Protecting children's information has always been a top priority in privacy protection. In 2019, TikTok (formerly Musical.ly) was accused of illegally collecting children's information. Ultimately, TikTok agreed to pay $5.7 million to settle with the U.S. Federal Trade Commission. At the TikTok hearing convened by the U.S. House of Representatives this March, online protection for teenagers was also a focal point of lawmakers' inquiries.
The Children's Online Privacy Protection Act (COPPA) of 1988 aims to safeguard the safety and privacy of children under 13 by prohibiting websites and online service providers from collecting personal information from children without permission or necessity. COPPA regulations require websites and online service providers collecting personal information from users under 13 to notify parents and obtain verifiable parental consent. The rules also limit how long such entities may retain collected children's data and mandate safeguards for its security.
In 2019, the U.S. FTC initiated a review of the COPPA rules. On December 20, 2023, the FTC issued a notice seeking public comment on proposed amendments to the COPPA rules. The proposed revisions impose new restrictions on the use and disclosure of children's personal information, further limiting companies' ability to monetize children's data as a condition for providing services. The proposed amendments shift the responsibility for safeguarding children's online privacy from guardians to service providers.
Key revisions to COPPA under the proposed rules include:
(1) Requiring separate opt-in for targeted advertising: Building upon existing consent requirements in Section 312.5, operators of websites and online services covered by COPPA must now obtain separate, verifiable parental consent to disclose information to third parties (including third-party advertisers), unless providing children’s user data is an essential part of the website or online service. Companies cannot condition service provision on disclosure of personal information to third parties.
(2) Prohibition on conditioning participation on personal information collection: The proposal strengthens existing prohibitions against conditioning participation in activities on collecting personal data, clarifying that this extends beyond what is reasonably necessary for children to play games, receive prizes, or obtain other benefits.
(3) Restrictions on Internal Operations Exceptions: Current COPPA rules permit operators to collect children's persistent identifiers without prior verifiable parental consent, provided no other personal information is collected and the persistent identifiers are used solely to support the internal operations of the website or online service.
The proposed rules require operators applying this exception to publicly disclose specific internal operations for collecting persistent identifiers and methods ensuring such identifiers are not used to contact specific subjects (including for targeted advertising).
(4) Restrictions on encouraging children's continued online engagement: Operators are prohibited from using collected online contact information and persistent identifiers to push messages to children encouraging increased usage.
(5) Changes related to educational technology: Prohibits educational technology companies from using collected children's personal information for commercial purposes and requires implementation of additional safeguards.
(6) Strengthening accountability for the Safe Harbor program: The proposed rules will enhance transparency and accountability for the COPPA Safe Harbor program, including requiring each program to disclose its member list and report additional program details to the Commission.
(7) Strengthened Data Security Requirements: The FTC proposes to enhance the data security requirements under COPPA rules, mandating that operators implement a child personal information security program containing safeguards commensurate with the sensitivity of the personal information collected from children.
(8) Data Retention Limitations: The FTC strengthens COPPA's data retention limitations, permitting personal information to be retained only for as long as necessary to fulfill the specific purpose for which it was collected.
The proposed amendments would also prohibit operators from using retained information for any secondary purposes and explicitly prohibit indefinite retention. The rule further requires operators to establish and publish data retention policies for children's personal information.
Additionally, the FTC proposes modifying certain definitions in the rules, including expanding the definition of “personal information” to encompass biometric identifiers and similar data. It further states that when determining whether a website or online service is directed to children, the FTC will consider factors such as marketing materials, statements made to consumers or third parties, comments from users or third parties, and the age of users of similar websites or services.
Link to proposed COPPA rule modifications (open for public comment):
https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
