In the final days of the Lina Khan-led U.S. Federal Trade Commission, the Children's Online Privacy Protection Act Rule has been officially updated for the first time since 2013.

The process started way back in 2019 under U.S. President-elect Donald Trump's first administration, when the FTC began its statutorily enabled process of refreshing the COPPA Rule to keep up with changes in technology and business practices. The unusually lengthy rulemaking has gone through two robust sets of public comment, multiple proposed drafts and untold hours of drafting and negotiation within the commission.

In 2013, the relationship between young people and technology looked very different than it does today.

Minecraft was only just beginning to see popularity as a PC game. Xbox One and PlayStation 4 had just been released. Snapchat was gaining traction. But there was no TikTok — not even Musical.ly had yet been born.

One thing we will never see in a regulatory update to the existing COPPA statute is a rule that applies to users aged 13 or above. Although the FTC has a clear interest in protecting teenagers from the unique privacy risks and harms they face, it lacks the statutory authority to change the scope of the COPPA. Only federal lawmakers can do that, and they have promised to try yet again with some version of a COPPA 2.0 in the 119th Congress.

Edtech rollback

For those who were acquainted with the proposed COPPA Rule updates, the biggest surprise in the final rule is the change of direction on education technology providers, known as the edtech industry.

One of the constant refrains from stakeholders across the kids' privacy world relates to the complexity of the COPPA in the educational context. Not only does it interact with the federal law governing school use of personal data, the Family Educational Rights and Privacy Act, but the COPPA's application to the widespread use of third-party software in U.S. schools is debated and generally agreed to be ambiguous.

The FTC previously issued warnings and brought enforcement actions against edtech companies, but most agree ongoing regulatory uncertainty has left privacy gaps.

The proposed rule would have clarified these debates. Among other things, it would have formalized a school authorization exception to parental consent requirements. Perhaps even more important for regulatory certainty, it would have required discrete contractual responsibilities between schools and edtech providers, putting uniform control over personal data in the hands of schools.

The official explanation for the FTC's departure from the proposal is somewhat unusual, though not implausible. Since the U.S. Department of Education has recently "affirmed its intentions to propose" amendments to FERPA, the FTC is rolling back its guidance to the existing rules so as to avoid conflicts.

Another possible explanation: Part of the cost of strong bipartisan agreement on a new regulation in a five-person commission is political compromise. Though there is no indication in commissioners' statements, it may be that the final rule was shaped by a desire to ensure all five commissioners could agree to the regulatory update.  

The vast majority of the remainder of the rule update is consistent with the proposal. For those who may not have read the proposal, or in case your memory has been overwritten with other privacy issues in the past 14 months, here is a quick rundown of the most notable changes.

Age verification updates

The COPPA is at its strongest when an online service is "child directed," based on a multifactor test. Some child-directed services can be classified as "mixed audience," which allows them to create a neutral age gate and treat children differently than other users.

The updated rule clarifies how these mixed audience services can incorporate age analysis into their user flow, allowing the collection of some personal information — but only for age estimation purposes — before users are sorted into the proper version of the service.

The proposed rule had also toyed with the idea of providing an exemption from the definition of child-directed service for companies that conduct an analysis of their users to determine there is not a certain threshold of users under 13.

List every third-party recipient, or else

Modernized notice requirements were one of the goals of this round of COPPA Rule updates. The COPPA requires a "direct notice" to parents when seeking parental consent, and the updated COPPA Rule has adjusted these requirements, in general, to "expand the disclosures required in direct notices," as the FTC explains.

Moving forward, parental disclosures must list any and all third parties with whom children's personal information will be shared, including the public if information will be made publicly available. For each third party, the disclosure should also include the purpose for sharing.

In a concurring statement, FTC Commissioner Andrew Ferguson explored his concerns with the effect of listing all third parties when seeking parental consent, when coupled with COPPA's requirement to obtain new parental consent whenever a "material change" is made. Ferguson worries there is insufficient clarity as to whether every newly listed third party will constitute a material change.

