On December 20, 2023, the Federal Trade Commission (FTC) published its Notice of Proposed Rulemaking to update the Children's Online Privacy Protection Act (COPPA). This is the latest step in a process that started in 2019 with an FTC Request for Comments from lawmakers, regulated businesses, advocacy groups, academics, technologists, and members of the general public regarding proposed updates to COPPA, within an environment of growing attention and public concern over online collection of children's personal information. After considering more than 175,000 submissions in response to the Request for Comments, the FTC has published several significant proposed changes to COPPA that, if ultimately approved, will require regulated companies that direct online services to children under the age of 13 (or have actual knowledge that they are collecting personal information from a child under 13 years of age) to implement significant changes to their business operations. The proposed changes include:
- Separate Opt-In for Targeted Advertising to Children. The FTC proposes a separate opt-in process for third-party sharing or targeted advertising, in addition to the current opt-in parental consent requirement for such activities. For businesses that would seek to promote online engagement with children via push notifications, prior parental consent would be required for such practices.
- New Parental Notice and Consent Requirements. Certain companies are currently relying upon an exception to the consent requirements when the collection of the personal information of the child is limited to "support for the internal operations." While the FTC's new proposals do not include a change to the current rule provisions that allow this exception, the FTC now proposes to require businesses relying on this "internal operations" exception to provide an online notice stating the express internal operations for which the personal information is collected as well as an affirmative statement that such collected information will not be used or disclosed to contact any specific children, such as through targeted advertising.
- Prohibition on Prompting/Encouraging Children to Use Services or Conditioning Activity on Submitting Personal Information. Online businesses would be prohibited from using personal information collected under the above-described "internal operations" exception to prompt or otherwise encourage children to use the online service more often, such as through push notifications. While COPPA already prohibits conditioning a child's activity on providing personal information, the proposals would add new language to clarify the meaning of "activity," potentially expanding the scope of such prohibitions.
- Biometric Information Collection. Under the new proposals, biometrics would be added to the statutory definition of "personal information" of COPPA.
- Express Written Data Retention Policies. The FTC proposes that online businesses be required to develop, implement, and publish written data retention policies specific to children's personal information, as well as a prohibition on indefinite retention of children's personal information.
- Establish, Implement, and Maintain Data Security Programs Specific to Children's Personal Information. The proposed rules would require online businesses to develop and maintain written data security programs that would include appropriate safeguards commensurate with the sensitivity of children's personal information collected by such businesses. Designated employees would oversee and coordinate these programs, conduct assessments at least annually, and implement updates as needed.
- Prohibition of Commercial Use of Children's Personal Information by Educational Technology Providers. New FTC rules would require educational technology providers to collect, use, and share children's personal information solely for school-authorized educational purposes, with an express prohibition on the use of such information by such providers for commercial purposes.
Based on these significant proposed updates to COPPA, any businesses operating websites or online services directed to children under 13 years of age, or having actual knowledge that they are collecting personal information online from a child under 13 years of age, should consult with data privacy and data security counsel to review and assess potential impacts on their businesses, as well as consider submitting comments to the FTC during the 60-day comment period following publication of the proposed rules in the Federal Register. If your company is interested in how the proposed COPPA rules may impact strategies or other best practices regarding policies, notices, and other procedures to comply with existing COPPA regulations, please contact Aldo M. Leiva or other members of Baker Donelson's Data Protection, Privacy, and Cybersecurity Team.