FTC Proposes Significant and Sweeping Changes to COPPA and Requests Public Comment

On January 11, 2024, the Federal Trade Commission (“FTC”) published in the Federal Register its Notice of Proposed Rule Making (“NPRM”) seeking to update the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule.  Among other things, the proposed changes would require more granular privacy notices, require fairly detailed identification of, and parental consent to, third-party data sharing (including targeted advertising), expand the scope of personal information subject to COPPA, make it easier for parents to provide consent via text message, clarify various requirements around EdTech, including school authorization for parental consent, and impose significant new programmatic information security and data retention requirements.

COPPA was designed to protect children under the age of 13 on the internet.  COPPA imposes several requirements on regulated entities, including required privacy notices, rules on parental consent, and the establishment of procedures to protect the confidentiality, security, and integrity of information collected from children.  To date, no target of an FTC COPPA enforcement action has proceeded to litigation.

This NPRM follows a 2019 FTC Rule Review Initiation and request for comment related to the COPPA Rule, which resulted in the FTC receiving over 175,000 stakeholder comments. The NPRM would be a significant modernization from the current COPPA Rule to reflect the prominent use of digital and mobile technologies in children’s lives — at home and, especially, at school.  However, while these proposals will significantly add to the COPPA Rule, notable portions reflect recently published guidance or enforcement actions by the FTC interpreting COPPA, and are generally in line with the FTC’s intense focus on children’s privacy.

Key Takeaways of NPRM:

The NPRM responds to several of the public comments and proposes a series of key updates to the COPPA Rule for further comment:

  1. Expanded Scope of Personal Information: The NPRM proposes to expand the definition of “personal information” to also include biometric data.  The NPRM rejected comments requesting the expansion of “personal information” to include data that is inferred about, but not directly collected from, children.  However, the NPRM contemplates that inferred data could fall within COPPA’s scope when it is combined with additional data that would meet the COPPA Rule’s current definition of “personal information.”
  2. Determinations Concerning Whether a Website or Online Service Is Directed to Children: The NPRM does not propose to revise the existing multi-factor test, but it does propose clarifications concerning the evidence the FTC will consider related to audience composition and intended audience (providing certain examples the FTC will consider, such as “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services”).  Moreover, the NPRM notes that a “mixed audience website or online service” is one that meets the criteria of the Rule’s multi-factor test but does not target children as the primary audience.
  3. EdTech and Consent From Schools: The NPRM explicitly contemplates the EdTech sector and proposes to formalize the FTC’s 2022 guidance on EdTech.  For instance, the NPRM proposes two new definitions, “school” and “school-authorized education purpose,” which would codify FTC guidance and permit operators to rely on a school authorization to collect and process children’s personal information in certain circumstances without parental authorization.  Such authorization would need to be accompanied by a written agreement meeting the COPPA Rule’s requirements, and would only be provided when the data is used for a school-authorized purpose and not a commercial purpose (such as advertising).  However, such uses could permit EdTech companies to use personal information for product improvement and development purposes provided that such use is directly related to the services the school authorized.
  4. Requiring Explicit Parental Consent for Third-Party Disclosure of Children’s Information: If enacted, the revised COPPA Rule would require companies to provide parents the option to consent to the collection and use of a child’s personal information without consenting to the disclosure of such information to third parties (requiring separate verifiable consent for such disclosures).  However, such consent would not be required when such disclosure is integral to the nature of the website or online service.
  5. Requiring Specific Disclosures to Rely on the “support for internal operations” Exception: Currently, operators can collect personal information from children without parental consent if such personal information is only used to support internal operations.  The FTC’s contemplated rule would require operators to disclose in their online notice the specific operations for which they are collecting persistent identifiers and the protections in place to ensure that such information is not used for other purposes.  In the proposing release, the FTC states that such a rule would be designed to ensure that the operator does not use or disclose the persistent identifier to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, in connection with processes that encourage or prompt use of a website or online service, or for any other purpose, except as permitted by the support for the internal operations exception.
  6. Security Program Requirements: The NPRM proposes to impose revised security requirements on operators to implement and maintain a written comprehensive security program that contains safeguards that are appropriate to the sensitivity of children’s information and to the operator’s size, complexity, and nature and scope of activities.  The NPRM includes several proposed security program elements, such as identifying and, at least annually, performing additional assessments to identify risks to the confidentiality, security, and integrity of personal information collected from children; designing, implementing, and maintaining safeguards to control any identified risks, as well as testing and monitoring the effectiveness of such safeguards; and, at least annually, evaluating and modifying the information security program.
  7. Data Retention and Deletion: The NPRM would impose new data retention policies to clarify that operators could only retain data as reasonably necessary for the specific purpose for which the data was collected, and not for any secondary purpose. Moreover, the NPRM would require operators to post their data retention policies on their website or online service.
  8. Verifiable Parental Consent: The NPRM would also permit the use of text messages to obtain verifiable parental consent, revising the definition of “online contact information” to do so.
  9. COPPA Safe Harbor: The NPRM would require COPPA safe harbor programs to publicly disclose membership lists and report additional information to the FTC.

COPPA has never been fully litigated, and operators are instead relegated to parsing the FTC’s guidance, interpretations, and settlements with companies.  The NPRM appears to reflect certain interpretations and priorities that have emerged in the FTC’s COPPA enforcement trends, including the FTC’s focus on collection of children’s data without consent, age gating, potentially unnecessary retention of children’s data, meaningful and granular parental notice, and concerns around dark patterns.  The NPRM also aligns with a broader national policymaker focus on children’s privacy and online safety.

The revised COPPA Rule, in whatever final form it takes, will almost certainly require operators to undertake significant updates to their COPPA compliance programs.  While some parts of the NPRM would raise compliance burdens and risks for companies subject to the COPPA Rule, and may have particular impact on targeted advertising, other parts may well support innovation and expand children’s access to digital services — particularly in the EdTech space.

The FTC is requesting public comments, which are due by March 11, 2024.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.