Summary
This week, the Federal Trade Commission (FTC) has proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) to impose new restrictions on the use and disclosure of children's personal information, aiming to limit company’s ability to monetize such data.
The last change was made in 2013, and a much-needed update was required to protect children in a time where their digital access has drastically increased.
The proposal shifts the responsibility from parents to providers to ensure the safety and security of digital services for children. The COPPA Rule, initiated in 2000, mandates websites and online services collecting information from children under 13 to obtain parental consent, limit data collection, and ensure data security.
The proposed changes include:
-
Separate opt-in for targeted advertising: operators must obtain verifiable parental consent for disclosing information to third-party advertisers, with access to services not contingent on such disclosure.
-
Prohibition against conditioning participation: an explicit ban on collecting more personal information than necessary for a child's participation in an activity.
-
Limits on support for internal operations: operators using persistent identifiers must provide online notice about specific internal operations and ensure non-disclosure for targeted advertising.
-
Limits on nudging kids to stay online: prohibiting the use of online contact information and persistent identifiers to send push notifications encouraging extended service use.
-
Changes related to ed-tech: codifying guidance to prohibit commercial use of children's information in educational technology, allowing collection only for school-authorized educational purposes.
-
Increasing accountability for safe harbor programs: enhancing transparency by requiring disclosure of membership lists and additional information.
-
Strengthening data security: mandating operators to establish, implement, and maintain a written children’s personal information security program.
-
Limits on data retention: information can be retained only as long as necessary for its collected purpose, with operators required to establish and disclose a written data retention policy.
The FTC also proposes expanding the definition of "personal information" to include biometric identifiers. The public has 60 days to comment on these proposed changes.
What do you think about the impact of the digital age on children? Join the conversation in our Yes We Trust community, a free discussion group for data privacy professionals and enthusiasts, on LinkedIn: