Explainer: COPPA Rule Proposed Changes

Jan 3, 2024 by Rukiya Bonner, Director, Children’s Advertising Review Unit (CARU); Debra Policarpo, Senior Counsel, CARU; Khoury Trombetta, Privacy Counsel, CARU, BBB National Programs

As we enter the new year, the Federal Trade Commission (FTC) has given us a lot to think about by publishing its proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. While the FTC does not propose many wholesale revisions to the COPPA Rule, it does call for some notable changes that would place more responsibility on providers and platforms to ensure digital privacy and safety for children. 

An underlying premise of the proposed changes seems to be that as technology evolves, protections must evolve as well. Accordingly, the FTC’s newest efforts seek to stop companies from exploiting children’s data for commercial gain.

Proposed changes include expanding the definition of personal information, changes in connection with verifiable parental consent (VPC), and prohibiting companies from keeping children’s data indefinitely. 

Once the changes have been published in the Federal Register, a 60-day comment period will begin.

BBB National Programs’ CARU, the nation’s first and longest-running COPPA Safe Harbor, will submit timely and formal comments to the FTC. Meanwhile, please find a high-level explainer on what the FTC is proposing.

 

Expansion of the “Personal Information” Definition

When a company has actual knowledge (this standard remains unchanged) that users under the age of 13 are interacting with its services, the company must take significant measures to protect children’s personal information (PI).

Currently, PI includes one’s full name, email address, street address, telephone number, persistent identifiers, geolocation, audio recordings, photos, and videos. If a company is collecting PI from a child (about that child or anyone), it must obtain VPC.

Ten years ago, the definition of PI was expanded to reflect cell phone usage among children, and the newest changes again reflect and adjust to new technology. Under the proposed changes, biometric information, including body movement, facial features, fingerprints or handprints, retina or iris patterns, genetic data, and data derived from voice data, gait data, or facial data, will be considered PI.

This is certainly consistent with how children engage with technology, especially in gaming and Virtual Reality or Augmented Reality environments in the metaverse. 

 

Changes to Verifiable Parental Consent

The FTC’s changes provide increased options to satisfy the COPPA VPC requirement. New methods of obtaining VPC under the proposed changes would allow companies to collect consent through text messages, knowledge-based authentication (a series of questions too advanced for users under 13), and facial recognition in conjunction with a valid ID. Collecting a parent’s credit card information without an associated charge would satisfy the VPC requirement. Companies would no longer be required to charge parents a fee to confirm consent.

For companies that share children’s data with advertisers or third parties, the proposed changes require those companies to obtain separate VPC prior to that disclosure. Further, access to the online services may not rely on this consent (i.e., parents should be able to provide VPC for their child to use the online service without having to consent to that data being disclosed to advertisers and other third parties).

 

Limitations to COPPA Exceptions

To the extent companies rely on the “Support for Internal Operations” exception (Section J, 5-8), the proposed rule would require operators to provide an online notice stating the internal operations purpose(s) for the collection and how they'll ensure the persistent identifier won't be used or disclosed to contact a specific individual, including through targeted advertising or to prompt/encourage a child to use their services. 

The proposed changes would also prohibit companies from being able to use contact information and persistent identifiers collected under COPPA’s multiple contact and support for internal operations exceptions to send push notifications and “nudges” to get children to stay online longer. 

 

New Security Requirements & Additional Required Documentation 

The proposed changes to the COPPA Rule would require companies to create, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children. 

In addition to requiring a written children’s personal information security program, the FTC proposes requiring companies to:

  • Designate employees to maintain the information security program;
  • Annually assess the information security program to identify any internal and external security risks to children’s data;
  • Safeguard against the risks identified;
  • Test and monitor the effectiveness of those safeguards; and
  • Make changes to the information security program to reflect the company’s assessment.

 

Additionally, to the extent companies share children’s data with other operators, service providers, or third parties, the FTC may require companies to take reasonable steps to determine whether those entities are maintaining reasonable data security over children’s data. Companies must obtain written assurances from these entities showing they can maintain the confidentiality, security, and integrity of the children’s data.

The FTC would further require companies to create, maintain, and publish a data retention policy for children’s data. In addition to a written retention policy, the FTC proposed changes that bar companies from retaining children’s data indefinitely, stating “children’s data may only be retained for as long as reasonably necessary for its intended purpose at the time of collection and the data cannot be used for additional purposes.”

 

What Hasn’t Changed

  • The proposed Rule does not increase the age of a “child.” Consistent with the COPPA statute, the Rule still applies to children under 13. 
  • The FTC rejected arguments for a constructive knowledge standard, as was proposed in the Kids’ Online Safety Act (KOSA) in 2023, and maintained the actual knowledge standard, relying on legislative history to point to Congress’ intent when passing COPPA.
  • The FTC will not allow operators to “rebut the presumption” that all users of child-directed content are children.
  • The FTC decided not to include “inferred data” in the definition of PI.
  • The FTC retained “persistent identifier” under the definition of PI.

 

Safe Harbor Requirements

The FTC’s proposed changes to the COPPA Rule seek to increase transparency and accountability for COPPA Safe Harbor programs, requiring additional responsibilities, including publicly disclosing their members. CARU takes great pride in providing COPPA protections to our safe harbor participants and we look forward to complying with the FTC’s new Rule changes and continuing to provide stellar service.
