Continuing its recent tying of loose ends prior to a change in administration, the U.S. Federal Trade Commission issued its final rule amending the Children's Online Privacy Protection Rule by a unanimous vote.
The rule change represents the first amendment to the COPPA Rule since 2013. On 11 Jan. 2024, the FTC issued a notice of proposed rulemaking to amend the COPPA. The NPRM followed the agency's 2019 request for comment to update the law.
The amended COPPA Rule addresses several major issues children's privacy advocates have long pushed for to reflect technological advancements and children's online safety best practices. The changes include specifying conditions under which consent can be given by responsible parties, limiting business-to-business exchanges of children's data, formalizing data security requirements and modifying definitions of key terms, which were all contained in the draft amended rule.
Key amendments include provisions requiring opt-in consent on the part of parents for the sale of their children's personal data to third parties to engage in targeted advertising after obtaining "separate verifiable parental consent," as well as limiting retention of children's personal data to fulfill a specific purpose for a certain duration and increasing transparency for FTC-approved Safe Harbor programs.
"The updated COPPA Rule strengthens key protections for kids' privacy online," FTC Chair Lina Khan said in a statement. "By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children's data without active permission. The FTC is using all its tools to keep kids safe online."
The finalized changes to the COPPA Rule feature amended definitions of terms, such as "personal information" to include biometric and government-issued identifiers and "mixed audience website or online service."
Under the final rule, companies are allowed to collect personal information for "limited purposes … prior to determining the visitor age."
"The Commission believes the proposed definition provides sufficient guidance and flexibility for operators to select from age assurance methodologies and declines to incorporate the suggested harm-based calculation into the rule," the final COPPA rule states. "The Commission agrees with commenters expressing the view that it is important to allow operators to innovate and develop alternative, improved mechanisms to determine age that do not rely on a visitor’s self-declaration and finds that the proposed language best accomplishes this."
In a joint-concurring statement, FTC Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter said following the 2013 COPPA Rule update, companies deemed the "reasonably necessary" period to retain data was indefinite, which they said was "not reasonable." Bedoya and Slaughter said the new final rule is necessary at this current juncture with the state of development of large language artificial intelligence models within Big Tech.
"This clarification is especially important at a time when the developers of large language models and other AI products are caught in a race to acquire ever-increasing amounts of training data," Bedoya and Slaughter said in their statement. "Claims from businesses that data must be indefinitely retained to improve algorithms do not override legal bans on indefinite retention of data. Companies eyeing children’s data would do well to heed this lesson."
Although he voted for the final COPPA Rule amendments, Commissioner Andrew Ferguson issued a statement raising several issues with the rule he found objectionable, such as requiring companies to receive multiple opt-in consent steps for different specific potential use cases for a child's personal data from their parents.
"No one should have any doubt that these issues are the result of the Biden-Harris FTC's frantic rush to finalize rules on their way out the door," said Ferguson, who will become FTC chair when President-elect Donald Trump takes office 20 Jan. "The Commission under President Trump should address these issues and fix the mess that the outgoing majority leaves in its wake."
Notable cuts
The biggest change from proposals contained in the NPRM is the final rule's omission of provisions clarifying how COPPA applies to the use of educational technologies by schools and students.
The final COPPA Rule amendment refers to an effort by the Department of Education launched last fall to propose amendments to the Family Educational Rights and Privacy Act regulations that would "clarify … provisions governing non-consensual disclosures of personally identifiable information from education records to third parties," per the text.
"These changes may be relevant to provisions of the COPPA Rule related to ed tech and school authorization that the Commission proposed in the 2024 NPRM," the final rule states. "To avoid making amendments to the COPPA Rule that may conflict with potential amendments to DOE's FERPA regulations, the Commission is not finalizing the proposed amendments to the Rule related to ed tech and the role of schools at this time."
Public Interest Privacy Center President Amelia Vance told the IAPP that she was "extremely frustrated" the FTC retreated from issuing edtech requirements in the final COPPA Rule update, saying their justification to wait on potential FERPA updates is "ridiculous."
"Schools have consistently asked the FTC to include this language, and the Department of Education has declared its intention to release new FERPA regulations since its Office of Inspector General mandated that it do so in 2018," Vance said. "The FTC, not the Department of Education, regulates companies like edtech vendors. The FTC's decision not to codify the school authorization language undermines schools' ability to hold vendors to clearly stated standards that would have increased privacy for all students."
Another significant departure from the draft update to the final rule was a decision to drop language limiting app notifications children receive because of stakeholder objection, such as depriving children the ability to receive notifications for doing schoolwork online and First Amendment concerns.
The rule was ultimately amended to redefine "Support for the internal operations of the website or online service" by clarifying that "information collected for the enumerated activities … may be used or disclosed to carry out those activities," per the text.
However, the final rule notes commissioners shared other stakeholders' concerns that companies may ultimately abuse the ability to send notifications to children and may pursue enforcement actions under Section 5 of the FTC Act against those who violate the spirit of this provision.
"The Commission shares supportive commenters' concerns regarding practices that operators employ to maximize children's engagement with online services," the final rule states. "(The Commission) notes it may pursue enforcement … in appropriate cases to address unfair or deceptive acts or practices encouraging prolonged use of websites and online services that increase risks of harm to children."
Alex LaCasse is a staff writer for the IAPP.
