Children’s information protection has always been a central priority in the field of privacy protection. In 2019, TikTok (formerly Musical.ly) was accused of illegally collecting children’s data and ultimately agreed to pay $5.7 million to settle with the U.S. Federal Trade Commission (FTC). During the TikTok hearing held by the U.S. House of Representatives in March this year, the protection of minors online was also a key focus of lawmakers’ questioning.
The Children’s Online Privacy Protection Act of 1998 (COPPA) aims to safeguard the safety and privacy of children under the age of 13 by prohibiting websites and online service providers from collecting children’s personal information without authorization or necessity. The COPPA Rule requires that websites and online service providers collecting personal information from children under 13 must provide notice to parents and obtain verifiable parental consent. The rule also restricts how long such entities may retain children’s data and requires that children’s data be kept secure.
In 2019, the FTC initiated its most recent review of the COPPA Rule. On December 20, 2023, the FTC issued a notice seeking public comments on proposed amendments to the rule. The proposed revisions introduce new restrictions on the use and disclosure of children’s personal information and further limit companies from monetizing children’s data as a condition for providing services. The proposed amendments also shift the responsibility for protecting children’s online privacy from guardians to service providers.
The proposed revisions to the COPPA Rule mainly include the following aspects:
(1) Separate Opt-In Requirement for Targeted Advertising
Building upon the existing consent requirements in Section 312.5, operators of websites and online services covered by COPPA must obtain separate verifiable parental consent before disclosing children’s personal information to third parties, including third-party advertisers, unless the disclosure is integral to the provision of the service.
Companies may not condition access to services on a child’s agreement to allow disclosure of personal information to third parties.
(2) Prohibition on Conditioning Participation on Data Collection
The proposal reinforces the existing rule that operators may not require children to provide more personal information than is reasonably necessary to participate in an activity such as playing a game, receiving a prize, or accessing another service.
(3) Restrictions on the Internal Operations Exception
Currently, the COPPA Rule allows operators to collect persistent identifiers without prior verifiable parental consent, provided that no other personal information is collected and the identifiers are used solely to support the internal operations of a website or online service.
The proposed amendments would require operators relying on this exception to publish clear notices describing:
The specific internal operations for which persistent identifiers are collected; and
The methods used to ensure such identifiers are not used to contact specific individuals or for purposes such as targeted advertising.
(4) Restrictions on Encouraging Excessive Online Engagement
Operators would be prohibited from using collected online contact information or persistent identifiers to push messages that encourage children to increase their use of the service.
(5) Changes Related to Educational Technology
The proposed rule prohibits educational technology companies from using children’s personal information collected through educational services for commercial purposes and requires additional safeguards for such data.
(6) Increased Accountability for Safe Harbor Programs
The proposed amendments would strengthen transparency and accountability within COPPA Safe Harbor Programs, including requirements that each program disclose its list of participating members and provide additional reporting to the FTC regarding program operations.
(7) Enhanced Data Security Requirements
The FTC proposes strengthening COPPA’s data security requirements by requiring operators to implement a comprehensive information security program appropriate to the sensitivity of children’s personal information collected.
(8) Data Retention Limitations
The FTC proposes stronger limitations on data retention by requiring that personal information be retained only for as long as necessary to fulfill the specific purpose for which it was collected.
The proposal also prohibits operators from using retained data for secondary purposes and clarifies that operators may not retain children’s information indefinitely. Operators would also be required to establish and publicly disclose data retention policies for children’s personal information.
In addition, the FTC proposes revisions to several definitions within the rule, including expanding the definition of “personal information” to include biometric identifiers.
The FTC also clarified that when determining whether a website or online service is directed to children, it will consider multiple factors, including:
marketing materials,
representations made to consumers or third parties,
user or third-party reviews,
and the age demographics of users of similar services.
Proposed COPPA Rule Amendments (Public Comment Draft):
https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf