Calls for children's privacy reform in the U.S. have become louder in recent years as kids' online presences have deepened at younger ages. To this point, various urgings have fallen on divided and distracted ears in U.S. Congress.
In the absence of a legislative solution, the U.S Federal Trade Commission has stepped in and unveiled its plan to modernize children's privacy enforcement.
The commission announced 20 Dec. 2023 a Notice of Proposed Rulemaking to update its Children's Online Privacy Protection Rule. The NPRM was not a spur-of-the-moment decision by the FTC, which initiated a review of the COPPA Rule in 2019 that involved a dedicated children's privacy forum and generated more than 175,000 comments. The results of the rulemaking will be the first updates to the COPPA Rule since 2013.
"The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children," FTC Chair Lina Khan said in a statement. "By requiring firms to better safeguard kids' data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents."
It will be the second privacy rulemaking endeavor the FTC has initiated during Khan's tenure as the commission opened a broader rulemaking on privacy, commercial surveillance and data security in 2022. It's unclear whether the children's privacy rulemaking will run hand in hand or take priority over the broad privacy rulemaking, which the commission hasn't provided progress reports on in recent months.
The FTC highlighted proposed updates within the children's privacy NPRM that focus on both privacy and online safety. Proposed privacy provisions include requiring verifiable parental opt-in consent for targeted advertising, data retention limits, COPPA Safe Harbor accountability and codifying FTC education technology guidelines.
FTC Commissioner Alvaro Bedoya issued a statement noting how the contents of the NPRM reflect efforts "to keep up with advancing technology." More specifically, Bedoya applauded FTC staff's work on ensuring the proposed updates tackle the protection of "a range of biometric identifiers as personal information," potential consent workarounds, and clear prohibitions on keeping children's data "forever."
Placeholder for legislation?
The FTC's move to modernize the COPPA Rule comes as Congress lags on finalizing children's privacy and online safety legislation. The proposed Children and Teens' Online Privacy Protection Act and the Kids Online Safety Act have been available for full Senate votes since July following green lights from the Senate Committee on Commerce, Science and Transportation.
Movement on both bills has stalled due to competing Senate priorities and general division over various policy points, more specifically with the KOSA proposal. The lack of action comes as U.S. President Joe Biden has made explicit calls for Congress to act on children's privacy legislation, including callouts in two State of the Union speeches and a direct message to lawmakers in July 2023.
White House Office of Science and Technology Policy Director Arati Prabhakar said "there is still more to do" beyond the COPPA Rule updates, noting how "clicks, searches, and payments are tracked by companies that use and often sell our data, track us, and target us with advertisements." She also indicated the Biden's urgings to Congress on children's and broad privacy protections will persist.
Additionally, co-sponsors of the COPPA 2.0 proposal do not want the FTC's rulemaking to be perceived as the replacement for their legislation.
In a statement, U.S. Sens. Ed Markey, D-Mass., and Bill Cassidy, R-La., indicated the FTC's proposed updates "could not come at a more important time," but they also "should not be considered a replacement for congressional action."
"COPPA is now 25 years old and must be modernized to meet the privacy challenges of today, including by extending COPPA’s protections to teenagers and banning targeted advertising to kids and teens. We must quickly pass our Children and Teens’ Online Privacy Protection Act, or COPPA 2.0, to enact these essential rules and prioritize the well-being of our children. Inaction is not an option," Markey and Cassidy said.
The NPRM has not-so-subtle ties to COPPA 2.0 and KOSA that can't be ignored, including targeted advertising and data retention prohibitions as well as provisions for content moderation to mitigate "online nudging" and "screen addiction."
Perkins Coie Partner Janis Kestenbaum, who previously served as senior legal advisor to former FTC Chair Edith Ramirez, told the IAPP the FTC "aims to review its rules every 10 years," however, the commission let modifications to the COPPA Rule "languish" while tending to other matters. She said the congressional stall on children's privacy legislation may be a motivator, but otherwise the NPRM mostly represents "changes in technology and consumer and business practices."
"It appears like the FTC was largely seeking to update, not overhaul, its COPPA rule," Kestenbaum said. "Some may be critical that it hasn’t sought to go further but I think the FTC’s response would, appropriately, be that it is constrained by the limits from the COPPA statute."
Unpacking proposed updates
Some of the updates laid out in the NPRM raise questions as to whether the FTC is stretching the COPPA Rule to cover other digital policy points. Particularly with provisions related to "nudging" and online safety, it's not exactly clear to Kestenbaum if the commission should be blanketing such matters in under a COPPA scope.
"That’s a commendable goal. But it’s hard to see how that falls within the purview of COPPA, which was enacted as a privacy statute in 1998, long before issues of screen addiction were even contemplated," Kestenbaum said.
The FTC explains the proposal around nudging as adding prohibitions on the collection and use of personal data to "send push notifications to children to prompt or encourage them to use their service more." The proposed updates go further in outlining how "the internal operations exception should not be used to allow operators to maximize children's engagement without verifiable parental consent."
Public Interest Privacy President Amelia Vance said the drafting of the proposed rules on nudging balance protections and business models as they don't flat out ban nudging.
"There is a point when (user experience/user interface) testing begins to infringe on user autonomy via manipulative design," Vance said. "The FTC is seeking to draw a line in the sand that prohibits these engagement maximization tools unless parents have proactively chosen to allow the tool to encourage further engagement."
In regards to more traditional privacy provisions, Vance and Kestenbaum said the FTC went as far as they could and no further with the NPRM.
"Some may be critical that it hasn’t sought to go further but I think the FTC’s response would, appropriately, be that it is constrained by the limits from the COPPA statute," Kestenbaum said. "For example, the FTC considered whether it could adopt a constructive knowledge standard and correctly determined that it can’t because the COPPA statute expressly imposes an 'actual knowledge' standard."
The clarity and prescription that is expected to come from the proposed updates can't be overstated, according to Vance, who has watched companies abide by orders within FTC settlements against other organizations that work in different sectors or carry different business models.
"I cannot emphasize enough how much proposals that may seem ho-hum are, in fact, going to substantially change COPPA compliance practices," Vance said. "Not enough people understand that FTC settlements can be considered a type of 'jurisprudence' that they should be following, leading to questionable interpretations of the law by companies of all sizes. Just codifying aspects of those settlements into 'real' law is invaluable."
The NPRM will enter a 60-day public consultation period upon being published in the Federal Register.