Explainer: COPPA Rule Proposed Changes

Jan 3, 2024 by Rukiya Bonner, Director, Children’s Advertising Review Unit (CARU); Debra Policarpo, Senior Counsel, CARU; Khoury Trombetta, Privacy Counsel, CARU, BBB National Programs

As we enter the new year, the Federal Trade Commission (FTC) has given us a lot to think about by publishing its proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. While the FTC does not propose many wholesale revisions to the COPPA Rule, it does call for some notable changes that would place more responsibility on providers and platforms to ensure digital privacy and safety for children. 

An underlying premise of the proposed changes seems to be that as technology evolves, protections must also. Accordingly, the FTC’s newest efforts seek to stop companies from exploiting children’s data for commercial gain.  

Proposed changes include expanding the definition of personal information, changes in connection with verifiable parental consent (VPC), and prohibiting companies from keeping children’s data indefinitely. 

Once the changes have been published in the Federal Register, a 60-day comment period will begin.

BBB National Programs’ CARU, the nation’s first and longest-running COPPA Safe Harbor, will submit timely and formal comments to the FTC. Meanwhile, please find a high-level explainer on what the FTC is proposing.

 

Expansion of the “Personal Information” Definition

When a company has actual knowledge (standard remains unchanged) that users under the age of 13 are interacting with their services, the company must take significant measures to protect children’s personal information (PI). 

Currently PI includes one’s full name, email address, street address, telephone number, persistent identifiers, geolocation, audio recordings, photos, and videos. If a company is collecting PI from a child (about that child or anyone), they must obtain VPC. 

Ten years ago, the definition of PI expanded to reflect cell phone usage in children, and the newest changes again reflect and adjust to new technology. Biometric information, including body movement, facial features, fingerprints or handprints, retina or iris patterns, genetic data, and data derived from voice data, gait data, or facial data will be considered PI with the proposed changes. 

This is certainly consistent with how children engage with technology, especially in gaming and Virtual Reality or Augmented Reality environments in the metaverse. 

 

Changes to Verifiable Parental Consent

The FTC’s changes provide increased options to satisfy the COPPA VPC requirement. New methods of obtaining VPC under the proposed changes would allow companies to collect consent through text messages, knowledge-based authentication (a series of questions too advanced for users under 13), and facial recognition in conjunction with a valid ID. Collecting a parent’s credit card information without an associated charge would satisfy the VPC requirement. Companies would no longer be required to charge parents a fee to confirm consent. 

For companies that share children’s data with advertisers or third parties, the proposed changes require those companies to obtain separate VPC prior to that disclosure. Further, access to the online services may not rely on this consent (i.e., parents should be able to provide VPC for their child to use the online service without having to consent to that data being disclosed to advertisers and other third parties).

 

Limitations to COPPA Exceptions

To the extent companies rely on the “Support for Internal Operations” exception (Section J, 5-8), the proposed rule would require operators to provide an online notice stating the internal operations purpose(s) for the collection and how they'll ensure the persistent identifier won't be used or disclosed to contact a specific individual, including through targeted advertising or to prompt/encourage a child to use their services. 

The proposed changes would also prohibit companies from being able to use contact information and persistent identifiers collected under COPPA’s multiple contact and support for internal operations exceptions to send push notifications and “nudges” to get children to stay online longer. 

 

New Security Requirements & Additional Required Documentation 

The proposed changes to the COPPA Rule would require companies to create, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children. 

In addition to requiring a written children’s personal information security program, the FTC proposes requiring companies to:

  • Designate employees to maintain the information security program;
  • Annually assess the information security program to identify any internal and external security risks to children’s data;
  • Safeguard against the risks identified;
  • Test and monitor the effectiveness of those safeguards; and
  • Make changes to the information security program to reflect the company’s assessment.

 

Additionally, to the extent companies share children’s data with other operators, service providers, or third parties, the FTC may require companies to take reasonable steps to determine whether those entities are maintaining reasonable data security over children’s data. Companies must obtain written assurances from these entities showing they can maintain the confidentiality, security, and integrity of the children’s data.

The FTC would further require companies to create, maintain, and publish a data retention policy for children’s data. In addition to a written retention policy, the FTC proposed changes that bar companies from retaining children’s data indefinitely, stating “children’s data may only be retained for as long as reasonably necessary for its intended purpose at the time of collection and the data cannot be used for additional purposes.”

 

What Hasn’t Changed

  • The proposed Rule does not increase the age of a “child.” Consistent with the COPPA statute, the Rule still applies to children under 13. 
  • The FTC rejected arguments for a constructive knowledge standard, as was proposed in the Kids’ Online Safety Act (KOSA) in 2023, and maintained the actual knowledge standard, relying on legislative history to point to Congress’ intent when passing COPPA.
  • The FTC will not allow operators to “rebut the presumption” that all users of child-directed content are children.
  • The FTC decided not to include “inferred data” in the definition of PI.
  • The FTC retained “persistent identifier” under the definition of PI.

 

Safe Harbor Requirements

The FTC’s proposed changes to the COPPA Rule seek to increase transparency and accountability for COPPA Safe Harbor programs, requiring additional responsibilities, including publicly disclosing their members. CARU takes great pride in providing COPPA protections to our safe harbor participants and we look forward to complying with the FTC’s new Rule changes and continuing to provide stellar service.
