits on push notifications or “nudges” that are intended to keep children online longer. Notice and consent would be required for the use of “engagement-enhancing techniques,” including push notifications.
  • Restricting education technology (aka ed tech) in schools. The use of ed tech would be limited, and the changes would codify guidance that bars students’ personal information from being used for commercial purposes.
  • Bolstering data security, including tightening retention and deletion requirements. Publishers must also implement a written children’s personal information security program.
  • Banning the condition of acceptance based on the collection of personal information. The proposed rulemaking creates a prohibition on conditioning a child’s participation in an activity “on the child’s disclosing more personal information than is reasonably necessary to participate in such activity.” The FTC is also considering expanding the definition of “activity.”
  • Adding clarifying examples for “directed to children” factors. While the NPRM does not put forward policy to eliminate or modify any of the existing factors in its multifactor test to assess whether a website or service is directed to children, the NPRM proposes to include examples indicating that it will consider (1) an operator’s marketing materials and representations about the nature of the operator’s site or service, (2) third-party reviews, and (3) the age of users on similar sites or services in determining whether a website or online service is directed to children.
  • Adding biometric identifiers to the definition of “personal information.” The proposed rulemaking would expand the definition of “personal information” in COPPA to cover biometric identifiers that can be used for the automated or semi-automated recognition of an individual; this includes fingerprints, handprints, retina and iris patterns, genetic data, or information derived from voice data, gait data, or facial data.

The FTC has also asked for stakeholder input on other topics they are considering, indicating there could be other future material changes to any final COPPA Rule. Other areas of rulemaking exploration include:

  • Whether to continue to permit contextual advertising under this exemption, “given the sophistication of contextual advertising today, including that personal information collected from users may be used to enable companies to target even contextual advertising to some extent.”
  • Whether screen or user names should be treated as online contact information even if the name does not allow one user to contact another through the service but could enable one user to contact another by assuming that the user has the same screen or user name on another service, and whether there are measures an operator can take to ensure that a screen or user name cannot be utilized to permit direct contact with a person online.
  • Whether avatars generated from a child’s image constitute personal information under the COPPA Rule even if the image is not uploaded to the service.
  • Whether an exemption should be provided for a site or service being deemed “directed to children” if the operator undertakes an analysis of the audience composition of its site or service and determines that no more than a specific percentage of its users are likely under the age of 13.
  • Whether platforms can play a role in establishing consent mechanisms to enable app developers or other operators to obtain verifiable parental consent.

For advertisers and agencies, the proposed changes would impose more stringent limits on companies’ ability to monetize children’s data. Because contextual advertising doesn’t rely on cookies or other personal identifiers, it has historically been the method of choice for many child-directed websites and services with “actual knowledge” that they’re collecting personal information from a child. While contextual advertising to children will survive the proposed changes to the COPPA Rule, it may be subject to additional limitations.

Comments on the NPRM will be due March 11, 2024, and can be submitted via regulations.gov. The 4As plans to submit written comments on the proposed rule in partnership with the Privacy for America coalition.

Have questions about the proposed COPPA rulemaking? Please contact Alison Pepper, 4As EVP Government Relations & Sustainability.