As laid out in our earlier blog post, part of Ropes & Gray’s Data, Privacy & Cybersecurity Group’s “12 Days of Data” series, one thing to look out for in 2024 is an update from the Federal Trade Commission (FTC) on its Children’s Online Privacy Protection Act Rule (COPPA Rule) review. Well, we did not have to wait until 2024. On December 20, 2023, the FTC announced proposed changes to the COPPA Rule.
The Notice of Proposed Rulemaking (NPRM) is the culmination of a process that began on July 25, 2019, when the FTC first solicited comments on the current version of the COPPA Rule, adopted in 2013. The NPRM seeks comments on the proposed changes, as well as on some related questions, within 60 days of publication in the Federal Register (the deadline will likely fall in late February).
The NPRM proposes a series of significant changes detailed below:
Conditioning Participation in an Activity
- Reinforces the prohibition on operators collecting more personal information than is reasonably necessary for a child to participate in a game, the offering of a prize, or another activity. This prohibition applies even if the operator obtains consent.
- Further, the FTC is soliciting comment on defining “activity” as “any activity offered by a website or online service, whether that activity is a subset or component of the website or online service or is the entirety of the website or online service.”
Separate Parental Consent for Disclosures Including for Advertising
- Requires the operator to obtain separate verifiable parental consent for disclosures of a child’s personal information unless such disclosures are integral to the nature of the website or online service. This includes disclosure of persistent identifiers for targeted advertising purposes, as well as disclosure of other personal information for marketing or other purposes. Additionally, operators may not condition access to the website or online service on obtaining such consent.
Additional Parental Consent Mechanisms
- Adds two parental consent methods that the FTC has already approved under the Rule’s method-approval process: knowledge-based authentication and the use of facial recognition technology.
- The use of facial recognition technology as a parental consent mechanism is distinct from the use of facial age-estimation technology as a parental consent mechanism, on which the FTC solicited comments this past July.
Data Security Requirements
- Significantly expands the COPPA Rule’s data security requirements, including: designating an employee to coordinate the information security program; identifying risks to the confidentiality, security, and integrity of personal information collected from children and performing additional risk assessments at least annually; designing, implementing, and maintaining safeguards to control any identified risks, and testing and monitoring the effectiveness of those safeguards; and evaluating and modifying the information security program at least annually.
- Further, operators must obtain written (not verbal or other) assurances from third parties or other operators that they will employ reasonable measures to maintain the confidentiality, security, and integrity of the information they receive from the operator.
School Authorization for Ed-Tech Providers
- Codifies existing FTC guidance, which states that schools, state educational agencies, and local educational agencies may authorize the collection of personal information from students younger than 13 (in lieu of parental consent) where the data is used for a school-authorized education purpose and no other commercial purpose.
- A school-authorized education purpose includes product improvement and development (as well as other uses related to the operation of the product, including maintaining, supporting, or diagnosing the service), provided the use is directly related to the service the school authorized.
- Requires the written agreement between the ed-tech provider and the school to identify the name and title of the person providing consent and specify that the school has authorized the person to provide such consent.
- Operators that collect personal information from a child under school authorization must include an additional notice on their website or online service.
- Requires operators to provide schools with the right to review personal information collected from a child, to refuse to permit the operator’s further use or future online collection of personal information, and to direct the operator to delete such information.
Scope of Coverage
- No changes to the actual knowledge standard (the FTC did not adopt a constructive knowledge standard).
- Expands the scope of the “website or online service directed to children” definition to include entities that have actual knowledge that they receive children’s personal information but do not collect that information directly from users of a child-directed site or service.
- Additionally, the FTC is seeking comment on whether it should provide an exemption under which an operator’s site or service would not be deemed child-directed if the operator undertakes an analysis of the site’s or service’s audience composition and determines that no more than a specific percentage of its users are likely to be children under 13.
- The NPRM adds a standalone definition of “mixed audience website or online service” instead of including it as part of the “website or online service directed to children” definition. As with the current rule, mixed audience services are directed to children, but do not target children as their primary audience.
- Further, consistent with the current rule, mixed audience services must not collect personal information from any visitor before collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.
- The new definition also codifies FTC staff guidance, which states that any collection of age information, or other means of determining whether a visitor is a child, must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information.
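As an added illustration of the neutral age screen described above (this is example code written for this post, not part of the NPRM or any FTC material), the JavaScript below shows a non-neutral age gate beside a neutral one and a strict server-side decision function. Function and field names such as `renderNeutralAgeGate`, `classifyVisitor` and `dob` are assumptions for this example, and the markup and sample dates are constructed.

```javascript
// Added example: neutral age screening for a mixed-audience service.
// Names here (renderNeutralAgeGate, classifyVisitor, the "dob" field) are
// assumptions for this illustration, not published FTC or vendor code.

// COPPA defines a "child" as an individual under 13.
const CHILD_AGE_LIMIT = 13;

// Non-neutral pattern (do not ship): a preselected adult year and a visible
// threshold tell a child exactly what to enter to get through.
function renderNonNeutralAgeGate() {
  return [
    '<p>You must be 13 or older to use this site.</p>',
    '<select name="year"><option selected>2000</option><option>2015</option></select>',
  ].join('\n');
}

// Neutral pattern: no default value, no mention of the threshold, and a full
// date of birth rather than a yes/no question the visitor can guess.
function renderNeutralAgeGate() {
  return [
    '<p>Please enter your date of birth.</p>',
    '<input type="text" name="dob" inputmode="numeric" placeholder="YYYY-MM-DD" autocomplete="off" required>',
  ].join('\n');
}

// Crude lint for the two neutrality failures above: a preselected default and
// a disclosed threshold. Returns a list of problems found (empty if none).
function neutralityProblems(markup) {
  const problems = [];
  if (/\bselected\b|\bchecked\b|value="/i.test(markup)) problems.push('preselected default');
  if (/\b(1[3-9]|2[01])\b|or older|must be|under \d+/i.test(markup)) problems.push('threshold disclosed');
  return problems;
}

// Strict YYYY-MM-DD parsing in UTC. Lenient Date parsing would accept
// "2010-02-30" (rolling it into March), so the result is round-trip checked.
function parseDob(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(s).trim());
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) return null;
  return dt;
}

// Age in whole years on `today`. Someone born exactly 13 years ago today is
// 13; a Feb 29 birthday counts as passed on Mar 1 in non-leap years.
function ageInYears(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayPassed =
    today.getUTCMonth() > dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() >= dob.getUTCDate());
  if (!birthdayPassed) age -= 1;
  return age;
}

// Server-side decision: 'child', 'not_child', or 'invalid'. Malformed or
// future dates are rejected rather than silently treated as an adult, and a
// 'child' result means no personal information may be collected from this
// visitor until verifiable parental consent is obtained.
function classifyVisitor(dobString, today = new Date()) {
  const dob = parseDob(dobString);
  if (dob === null || dob > today) return 'invalid';
  return ageInYears(dob, today) < CHILD_AGE_LIMIT ? 'child' : 'not_child';
}

module.exports = { renderNonNeutralAgeGate, renderNeutralAgeGate, neutralityProblems, parseDob, ageInYears, classifyVisitor };
```

The decision is computed on the server from the submitted date, not from a client-side flag, and the date arithmetic is done in UTC so the result does not change with the visitor’s time zone on the day of a birthday.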
Data Retention and Deletion
- Clarifies that operators may retain personal information for only as long as is reasonably necessary for the specific purpose for which it was collected, and not for any secondary purpose.
- Operators must establish and maintain a written data retention policy specifying their business need for retaining children’s personal information and their timeframe for deleting it.
- Operators cannot retain information indefinitely.
COPPA Safe Harbor Programs
- Requires FTC-approved COPPA Safe Harbor programs to identify each subject operator and all approved websites or online services in the program, as well as all subject operators that have left the program.
- Further, requires an FTC-approved COPPA Safe Harbor program to provide: a narrative description of the program’s business model, including whether it provides additional services to subject operators, such as training; copies of each consumer complaint related to each subject operator’s violation of an FTC-approved COPPA Safe Harbor program’s guidelines; and a description of the process for determining whether a subject operator is subject to discipline.
- Requires submission of triennial reports that provide details on compliance with the new disclosure requirements.
Online Contact Information
- The NPRM adds mobile telephone numbers to the non-exhaustive list of online contact information identifiers, provided the operator uses the number only to send a text message.
Online Notification of Persistent Identifiers
- Requires operators collecting persistent identifiers without consent under the support for internal operations exception to provide an online notice that states the specific internal operations for which the operator has collected the persistent identifier and describes the means it uses to ensure that it does not use or disclose the persistent identifier to contact a specific individual.
Restrictions on Engagement and Nudging
- Restricts operators that collect data without parental consent under an exception from using or disclosing personal information in connection with processes, including machine learning processes, that encourage or prompt use of a website or online service.
- The FTC is soliciting comments on whether there are other engagement techniques the COPPA Rule should address as well as whether and how the COPPA Rule should differentiate between techniques used solely to promote a child’s engagement with the website or online service and those techniques that provide other functions, such as to personalize the child’s experience on the website or online service.
Direct Notice to Parents
- Requires that operators sharing personal information with third parties identify to parents the third parties as well as the purposes for such sharing.
- The NPRM allows operators to disclose the categories of third parties with which the operator shares data rather than identifying each individual entity.
Audio Files Containing a Child’s Voice
- Codifies an enforcement policy that allows for the collection, without parental consent, of an audio file containing a child’s voice, and no other personal information, for use in responding to a child’s specific request, where the operator does not use such information for any other purpose, does not disclose it, and deletes it immediately after responding to the child’s request.
- The operator must describe how it uses the audio files and represent that it deletes such files immediately after responding to the request for which the files were collected.
Additional Questions Soliciting Comments
There were also a few additional questions for which the FTC is soliciting comments including, but not limited to:
- Should screen or user names be treated as online contact information, even if the screen or user name does not allow one user to contact another user through the operator’s website or online service, when the screen or user name could enable one user to contact another by assuming that the user to be contacted is using the same screen or user name on another website or online service that does allow such contact?
- Should an avatar generated from a child’s image constitute “personal information” under the COPPA Rule even if the photograph of the child is not itself uploaded to the site or service and no other personal information is collected from the child? If so, are these avatars sufficiently covered under the current COPPA Rule, or are further modifications to the definition required to cover avatars generated from a child’s image?
* * *
As a result of these proposed changes, it is a good time for companies that may be covered by COPPA to review their compliance and assess how any of the above amendments to the COPPA Rule will affect their programs. The various proposals that expand consent requirements and limit exceptions should receive particular attention as they may impact how companies obtain verifiable parental consent for advertising purposes. It will also be wise for companies to review the updated provisions on conditioning participation in an activity, data retention, and deletion because these provisions would impose compliance obligations that go beyond obtaining verifiable parental consent. Additionally, the FTC is proposing a significant expansion of its enumerated cybersecurity requirements, so companies will want to investigate whether their existing cybersecurity programs comply with the proposals. Companies wishing to comment on the proposed rule should be prepared to submit any comments in advance of the late February deadline.
After a blockbuster year for COPPA enforcement in 2023, the FTC is poised to continue enforcement actions in 2024. It is also likely that the FTC will release more details on the Commercial Surveillance and Data Security Rulemaking which includes a section on “Harms to Children” that will have implications for the COPPA Rule. We will be watching for these and other developments. Subscribe to RopesDataPhiles.com to receive updates by email.