The FTC’s COPPA Rule implements its statutory charge under COPPA to protect the privacy of children under 13 years of age when they are online. The statute and rules require operators of websites and online services directed to children, or who have actual knowledge of use by children, to obtain verifiable parental consent before collecting, using or disclosing personal information collected online from children, and governs the security of the personal information maintained.
The COPPA Rule governs when and how verifiable parental consent is to be obtained, exceptions to when consent is required or when more streamlined methods are permitted, the creation of safe harbor programs for verifiable parental consent, and data security requirements.
FTC May Expedite Rule Changes with Rapid Tech Evolution
The FTC’s last update to its COPPA Rule in 2013 constituted the first major attempt to “broaden and clarify” the Rule since its original adoption in 1999 (following enactment of the statute in 1998). Those changes addressed matters such as application of the rule to plug-ins, software downloads, ad-networks and behavioral-advertising, use of persistent identifiers, and additions to what constitutes children’s personal information, including geolocation data and audio and photo/video files.
Typically, the FTC requests public comment on the various rules that it maintains every 10 years. However, the FTC indicated it is proceeding more rapidly to this next rule review for COPPA given the rapid evolution in technology – likely driven by recent attention to the possibility that IoT devices collect children’s personal information – that change the way children are engaging online.
The Request for Public Comment does not propose specific new Rule provisions or contain any recommendations; instead, it is an open invitation for comment on any aspect of COPPA. This is typical of the FTC’s approach to rule updates, where a request for comment may be followed by a notice of proposed rulemaking, putting forth specific changes to regulation for public comment and, following that, adoption of changes to its rules.
Key Issues of FTC Focus
Notwithstanding the Request for Public Comment’s open-endedness, the FTC does, however, focus attention on the following issues:
- COPPA’s application to educational technology; specifically whether educators should be able to consent to an educational technology product or service’s collection of personal information on the parent’s behalf;
- COPPA’s application to voice-enabled connected devices, and specifically, whether the FTC’s should incorporate into the Rule itself its “Audio Guidance” governing voice data that serves navigation purposes that allows operators to collect and use it in limited ways without first obtaining verifiable parental consent;
- Whether de-identification of data could substitute for outright deletion that the COPPA Rule requires. This could, for example, allow an operator to use the de-identified information for product improvement; and
- Whether general audience websites and online services lack incentive to assess whether content that third parties upload is child-directed, thus leaving children unprotected, and whether the FTC should adopt new rules to encourage general audience websites and online services to “identify and police” child-directed content.
FTC Seeks Comment on COPPA Definitions
The FTC also opens the door to comments on COPPA’s definitions, which could significantly affect the scope of products and services that must comply with the Rule.
In particular, the FTC asks:
- Whether to update the definition of "personal information" to expressly include genetic data, fingerprints, retinal patterns, or other biometric data, or information that is inferred, but not collected directly from, children; and
- Whether the definition of “support for the internal operations of the Web site or online service” should be modified. Currently, the less onerous “email plus” method of parental consent is available only to operators that disclose a child’s personal information to service providers that commit to using that information for an enumerated set of low-risk, internal purposes. If this definition were expanded, “email plus” could conceivably become a viable option to obtain parental consent in circumstances where it was previously inapplicable.
The open-ended nature of the FTC’s inquiry may also generate additional ideas that could lead to significant changes for operators. The October 7 workshop likely will shed more light on the interests of the FTC and the various stakeholders in COPPA governance and compliance.
Considerations for Child-Directed Content Operators
Operators of websites or online services that collect children’s personal information, or that host content that is child-directed within their platforms, products, and services, or that collect personal information from operators that host child-directed content, should stay engaged with FTC efforts in this area in order to understand how any proposed changes might affect compliance obligations.