United States: FTC Proposes Changes To COPPA Rule: What Businesses Need To Know

The Federal Trade Commission (FTC) announced a Notice of Proposed Rulemaking (NPRM) to amend the Children's Online Privacy Protection Act Rule (COPPA Rule). The COPPA Rule applies to operators of websites and online services that are directed to children under 13 or that have "actual knowledge" they are collecting personal information from children under 13. It imposes notice, consent, data security, and data minimization requirements. Below we summarize highlights from the rulemaking.

Significant Changes

The FTC proposes to modify many of the Rule's provisions. Some of the proposed changes could have far-reaching practical effects for companies assessing COPPA's applicability and working to achieve COPPA compliance.

• Parental Consent for Third-Party Disclosures: The FTC's proposal includes a major change to parental consent requirements, which currently permit a single consent for the collection, use, and disclosure of child personal information. Under proposed Rule, when verifiable parental consent is required, operators would be required to bifurcate consent and obtain one for collection/use and one for disclosure to third parties, except where such disclosure is "integral to the nature of the website or online service." This proposal could require companies to not only manage the new requirements, but also address potential parental confusion created by a bifurcated model.
• Internal Operations Exception: The FTC proposes to modify the Rule's internal operations exception to the general requirement that operators obtain parental consent. Under the proposal, an operator would be prohibited from using a persistent identifier collected under the internal operations exception "in connection with processes, including machine learning processes, that encourage or prompt use of a website or online service." By way of example, the FTC noted this new limitation would "prohibit operators from using or disclosing persistent identifiers to optimize user attention or maximize user engagement with the website or online service, including by sending notifications to prompt the child to engage with the site or service." How this new limitation would be reconciled with internal operations activities that companies currently use to operate their sites, including for personalization, is an important question to be answered.
• School Authorization Exception: The rulemaking includes an entirely new parental consent exception for education technology. In certain circumstances, an operator may rely on the consent of a school, as opposed to a parent, in collecting child information. The proposal specifies a number of requirements that must be satisfied to rely on the School Authorization exception, including: (1) that the information collected can only be used for a school-authorized education purpose and not a commercial one; (2) a written agreement between the authorizing school and the operator with specific terms; (3) direct supervision by the school over the operator's use, disclosure, and maintenance of the personal information; (4) that the operator must post an online notice with proscribed information; and (5) the ability for the school to review and request deletion of any child personal information. Although the FTC's proposal makes clear that the new School Authorization exception is merely a codification of existing guidance, both schools and operators will need to address issues left open under the exception, such as what activities fall within the educational purpose limitation.
• Data Security Obligations: The FTC's proposal offers more granular and prescriptive terms on what is required by COPPA's requirements to establish and maintain "reasonable procedures" to protect children's data. Such reasonable procedures would include establishing, implementing, and maintaining a written children's comprehensive security program. It would also include written assurances from third parties to which child personal information is disclosed that they can satisfy requirements to secure and protect child personal information.

• New Parental Consent Options: The FTC proposes allowing parents to provide consent through text messages, knowledge-based authentication, and facial recognition technology. The FTC is also proposing to eliminate the monetary transaction requirement for obtaining consent through a parent's use of a credit card, debit card, or online payment system. Under this proposal, the parent would simply need to enter payment information and no charge would be transacted.
• Defining "Directed to Children": The FTC is proposing to add "a non-exhaustive list of examples of evidence" it would use in its assessment of whether a site or online service is directed to children, including "marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services." It also asks whether websites or online services be able to rebut that they are directed to children through an audience composition analysis.

Anticipated Clarifications

The NPRM also proposes important clarifications that have been previewed in recent COPPA settlements and guidance.

• Data Retention: The NPRM would expand the Rule's express data retention and deletion requirements, making clear that "personal information collected online from a child may not be retained indefinitely" or used for a "secondary purpose" beyond the purpose(s) for which the information was collected. The FTC also proposes to require that companies establish internal policies to limit data retention and disclose their data retention policies in their COPPA privacy policies.
• Defining "Personal Information" to Include Biometrics: In FTC's proposal would expand the definition of personal information to include biometric identifiers that can be used for the automated or semi-automated recognition of an individual, reasoning that "biometric recognition systems are sufficiently sophisticated to permit the use of identifiers . . . to identify and contact a specific individual either physically or online."
• Voice Commands: The FTC proposes to largely codify its 2017 policy statement regarding COPPA and voice recordings (which comes up in the context of smart home assistants or similar technology). The FTC proposes that as long as a business uses the audio file to respond to a specific request and does not (1) use the information for another purpose, (2) disclose the information, or (3) retain the information after responding, COPPA direct notice and consent requirements do not apply.

Open Questions

Finally, the FTC asks a series of questions regarding its approach to COPPA rulemaking. Some of the questions that stood out to us include:

• Screen and User Names: The FTC asks whether it should expand the definition of "personal information" to include screen or user names that do not allow contacting an individual, despite the fact that the FTC's rulemaking authority to define "personal information" is limited to identifiers that can be used to "contact[] . . . a specific individual." The NPRM reasons that children may use the same screen or user name across websites or online services, and they may be able to be contacted on platforms not controlled by the operator.
• Limiting Personalization and Contextual Advertising: The existing COPPA Rule permits businesses to use persistent identifiers for internal operations without parental consent. The FTC asks whether certain types of personalization and contextual advertising remain appropriately categorized as internal operations. For example:
  • The NPRM explains that personalization that is "user driven" may be permitted under the internal operations exception, but it asks whether personalization that is "driven by an operator" and that is designed to "maximize user engagement" should be permitted.
  • Similarly, the NPRM questions whether to continue to permit contextual advertising under this exemption. It explains, "given the sophistication of contextual advertising today, including that personal information collected from users may be used to enable companies to target even contextual advertising to some extent, should the Commission consider changes to the Rule's treatment of contextual advertising?"
• Role of Platforms: The NPRM asks whether platforms can play a role in establishing consent mechanisms to enable obtaining verifiable parental consent. In particular, the FTC states it would be interested in understanding the benefits that platform-based consent mechanisms would create for businesses and parents.

* * *

For 60 days after publication in the Federal Register—which should occur in the next couple of weeks—the FTC is accepting public comment on the proposed changes to the Rule and the questions the agency raises in its NPRM. We will continue to monitor developments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.