Explainer: COPPA Rule Proposed Changes

Jan 3, 2024 by Rukiya Bonner, Director, Children’s Advertising Review Unit (CARU); Debra Policarpo, Senior Counsel, CARU; Khoury Trombetta, Privacy Counsel, CARU, BBB National Programs

As we enter the new year, the Federal Trade Commission (FTC) has given us a lot to think about by publishing its proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. While the FTC does not propose many wholesale revisions to the COPPA Rule, it does call for some notable changes that would place more responsibility on providers and platforms to ensure digital privacy and safety for children. 

An underlying premise of the proposed changes seems to be that as technology evolves, protections must also. Accordingly, the FTC’s newest efforts seek to stop companies from exploiting children’s data for commercial gain.  

Proposed changes include expanding the definition of personal information, changes in connection with verifiable parental consent (VPC), and prohibiting companies from keeping children’s data indefinitely. 

Once the changes have been published in the Federal Register, a 60-day comment period will begin.

BBB National Programs’ CARU, the nation’s first and longest-running COPPA Safe Harbor, will submit timely and formal comments to the FTC. Meanwhile, please find a high-level explainer on what the FTC is proposing.

 

Expansion of the “Personal Information” Definition

When a company has actual knowledge (standard remains unchanged) that users under the age of 13 are interacting with their services, the company must take significant measures to protect children’s personal information (PI). 

Currently PI includes one’s full name, email address, street address, telephone number, persistent identifiers, geolocation, audio recordings, photos, and videos. If a company is collecting PI from a child (about that child or anyone), they must obtain VPC. 

Ten years ago, the definition of PI expanded to reflect cell phone usage in children, and the newest changes again reflect and adjust to new technology. Biometric information, including body movement, facial features, fingerprints or handprints, retina or iris patterns, genetic data, and data derived from voice data, gate data, or facial data will be considered PI with the proposed changes. 

This is certainly consistent with how children engage with technology, especially in gaming and Virtual Reality or Augmented Reality environments in the metaverse. 

 

Changes to Verifiable Parental Consent

The FTC’s changes provide increased options to satisfy the COPPA VPC requirement. New methods of obtaining VPC under the proposed changes would allow companies to collect consent through text messages, knowledge-based authentication (a series of questions too advanced for u13 users), and facial recognition in conjunction with a valid ID. Collecting a parent’s credit card information without an associated charge would satisfy the VPC requirement. Companies would no longer be required to charge parents a fee to confirm consent. 

For companies that share children’s data with advertisers or third parties, the proposed changes require those companies to obtain separate VPC prior to that disclosure. Further, access to the online services may not rely on this consent (i.e., parents should be able to provide VPC for their child to use the online service without having to consent to that data being disclosed to advertisers and other third parties).

 

Limitations to COPPA Exceptions

To the extent companies rely on the “Support for Internal Operations” exception (Section J, 5-8), the proposed rule would require operators to provide an online notice stating the internal operations purpose(s) for the collection and how they'll ensure the persistent identifier won't be used or disclosed to contact a specific individual, including through targeted advertising or to prompt/encourage a child to use their services. 

The proposed changes would also prohibit companies from being able to use contact information and persistent identifiers collected under COPPA’s multiple contact and support for internal operations exceptions to send push notifications and “nudges” to get children to stay online longer. 

 

New Security Requirements & Additional Required Documentation 

The proposed changes to the COPPA Rule would require companies to create, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children. 

In addition to requiring a written children’s personal information security program, the FTC proposes requiring companies to:

  • Designate employees to maintain the information security program;
  • Annually assess the information security program to identify any internal and external security risks to children’s data;
  • Safeguard against the risks identified;
  • Test and monitor the effectiveness of those safeguards; and
  • Make changes to the information security program to reflect the company’s assessment.

 

Additionally, to the extent companies share children’s data with other operators, service providers, or third parties, the FTC may require companies to take reasonable steps to determine whether those entities are maintaining reasonable data security over children’s data. Companies must obtain written assurances from these entities showing they can maintain the confidentiality, security, and integrity of the children’s data.

The FTC would further require companies to create, maintain, and publish a data retention policy for children’s data. In addition to a written retention policy, the FTC proposed changes that bar companies from retaining children’s data indefinitely, stating “children’s data may only be retained for as long as reasonably necessary for its intended purpose at the time of collection and the data cannot be used for additional purposes.”

 

What Hasn’t Changed

  • The proposed Rule does not increase the age of a “child.” Consistent with the COPPA statute, the Rule still applies to children under 13. 
  • The FTC rejected arguments for a constructive knowledge standard, as was proposed in the Kids’ Online Safety Act (KOSA) in 2023, and maintained the actual knowledge standard, relying on legislative history to point to Congress’ intent when passing COPPA.
  • The FTC will not allow operators to “rebut the presumption” that all users of child-directed content are children.
  • The FTC decided not to include “inferred data” in the definition of PI.
  • The FTC retained “persistent identifier” under the definition of PI.

 

Safe Harbor Requirements

The FTC’s proposed changes to the COPPA Rule seek to increase transparency and accountability for COPPA Safe Harbor programs, requiring additional responsibilities, including publicly disclosing their members. CARU takes great pride in providing COPPA protections to our safe harbor participants and we look forward to complying with the FTC’s new Rule changes and continuing to provide stellar service.

Suggested Articles

Blog

CFBAI and CCAI Publish the 2023 Annual Report on Participant Compliance and Program Progress

BBB National Programs has released the Children’s Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) 2023 Annual Report. The report notes excellent compliance by the 22 CFBAI participants and the six CCAI participants in 2023.
Read more
Blog

The Case for Teaching Industry Self-Regulation in Law, Business, and Public Policy Schools

Law schools, business schools, and public policy programs have a unique opportunity to shape the future of corporate behavior by teaching students the importance of soft law and independent industry self-regulation.
Read more
Blog

5 Missteps to Avoid When Applying or Recertifying to the DPF Program

Each year, participants in the DPF Program need to recertify with the Department of Commerce. To help companies navigate it, our Global Privacy Division has outlined five key recommendations to keep in mind to avoid common missteps with the process.
Read more
Blog

Sharing Holiday Cheer (but Not a Child’s Personal Information)

Not surprisingly, cell phones, connected toys, and toys advertised on social media top wish lists of kids everywhere. To help ensure your holiday shopping experiences are as safe as possible, the team at CARU put together some holiday tips.
Read more