On December 20, 2023, the US Federal Trade Commission (“FTC”) announced a Notice of Proposed Rulemaking (“Rulemaking Notice”), proposing changes to the Children’s Online Privacy Protection Act (“COPPA”) Rules. The FTC clarified that these proposed changes aim to strengthen children’s privacy by placing new restrictions on the use and disclosure of children’s personal information, as well as limiting the ability of companies to condition access to services on monetizing children’s data. The proposal further aims to shift the “burden” from parents to providers to ensure that digital services are safe and secure for children.
The COPPA Rule, initiated in 2000, applies to operators of websites and online services directed to children (defined as individuals under the age of 13) or otherwise that “knowingly” (as defined therein) collecting children’s personal information (“Operators”), obligations related to disclosures and verifiable parental consent to be obtained before collecting, using, or sharing children’s personal information under certain circumstances, as well as impose restrictions how such personal information can be used, including for internal purposes.
The FTC’s proposed changes to the COPPA Rules detailed under the Rulemaking Notice, includes among others:
- Requiring separate opt-in consent for third-party disclosures. Operators will be required to obtain parents’ separate verifiable consent to disclose personal information to third parties, including third-party advertisers (unless the disclosure is integral to the nature of the website or online service). Meaning, the default settings of such websites and online services would have to disallow third-party behavioral advertising and allow it only when parents expressly opt in.
- Limiting the “support for internal operations” exception. Currently, Operators can collect persistent identifiers without first obtaining parental consent if no other personal information is collected and such are used solely to provide support for internal operations. The proposed changes will require Operators to provide an online notice explaining the specific internal operations for which identifiers are collected and how they will ensure such are not used to contact specific individuals, including through targeted advertising.
- Limiting the means used to encourage children to stay online. Operators will not be allowed to use certain COPPA exceptions to send push notifications to encourage children to use their service and will be required to flag that use in their COPPA-required direct and online notices.
- Limiting data retention. Strengthen retention standards will restrict Operators from retaining children’s personal information in excess of the necessary period to fulfill the purpose for which it was collected or use it for any secondary purpose. Operators will be further required to clearly disclose their data retention policy.
- Increasing accountability for Safe Harbor programs. To increase transparency and accountability of COPPA’s Safe Harbor programs, the proposed changes would require the safe harbor programs to publicly disclose each of its Operators members, as well as all Operators that have left the program, and report additional information to the FTC, as well as requirements to ensure Operators subject to the self-regulatory program guidelines provide substantially the same or greater protections for children as those contained in COPPA, to implement an effective, mandatory mechanism for the independent assessment of Operators’ compliance with the FTC-approved COPPA Safe Harbor program’s guidelines; and to apply disciplinary actions for subject Operators’ non-compliance with self-regulatory program guidelines.
- Strengthen data security requirements. For example, by mandating that Operators create a written children’s personal information security program, including safeguards appropriate to the sensitivity of the information collected from children.
- Expanding the definition of “personal information” and the assessment of websites and online services which are subject to the COPPA Rule. The term “personal information” is proposed to further include biometric identifiers. In addition, the FTC further intend to propose considering marketing materials, consumer representations, user or third-party reviews, and the age of users on similar websites or services when assessing whether a website or online service targets children.
The Rulemaking Notice and proposed changes thereunder are currently open for public consultations and comments for a period of 60 days as of publication.
We will keep you updated on the development of such proposed changes and potential implications.
APM Technology and Regulation Team.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding.
APM & Co. is not licensed to practice law outside of Israel.
