What is the context behind the COPPA Rule and the proposed changes?
On December 20th 2023, the Federal Trade Commission (‘FTC’) outlined a number of changes which they are proposing in order to make online services safer for children.
The Children’s Online Privacy Protection Rule (‘COPPA Rule’) implements the Children’s Online Privacy Protection Act 1998 (‘COPPA’) which imposes requirements on operators of websites and online services that are collecting personal information.[1] The COPPA Rule targets unfair or deceptive practices related to the use of personal information of children online.[2] In the past, the FTC has found that Musical.ly was in breach of COPPA requirements when they collected personal information of children before seeking parental consent.[3]
Previously, the FTC amended the COPPA Rule in 2013 where the definition of personal information was updated to include geolocation information and cookies tracking users’ online activities. [4] According to FTC Chair Lina M Khan, the latest proposals, which are currently open for public consultation, aim to tackle the “increasingly sophisticated digital tools to surveil children” and to prevent firms from “outsourcing their responsibilities to parents”. [5]
How does the COPPA Rule function?
Under the COPPA, obligations are placed on websites which are ‘directed’ towards children. A child is considered to be anyone under the age of 13, for whom consent for collecting personally identifiable information must be granted by a parent.[6]
‘Personal information’ under the COPPA includes an individual’s full name, contact details, social security number, physical address, online username, ‘persistent identifiers’ such as IP addresses, or any photographs, videos or audio recordings of a child.[7] Where the United Kingdom General Data Protection Regulation (‘UK GDPR’) takes a broad approach, [8] the COPPA provides an explicit list of characteristics which constitute personal data. Although this list is not exhaustive and still allows for some flexibility to include other ‘individually identifiable information’, it gives an indication of the main personal data fields that are covered by the regulation.
Proposed changes to consent required for disclosing information
Currently, website operators are required to have taken ‘reasonable care’ to obtain parental consent for collecting, using and disclosing the personally identifiable information of children. ‘Reasonable care’ refers to methods such as providing a consent form which parents must sign and return to the website operator (physically or electronically), allowing parents to call a specific phone number, or providing verification through government issued identification documents.[9]
The new changes would expand on the current requirements by stating that website operators must obtain ‘separate verifiable parental consent’ for disclosing the child’s personal information to a third party,[10] thus they would not be able to share data until collecting specific parental consent to do so using one of the methods outlined above. The only exception is where the information is ‘integral’ to ‘supporting the internal operations’ of the website.[11]
Additionally, website operators will not be permitted to make a child’s ability to access the website dependent on providing consent for disclosing their personal information to third parties.[12] They will not be permitted either to require that a child consent to disclosure of their data in order to participate in an ‘activity’ on the website,[13] though the FTC are yet to define what constitutes an ‘activity’ for the purposes of this provision.[14]
More transparency on ‘internal operations exceptions’
Currently, operators are not required to collect consent when using ‘persistent identifiers’, such as an individual’s IP address, for the purposes of supporting ‘internal operations’ of the site.[15] If the new changes are implemented, operators who are relying on this exception would need to issue an online notice that outlines what the specific internal operations are and explain how they will protect against such identifiers being used to contact individuals or for targeted advertising.[16]
Expansion of definitions
The COPPA currently places obligations on websites which are ‘directed’ towards children through aspects such as the subject matter of the site, its visual features, as well as where the operator has actual knowledge that they use personal information which is collected from a site directed towards children.[17] The FTC proposes to expand this list of features to include marketing materials, representations operators make to consumers or third parties, reviews left by users or third parties, and also comparisons with the age of those using similar websites or services.[18]
Additionally, biometric identifiers such as fingerprints, genetic data, retina and iris patterns, and data extracted from voice, gait or facial data will be included under the definition of ‘personal information’ under the new changes.[19]
Restrictions on ‘nudging’
The new changes would prevent operators from being able to use personal information that was collected under the ‘internal operations exception’ to send push notifications to children to ‘encourage’ them to use the online service. [20] Typically, such notifications provide ‘nudges’ which aim to elicit further engagement on a platform. Service providers who have used personal information for the purposes of ‘nudging’ children to use their online service are required to highlight this in the online notice which they must provide under the new changes.[21]
Evaluation of the proposed changes
Bringing the COPPA Rule in line with the development of new technologies, notably through the inclusion of biometrics in the definition of personal information, is one of the key elements of this proposal. This review is required for an instrument such as the COPPA due to the narrower approach taken in defining ‘personal information’ by listing specific characteristics.
If implemented, the new changes would also increase the transparency of the use of personal information by operators. A mandatory notice on how personal identifiers are used regardless of consent would give children and parents more visibility on what activities operators are conducting under the umbrella of ‘internal operations’.
