The Federal Trade Commission (FTC) has finalized amendments to its Children's Online Privacy Protection Act (COPPA) Rule, effective 60 days after publication in the Federal Register. We expected an effective date in late March, although this date could be impacted by Trump's recent executive order. Key updates include:
- Notice and Consent Requirements: The amendment requires separate notice and consent for the disclosure of children's data to third parties. Companies must disclose to parents the identities and specific categories of such third parties.
- Data Retention Restrictions: Businesses are barred from retaining children's data indefinitely.
- Expanded Definition of Personal Information: Biometric and government-issued identifiers are now explicitly covered under COPPA protections.
- Safe Harbor Transparency: Self-certified compliance will be subject to enhanced transparency requirements including public disclosure of their membership lists.
- New consent methods: Businesses may use approved text message and knowledge-based authentication methods to obtain verifiable parental consent.
- New data security requirements: Businesses must designate employees to coordinate a security program, conduct risk assessments, and implement, test, and monitor safeguards. Note these do not have to be in a separate children's security program as originally proposed.
Dropped proposals limitations on educational technology providers' use of student data for commercial purposes and school-based (rather than parent-based) consent allowances. The FTC cited potential conflicts with future FERPA amendments as a reason for scaling back these provisions. It also dropped requirements for another separate parental consent to use children's data for purposes of maximizing engagement (e.g., sending push notifications to nudge user activity).
While the rule updates were approved by a 5-0 vote, their future remains uncertain as incoming Chair Andrew Ferguson raised concerns about the timing and scope of the amendments. For an overview of the proposed rules, see FKKS associate Andrew Folk's previous article at https://iapp.org/news/a/still-growing-up-top-takeaways-from-the-ftcs-proposed-coppa-rule-update. We will provide a more detailed analysis on the FKKS Technology Blog promptly.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
