Over the last few years, there has been an increased focus on the collection of children's personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California's Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children's Online Privacy Protection Act (COPPA), specifically in the educational context.

COPPA Background. COPPA was enacted in 1998 and required the FTC to issue and enforce regulations regarding the privacy of children's data online. The FTC's COPPA Rule became effective in April 2000, and the goal was to put parents in control over what information is collected from their children in the digital space. Therefore, the COPPA Rule applies to operators of commercial websites and online services that are directed to children under the age of 13 (including websites targeted at all audiences, regardless of age) that collect, use, or disclose the personal information obtained directly from children. The COPPA Rule's general requirements on website operators include, but are not limited to:

  • Posting a clear and comprehensive online privacy policy;
  • Providing direct notice to parents and obtaining verifiable parental consent;
  • Giving parents the choice of consenting to the operator's collection and internal use of a child's information;
  • Providing parents access to their child's personal information;
  • Giving parents the opportunity to prevent further use or collection of a child's personal information;
  • Maintaining the confidentiality, security, and integrity of information they collect from children;
  • Retaining personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected; and
  • Not conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

FTC Enforcement.

  • Educational Tools. In 2022, the FTC published a policy statement regarding the use of education technology and the applicability of COPPA. According to the FTC, "concerns about data collection are particularly acute in the school context, where children and parents often have to engage with educational technology tools in order to participate in a variety of school-related activities." The FTC further indicates that the use of these education tools substantially increased during the COVID-19 pandemic and that parents may have reasonable questions and concerns about the personal information being collected by the service providers of such education tools. The FTC indicates in the policy statement that it will focus on:
    • Prohibition Against Mandatory Collection. COPPA-covered companies, including education technology providers, must not condition participation in any activity on a child disclosing more information than is reasonably necessary. This means students must not be required to submit to unnecessary data collection in order to do their schoolwork or engage in any other school activity.
    • Use Prohibitions. Operators of education technology that collect personal information, pursuant to school authorization, may use such information only to provide the requested online education service. This means that education technology companies are prohibited from using such information for any commercial purpose, including marketing or advertising.
    • Retention Prohibitions. Education technology providers must not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected.
    • Security Requirements. Education technology providers must have procedures to maintain the confidentiality, security, and integrity of children's personal information.
    • Use Prohibitions. Operators of education technology that collect personal information, pursuant to school authorization, may use such information only to provide the requested online education service. This means that education technology companies are prohibited from using such information for any commercial purpose, including marketing or advertising.
    • Retention Prohibitions. Education technology providers must not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected.
    • Security Requirements. Education technology providers must have procedures to maintain the confidentiality, security, and integrity of children's personal information.
  • Increased FTC Enforcement. On the FTC's Website, the FTC lists its cases (by year) against companies that allegedly violated the COPPA Rule. Looking at this list of cases between the years 2013 and 2022, there were, at most, 1-3 cases per year. However, as of July, there have already been five cases in 2023 (one of which is an order against an education technology provider).

New Consent Proposal. As noted above, one of the requirements under COPPA is that website operators must provide direct notice to parents and obtain verifiable parental consent prior to collecting personal information from children. Due to this, the FTC implemented a system in which companies could propose new methods for obtaining parental consent online. The FTC would then approve or deny the proposed method. Examples of approved methods include, but are not limited to, (1) providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan; (2) requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; or (3) having the parent call a toll-free telephone number staffed by trained personnel.

On July 19, 2023, the FTC announced that it is seeking comment on a new parental consent mechanism. The new mechanism would use a "Privacy-Protective Facial Age Estimation" technology, which would analyze the geometry of a user's face to confirm that they are an adult. According to the submitted proposal, "facial age estimation uses computer vision and machine learning technology to estimate a person's age based on analysis of patterns in an image of their face. The system takes a facial image, converts it into numbers, and compares those numbers to patterns in its training dataset that are associated with known ages."

The FTC is seeking comments on whether the proposed age verification method is covered by existing methods; whether the proposed method meets the requirements under the COPPA Rule; and whether the proposed method poses a privacy risk to consumers' personal information, including their biometric information. The comment period ends on August 21, 2023.

Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company's legal or compliance obligations. Taft's Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don't forget to download our free mobile app, to give you quick, real-time access to Taft PDS content and updates like this one.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.