Overall, the proposed changes appear to increase the level of control given to parents over the use of the personal information of their children. By requiring a separate parental consent for disclosure to third parties, the proposed changes ensure that ‘blanket consent’ cannot be relied on for sharing children’s data with other organisations and that parents are given the choice to opt-out of activities such as targeted advertising.
Additionally, preventing operators from being able to require consent to access the website or participate in activities is crucial to address users’ ‘autonomy trap’, where they are often given no choice but to accept terms and conditions which offer a lower level of privacy, to use a website due to the lack of alternatives.[22]
However, it is still relatively burdensome upon parents to provide consent in comparison to the threshold required by other privacy instruments. For example, the Information Commissioner’s Office (‘ICO’) has provided guidance explaining that the ‘reasonable efforts’ needed to verify parental consent under the UK GDPR will depend on the level of risk posed by the online service.[23] This allows for greater flexibility as the ICO has confirmed that ‘low risk’ websites can use a ‘tick box’ to confirm that a user is above 13, while other websites, such as ones allowing children to directly communicate with each other, will require a more robust verification of parents’ consent.[24]
Do the new changes go far enough?
It could be argued that the FTC also had the opportunity to go further with the suggested changes. For instance, the changes could have addressed the demographic of children aged 13 and over who are currently not covered by the COPPA Rule. Given that 97% of teenagers claim to use the internet on a daily basis, [25] the FTC could have potentially considered whether certain provisions, unrelated to parental consent, should also apply to teenagers who are under 18 and would benefit from protections against targeted advertisement and ‘nudging’ as proposed under the new changes.
The California Age-Appropriate Design Code Act, which includes provisions that would have applied to users under 18, was blocked by a district court who granted a preliminary injunction on free speech grounds, though the California Attorney General is trying to appeal the injunction.[26]
It also appears as though the FTC was conscious about the need to keep Congress’s decisions in mind as they looked into changing the threshold of knowledge required by a website operator from ‘actual knowledge’ to ‘constructive knowledge’. They declined to do so after considering the legislative history of Congress which had already rejected a constructive knowledge standard.[27]
The COPPA Rule’s changes have been proposed in a time where the Senate floor has yet to vote through the Children and Teen’s Online Privacy Protection Act and the controversial Kids Online Safety Act, which are poised to make larger changes to the legislative protections given to children’s privacy if they are pushed through.[28]
The challenge in passing such regulations reflects the privacy landscape within the US, which has historically considered privacy as one of many interests to be balanced against, rather than a fundamental right.[29] In this context, the FTC’s proposed rule changes to the COPPA are a welcome, but limited, step forward towards strengthening privacy protections for children online.
[1] Section 312.1 COPPA, https://www.ecfr.gov/current/title-16/section-312.1
[2] Section 312.1 COPPA, https://www.ecfr.gov/current/title-16/section-312.1
[3] https://iapp.org/news/a/ftc-issues-its-largest-ever-coppa-fine/
[4] https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens
[5] https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens
[6] Section 312.2 COPPA, https://www.ecfr.gov/current/title-16/section-312.2
[7] Section 312.2 COPPA, https://www.ecfr.gov/current/title-16/section-312.2
[8] Article 4(1) UK GDPR
[9] Section 312.5 (2) COPPA, https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312/section-312.5
[10] Page 57, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[11] Page 57, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[12] Page 64, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[13] https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens
[14] https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens
[15] Section 312.5 COPPA, https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312/section-312.5
[16] Page 59, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[17] Section 312.2 COPPA, https://www.ecfr.gov/current/title-16/section-312.2
[18] Page 49, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[19] Page 29, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[20] Page 58, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[21] Page 58, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[22] Kim (2019) “Younger generations are infected by continuous socialisation to accept diminished privacy”, https://www.repository.law.indiana.edu/cgi/viewcontent.cgi?article=1705&context=ijgls
[23] Page 26, https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr-1-0.pdf
[24] Page 26, https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr-1-0.pdf
[25] https://www.pewresearch.org/internet/2022/08/10/teens-social-media-and-technology-2022/#:~:text=Today%2C%2097%25%20of%20teens%20say,15%20who%20said%20the%20same.
[26] https://oag.ca.gov/news/press-releases/attorney-general-bonta-continues-defense-california%E2%80%99s-age-appropriate-design
[27] Page 14, https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf
[28] https://iapp.org/news/a/ftc-seeks-to-bridge-gaps-with-proposed-coppa-rulemaking/
[29] Page 880, Schwartz and Solove, “Reconciling Personal Information in the United States and European Union” https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2271442#:~:text=At%20the%20foundational%20level%2C%20they,that%20can%20trump%20other%20interests.
