FTC NPR to Children’s Online Privacy (COPPA)

KPMG Regulatory Insights

• Privacy Expands: After over a decade, privacy protection rules for children see proposed amendments.
• Collection of Personal Information: Significant changes proposed in the collection of children’s personal information.
• Data Security and Retention: Heightened standards to show ‘reasonable need’ for use/retention and security based on data sensitivity.
• Burden on Providers: The FTC states that “the proposal aims to shift the burden from parents to providers to ensure that digital services are safe and secure for children”.  

 _____________________________________________________________________________________________________________________________________________________

January 2024

In line with regulatory focus around "big tech", data use/access and data security, the Federal Trade Commission (FTC or “Commission”) issues a notice of proposed rulemaking (NPR) to amend its rule implementing the Children’s Online Privacy Protection Act (COPPA), which requires websites and online services to obtain verifiable parental consent before collecting, using, or disclosing children's personal information (the rule was last updated in 2013).

Key amendments proposed by the FTC include:

1. Definition changes to “personal information”, “online contact information”, and “Website or online service directed to children”
2. Additional requirements for the "support for internal operations" exemption
3. Parental consent mechanisms and disclosures to third parties
4. Codifying the school authorization exception
5. Data retention limits
6. Enhanced data security requirements
7. Safe Harbor programs reporting requirements

1.  Definition changes. Proposed definition changes to the FTC’s Children's Online Privacy Protection Rule (COPPA Rule) such as:

• Expanding the definition of "personal information" to include biometric identifiers such as fingerprints, retina and iris patterns, DNA sequences, and data derived from voice data, gait data, or facial data.
• Expanding the definition of "online contact information" to include mobile telephone numbers, with the qualifier "provided the operator uses it only to send a text message."
• Modifying the definition of “Website or online service directed to children”, including changes to remove the word “directly” from the current definition: “a website or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children”. 

The FTC states these proposed modifications aim to clarify the scope, strengthen the protections of the COPPA Rule in response to evolving technology and online practices as well as to address potential compliance “loopholes”. 

2.  Additional requirements for the “support for internal operations” exemption. The COPPA Rule currently exempts from its notice and consent requirements operators of online services that collect persistent identifiers only for the purpose of “providing support for the internal operations of the website or online service.” The proposed amendments would change this by requiring operators of online services currently exempt from obtaining parental consent to provide notice specifying how collected data is used and prohibiting operators from using or disclosing persistent identifiers to “maximize user engagement” including “sending notifications to prompt the child to engage with the site or service, without verifiable parental consent”.

3.  Parental consent mechanisms and disclosures to third parties. The Commission proposes adding knowledge-based authentication and facial recognition technology as additional methods to verify parental consent. Further, updated disclosure requirements entail:

• Requiring operators to provide more information in their direct and online notices about their information practices.
• Requiring operators using the support for the internal operations exception to provide an online notice.
• Requiring operators disclosing information to third parties to “obtain separate verifiable parental consent for such disclosures unless they are integral to the website or service’s nature” (note: this requirement would apply to disclosures of persistent identifiers for targeted advertising purposes).

4.  Codifying the school authorization exception. The proposed school authorization exception would require operators that collect personal information from children under the school authorization exception to provide an additional notice on their website or online service disclosing that: (1) they obtained authorization from a school to collect a child’s personal information; (2) they will use and disclose the information for only a school-authorized education purpose; and (3) the school may review and request deletion of information collected from a child.

Further, the FTC proposes to prohibit commercial use of children’s information and implement additional safeguards as it relates to the use education technology (ed tech). “The proposed rule would allow schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information but only for a school-authorized educational purpose and not for any commercial purpose”.

5.  Data retention limits. Under the proposal, the Commission expands on current data minimization requirements, which “prohibit an operator from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more personal information than is reasonably necessary to participate in such activity”, by proposing:

• To clarify that operators can retain personal information for only as long as is reasonably needed for the specific purpose for which it was collected. Operators must delete the information when it is no longer reasonably needed for that purpose and may not retain the information indefinitely.
• To require operators to establish and maintain a written data retention policy specifying their business need for retaining children's personal information and their timeframe for deleting it. This measure is intended to reinforce data minimization requirements and preclude operators from retaining such information indefinitely.

6.  Enhanced data security requirements. Additional data security requirements proposed by the FTC will require operators to at minimum “establish, implement, and maintain a written comprehensive security program containing safeguards appropriate to the sensitivity of children's information and considering the operator's size, complexity, and the nature and scope of its activities”. These requirements are modelled on the Commission’s original Safeguards Rule implemented under the Gramm-Leach-Bliley Act (GLBA).

7.  Safe Harbor program reporting requirements. In an effort to increase transparency and accountability of COPPA Safe Harbor programs, the Commission proposes requiring FTC-approved COPPA Safe Harbor programs to:

• Identify each subject operator and all approved websites or online services in the program, as well as all subject operators that have left the program.
• Provide, in addition to existing requirements:
  • A narrative description of the program’s business model, including whether it provides additional services to subject operators, such as training.
  • Copies of each consumer complaint related to each subject operator’s violation of an FTC-approved COPPA Safe Harbor program’s guidelines.
  • A description of the process for determining whether a subject operator is subject to discipline.         

Comment period. Public comments on the proposed changes must be submitted by March 11, 2024.