The Federal Trade Commission (FTC) has finalized amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, marking the first significant update since 2013. These changes reflect the evolving digital landscape, including the rise of smartphones, social media, and artificial intelligence, and aim to address emerging risks to children’s privacy. While the Final Rule will not take effect until 60 days after publication in the Federal Register, with an additional one-year compliance period for operators, businesses should begin evaluating their privacy practices immediately to ensure timely adherence.
Key Considerations for Businesses To Comply With The FTC COPPA Amendment
- Compliance Timeline: The Final Rule becomes effective 60 days after Federal Register publication, with a one-year grace period for full compliance. However, businesses should proactively assess their privacy practices to avoid delays.
- FTC Act Section 5 Authority: Even if certain provisions, such as limitations on push notifications, were excluded from the Final Rule, the FTC retains broad enforcement authority under Section 5 of the FTC Act. Companies must ensure their data practices do not constitute “unfair trade practices.”
- State-Level Developments: Businesses should monitor state-level privacy laws, which increasingly regulate the collection and use of personal data for teenage consumers not covered by COPPA.
Key Changes to the COPPA Rule
The Final Rule introduces several significant updates to enhance children’s privacy protections:
1. Enhanced Consent Requirements for Targeted Advertising
- Operators must obtain separate verifiable parental consent before disclosing children’s data to third-party advertisers, unless the disclosure is necessary for internal operations.
- This creates a two-tiered consent framework, requiring operators to block third-party behavioral advertising by default unless parents explicitly opt in.
2. Strict Data Retention Policies
- Operators are prohibited from retaining children’s personal information longer than necessary to fulfill the purpose for which it was collected.
- A written data retention policy must be established, detailing the business need for retaining data and the timeframe for deletion. This policy must be included in the operator’s online privacy notice.
3. Expanded Definitions
- Personal Information: Now includes government-issued identifiers (beyond Social Security numbers) and biometric identifiers used for automated or semi-automated recognition.
- Directed to Children: The FTC will consider factors such as marketing materials, user reviews, and the age of users on similar platforms to determine if a service is directed to children.
4. New Parental Consent Method: Text Message
- The FTC has introduced a “text plus” method for obtaining verifiable parental consent, similar to the existing “email plus” method.
- However, this method cannot be used to consent to the disclosure of children’s personal information due to higher risks of impersonation.
5. Increased Accountability for Safe Harbor Programs
- FTC-approved Safe Harbor programs (e.g., CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, TRUSTe) must now publicly disclose membership lists and provide additional information to the FTC to enhance transparency and accountability.
Proposals Excluded from the Final Rule
Several proposed amendments were not adopted in the Final Rule, including:
- Push Notifications: Limitations on push notifications and other engagement techniques, such as requiring verifiable parental consent, were excluded.
- Educational Technology: Amendments addressing educational technology with school authorization were omitted to avoid conflicts with the Department of Education’s updates to the Family Educational Rights and Privacy Act (FERPA).
FTC Vote and Commissioner Perspectives
The Final Rule was approved by a unanimous 5-0 vote, with outgoing Chair Lina Khan and Commissioner Andrew Ferguson issuing separate concurring statements. While the vote reflects consensus on the need for updates, the Commissioners expressed differing views on the scope of the changes:
- Commissioner Ferguson criticized the “frantic rush” to finalize the rule, particularly opposing the prohibition on indefinite data retention and the exception for collecting children’s data solely for age verification.
- Chair Lina Khan emphasized the importance of addressing modern privacy risks, particularly in light of technological advancements.
How To Be COPPA Compliant With the New FTC Ruling
While the Final Rule represents a significant step forward in protecting children’s privacy, its long-term implementation remains uncertain. Commissioner Ferguson’s concerns suggest potential revisions under future FTC leadership. Businesses should remain vigilant, ensuring compliance with both the Final Rule and broader FTC Act requirements while staying informed about ongoing regulatory developments.
By proactively addressing these changes, companies can mitigate risks, enhance transparency, and build trust with consumers in an increasingly complex digital environment.