The New Face of Privacy: Why COPPA’s Expanded Definition of PII Matters
Charlie Germano, Counsel, Senior Technologist, Children's Advertising Review Unit, BBB National Programs
The Federal Trade Commission (FTC) recently updated the Children’s Online Privacy Protection Act (COPPA) Rule, and one change could have a major impact on how companies handle children’s data: The definition of personally identifiable information (PII) now explicitly includes biometric identifiers such as facial templates and faceprints.
In addition to fingerprints, voiceprints, and gait patterns, these new identifiers - facial templates, and faceprints - are now considered protected children’s data. This is significant, as these identifiers can uniquely recognize an individual even without a traditional photo or other obvious personal information.
For companies, this means rethinking how products are designed, how data is managed, and how they work with vendors. For school systems and teaching staff, this means rethinking what tools are used in the classroom. That is because biometric data is sensitive, permanent, and often invisible to both parents and children.
Understanding the new requirements is essential to protecting kids and staying compliant with the Rule.
In this blog, we will break down what facial templates and faceprints are, why they are significant, and what companies that collect personal information from children need to do to handle them responsibly under the amended COPPA Rule.
Figure: Photo and snippet of facial template generated from it.
Both facial templates and faceprints are data collected from an image that can be used to identify attributes of a face or the actual identity of the person in the photo even after the photo is deleted.
For example, an image of this child (left) can be used to generate a facial template unique to that child’s face (right). That facial template is the only data required to uniquely identify that child, as well as to infer dozens of attributes about them such as their gender, ethnicity, and mood.
Open source and commercial tools easily identify several hundred landmarks from a single photo, and 3D models can capture thousands and even tens of thousands of landmarks to generate a detailed model of a person’s face. It is possible to uniquely identify a person with as few as 20-30 landmarks, but the accuracy improves as the number of landmarks increases.
With the amended COPPA Rule, facial templates, faceprints, and other biometric identifiers are now firmly in the privacy spotlight. Companies must understand their responsibilities, ensure compliance, and partner with vendors who respect children’s privacy.
Need help? The Children's Advertising Review Unit, or CARU, is here to guide companies through these new requirements and keep children safe online. Remember to look for the COPPA Safe Harbor seal to confirm that products you use comply with COPPA.
Register Now: Join us for our upcoming webinar on The Truth Behind Age Estimation Technology for Children and Teens (October 16 at 2:00PM ET).
The Federal Trade Commission (FTC) recently updated the Children’s Online Privacy Protection Act (COPPA) Rule, and one change could have a major impact on how companies handle children’s data: The definition of personally identifiable information (PII) now explicitly includes biometric identifiers such as facial templates and faceprints.
In addition to fingerprints, voiceprints, and gait patterns, these new identifiers - facial templates, and faceprints - are now considered protected children’s data. This is significant, as these identifiers can uniquely recognize an individual even without a traditional photo or other obvious personal information.
For companies, this means rethinking how products are designed, how data is managed, and how they work with vendors. For school systems and teaching staff, this means rethinking what tools are used in the classroom. That is because biometric data is sensitive, permanent, and often invisible to both parents and children.
Understanding the new requirements is essential to protecting kids and staying compliant with the Rule.
In this blog, we will break down what facial templates and faceprints are, why they are significant, and what companies that collect personal information from children need to do to handle them responsibly under the amended COPPA Rule.
What Are Facial Templates and Faceprints?
Many privacy discussions in connection with personal information focus on names, email addresses, sound recordings, and photos, but biometric data now has its own special place under the new COPPA Rule.- A facial template is a mathematical model capturing the geometry of a face. Those data points, or “landmarks,” represent the location in terms of (X,Y) coordinates of facial features such as the person’s eyes, nose shape, and jawline.
- A Faceprint is a digital “signature” of a child’s face, like a fingerprint, that can identify a child.
Figure: Photo and snippet of facial template generated from it.
Both facial templates and faceprints are data collected from an image that can be used to identify attributes of a face or the actual identity of the person in the photo even after the photo is deleted.
For example, an image of this child (left) can be used to generate a facial template unique to that child’s face (right). That facial template is the only data required to uniquely identify that child, as well as to infer dozens of attributes about them such as their gender, ethnicity, and mood.
Open source and commercial tools easily identify several hundred landmarks from a single photo, and 3D models can capture thousands and even tens of thousands of landmarks to generate a detailed model of a person’s face. It is possible to uniquely identify a person with as few as 20-30 landmarks, but the accuracy improves as the number of landmarks increases.
Why This Matters
Only a few years ago, access to technology to perform facial analysis or facial recognition was limited to well-resourced teams with deep expertise. Now, open source and commercial tools are widely available and can be easily used by individuals with little to no training. This technology makes it easy to create facial templates or faceprints from a photo of a child, which can then be used to identify or infer attributes about the child even after the original photo is deleted.Responsibilities Under the Amended COPPA Rule
Under the amended COPPA Rule, if you collect, use, or disclose children’s biometric data, you must treat it like you treat any other personal information.- You must obtain verifiable parental consent (VPC) before collecting biometric identifiers just like you do if you collect a child’s name or phone number.
- You must provide clear, comprehensive privacy notices explaining how the data is used, and if a parent asks to view or delete their child’s personal data, you must include this data as part of their request.
- Rules on data retention that apply to all other children’s personal information apply to biometric data as well.
- You are responsible for ensuring that any vendors or third parties you share this data with also comply with COPPA.
Steps To Take Now
Being proactive is the best way to stay compliant.- Audit Data Practices: Identify all sources of faceprints and facial templates, including apps, devices, or third-party tools. Follow the data through its entire lifecycle, from collection and processing to sharing and deletion according to your published retention policy.
- Update Privacy Policies: Clearly disclose your collection of faceprints and facial templates. Where applicable, also disclose any third parties that data is shared with and for what purposes.
- Review Third-Party Agreements: Ensure vendors comply with COPPA’s requirements. You are responsible for how third parties use children’s personal information you share with them.
- Implement VPC Mechanisms: Make consent verifiable in easily understood language. There are several methods to obtain parental consent under COPPA, including newly approved methods such as text messages and knowledge-based authentication (KBA).
- Update Data Subject Access Request (DSAR) Processes: When a parent asks to review personal information provided by or about their child, ensure that your internal processes include biometric data such as faceprints and facial templates as part of that request.
- Train Staff: Educate any of your team members who are involved in the collection, access, and processing of this data on the scope of handling children’s personal information.
With the amended COPPA Rule, facial templates, faceprints, and other biometric identifiers are now firmly in the privacy spotlight. Companies must understand their responsibilities, ensure compliance, and partner with vendors who respect children’s privacy.
Need help? The Children's Advertising Review Unit, or CARU, is here to guide companies through these new requirements and keep children safe online. Remember to look for the COPPA Safe Harbor seal to confirm that products you use comply with COPPA.
Register Now: Join us for our upcoming webinar on The Truth Behind Age Estimation Technology for Children and Teens (October 16 at 2:00PM ET).