Privacy policy changes consistent with this same rule are also required. In fact, the final rule goes farther than the proposal. Rather than allowing companies to list in a public privacy notice the "specific categories" of third parties to which children's information will be disclosed, the final rule has been narrowed to require a list of every individual third party, along with its specific category.

Accordingly, any sharing of children’s personal information with an undisclosed third party will now constitute a COPPA violation.

Privacy policies will also need to be more descriptive in other ways, including by describing any collection of persistent identifiers without parental consent under the listed exceptions, a disclosure that was not previously required. Companies will also need to explain the methods they employ to keep these identifiers from being used to contact children.

Double consent for sharing

Though this arguably is not a change in the COPPA as applied, the updated rule makes fully clear that separate verifiable parental consent is required before disclosing children’s personal information to third parties, "unless such disclosures are integral to the nature of the website or online service."

Conditioning the use of a service on sharing information with third parties is also disallowed, as has been the case since 1999.

Policies, contracts and public disclosures, oh my!

On the cybersecurity front in recent years, the FTC shifted from a broad "reasonable security" framing to embracing more explicit operational and technical safeguards in enforcement actions and rules. The COPPA Rule is no exception.

As the IAPP previously analyzed when the changes were proposed, the updates provide clearer expectations about the measures that are necessary to meet minimum security commensurate with the sensitivity of children’s personal data. They include a requirement to implement a "children's personal information security program" — or a general program that meets the COPPA standards — that includes safeguards such as designated qualified employees, routine risk assessments, ongoing monitoring and annual updates.

When data is shared with any other entity, there is now a clear obligation under the COPPA to "take reasonable steps to determine that such entities are capable of maintaining the confidentiality, security, and integrity of the information" and obtain contractual assurances that recipients will do so.

Not only must companies establish retention policies covering children's personal information under the COPPA, these policies must now be made publicly available. And, consistent with past precedent, companies are explicitly prohibited from indefinitely retaining covered data.

Overhauling the COPPA Safe Harbor

One of the lasting legacies of the COPPA has been its embrace of a multilayered accountability structure in the form of a safe harbor program.

Designated third-party safe harbor organizations must meet a set of structural and operational requirements proving their independence, accountability and transparency in order to receive FTC approval to operate. Once operational, safe harbor programs can establish their own guidelines, consistent with COPPA requirements, and hold their participants accountable to these guidelines via routine privacy reviews.

In a controversial set of updates, the final COPPA Rule update implemented a dramatic increase in the expectations on safe harbor programs. For starters, the FTC clarified that safe harbors must review participants’ security programs as well as their privacy operations.

But the FTC also expanded transparency requirements, including a requirement for safe harbors to provide all consumer complaints to the FTC during routine reviews. Some of the updates were welcomed by existing safe harbors, while others received significant pushback related to concerns that overly zealous reporting obligations would drive participants away from safe harbors and therefore have a chilling effect on COPPA compliance generally.

Though clearly mindful of these risks, the final rule implements most of the proposed adjustments to the safe harbor structure.  

Definitional tweaks

Finally, certain weight-bearing definitions in the COPPA were also updated to keep pace with technology.

Parental consent is now sometimes allowed via text message, and services can collect a phone number for that purpose.

Biometric information is now included in the defined list of data within "personal information." The proposed rule would have applied to some biometric derivatives, but this was not included in the final rule. Instead, the open-ended list of biometric identifiers "used for automated or semi-automated recognition of an individual" includes "fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints."

What’s next?

The updated COPPA Rule goes into effect 60 days after it is published in the Federal Register.

As a new U.S. administration kicks off, children's privacy professionals can now rest assured that this long-awaited rule update is in the rearview mirror. Time will tell whether Congress or the FTC next acts to modernize youth privacy rules.

Please send feedback, updates and your kids' favorite videogame to cobun@iapp.org.

Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.

This article originally appeared in The Daily Dashboard and U.S. Privacy Digest, free weekly IAPP newsletters. Subscriptions to these and other IAPP newsletters can be found here.