Explainer: COPPA Rule Proposed Changes

Jan 3, 2024 by Rukiya Bonner, Director, Children’s Advertising Review Unit (CARU); Debra Policarpo, Senior Counsel, CARU; Khoury Trombetta, Privacy Counsel, CARU, BBB National Programs

As we enter the new year, the Federal Trade Commission (FTC) has given us a lot to think about by publishing its proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. While the FTC does not propose many wholesale revisions to the COPPA Rule, it does call for some notable changes that would place more responsibility on providers and platforms to ensure digital privacy and safety for children. 

An underlying premise of the proposed changes seems to be that as technology evolves, protections must evolve as well. Accordingly, the FTC’s newest efforts seek to stop companies from exploiting children’s data for commercial gain.

Proposed changes include expanding the definition of personal information, changes in connection with verifiable parental consent (VPC), and prohibiting companies from keeping children’s data indefinitely. 

Once the changes have been published in the Federal Register, a 60-day comment period will begin.

BBB National Programs’ CARU, the nation’s first and longest-running COPPA Safe Harbor, will submit timely and formal comments to the FTC. Meanwhile, please find a high-level explainer on what the FTC is proposing.

 

Expansion of the “Personal Information” Definition

When a company has actual knowledge (the standard remains unchanged) that users under the age of 13 are interacting with its services, the company must take significant measures to protect children’s personal information (PI).

Currently PI includes one’s full name, email address, street address, telephone number, persistent identifiers, geolocation, audio recordings, photos, and videos. If a company is collecting PI from a child (about that child or anyone), it must obtain VPC.

Ten years ago, the definition of PI expanded to reflect cell phone usage among children, and the newest changes again reflect and adjust to new technology. Biometric information, including body movement, facial features, fingerprints or handprints, retina or iris patterns, genetic data, and data derived from voice data, gait data, or facial data will be considered PI with the proposed changes.

This is certainly consistent with how children engage with technology, especially in gaming and Virtual Reality or Augmented Reality environments in the metaverse. 

 

Changes to Verifiable Parental Consent

The FTC’s changes provide increased options to satisfy the COPPA VPC requirement. New methods of obtaining VPC under the proposed changes would allow companies to collect consent through text messages, knowledge-based authentication (a series of questions too advanced for users under 13), and facial recognition in conjunction with a valid ID. Collecting a parent’s credit card information without an associated charge would satisfy the VPC requirement. Companies would no longer be required to charge parents a fee to confirm consent.

For companies that share children’s data with advertisers or third parties, the proposed changes require those companies to obtain separate VPC prior to that disclosure. Further, access to the online services may not rely on this consent (i.e., parents should be able to provide VPC for their child to use the online service without having to consent to that data being disclosed to advertisers and other third parties).

 

Limitations to COPPA Exceptions

To the extent companies rely on the “Support for Internal Operations” exception (Section J, 5-8), the proposed rule would require operators to provide an online notice stating the internal operations purpose(s) for the collection and how they'll ensure the persistent identifier won't be used or disclosed to contact a specific individual, including through targeted advertising or to prompt/encourage a child to use their services. 

The proposed changes would also prohibit companies from being able to use contact information and persistent identifiers collected under COPPA’s multiple contact and support for internal operations exceptions to send push notifications and “nudges” to get children to stay online longer. 

 

New Security Requirements & Additional Required Documentation 

The proposed changes to the COPPA Rule would require companies to create, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children. 

In addition to requiring a written children’s personal information security program, the FTC proposes requiring companies to:

  • Designate employees to maintain the information security program;
  • Annually assess the information security program to identify any internal and external security risks to children’s data;
  • Safeguard against the risks identified;
  • Test and monitor the effectiveness of those safeguards; and
  • Make changes to the information security program to reflect the company’s assessment.

 

Additionally, to the extent companies share children’s data with other operators, service providers, or third parties, the FTC may require companies to take reasonable steps to determine whether those entities are maintaining reasonable data security over children’s data. Companies must obtain written assurances from these entities showing they can maintain the confidentiality, security, and integrity of the children’s data.

The FTC would further require companies to create, maintain, and publish a data retention policy for children’s data. In addition to a written retention policy, the FTC proposed changes that bar companies from retaining children’s data indefinitely, stating “children’s data may only be retained for as long as reasonably necessary for its intended purpose at the time of collection and the data cannot be used for additional purposes.”

 

What Hasn’t Changed

  • The proposed Rule does not increase the age of a “child.” Consistent with the COPPA statute, the Rule still applies to children under 13. 
  • The FTC rejected arguments for a constructive knowledge standard, as was proposed in the Kids’ Online Safety Act (KOSA) in 2023, and maintained the actual knowledge standard, relying on legislative history to point to Congress’ intent when passing COPPA.
  • The FTC will not allow operators to “rebut the presumption” that all users of child-directed content are children.
  • The FTC decided not to include “inferred data” in the definition of PI.
  • The FTC retained “persistent identifier” under the definition of PI.

 

Safe Harbor Requirements

The FTC’s proposed changes to the COPPA Rule seek to increase transparency and accountability for COPPA Safe Harbor programs, requiring additional responsibilities, including publicly disclosing their members. CARU takes great pride in providing COPPA protections to our safe harbor participants and we look forward to complying with the FTC’s new Rule changes and continuing to provide stellar service.
