The FTC has proposed several revisions to its 24-year-old Children’s Online Privacy Protection Rule (COPPA) to keep up with evolving technology and make it harder for companies to collect and monetize data from kids.
For app builders, website operators and online services aiming to reach children in the US, COPPA is an ever-present and important gatekeeper that already requires providing notice and getting parental consent before collecting information from kids under the age of 13.
The updates that are currently on the table factor in tech advancements made over the last decade. For example, the FTC is proposing an expansion of the definition of “personal information” to include biometric identifiers—which typically include fingerprints and voice/face recognition software—because they can all be used in fraud, says commissioner Alvaro Bedoya in a statement.
Also proposed are new restrictions on retention. For example, operators that tap into data to send kids notifications or encourage them to spend more time using their services/products would have to specifically flag this data usage to their parents.
The FTC’s new rules would more tightly control how companies can gather info, with requirements for getting parental consent if an operator planned to disclose a child’s info to third-party advertisers. And they couldn’t make opting into this a requirement for accessing the service, either.
Under the proposed changes, companies would also only be able to collect as much info as is “reasonably necessary” for a child to participate in a game or receive a prize. And the amount of time companies can keep personal info would be limited to “only for as long as necessary to fulfill the specific purpose for which it was collected”.
Additionally, the FTC wants to make it crystal-clear that even if services don’t explicitly target kids, they could still be required to be COPPA-compliant. According to the proposal, the org plans to consider elements such as marketing materials, reviews and the ages of users on similar websites to determine whether a service is, in fact, targeting children.
In his nine-page statement, Bedoya shared several examples of how COPPA has been dealing with widespread issues of unauthorized and unnecessary data collection, use, retention and disclosure. Some companies the FTC has filed and settled COPPA charges with include TikTok (formerly Musical.ly), social networking service owner Path and Fortnite-maker Epic Games (which had to pay US$520 million).
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” says FTC chair Lina Khan. “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children. By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”
The last time the FTC made changes to COPPA was in 2013, in an effort to better reflect how kids were increasingly using mobile devices and social media.
A full notice containing the proposed changes is available on the FTC website.
Newsletter
