August 1, 2019 - Privacy + Data Security

Back to School Early: FTC Seeks Comments to COPPA Rule Ahead of Schedule

Advancements in technology appear to have spurred the Federal Trade Commission to initiate a review of its rule promulgated pursuant to the Children’s Online Privacy Protection Act (the “COPPA Rule” or “Rule”) four years ahead of schedule. Last week, the FTC published a Federal Register notice seeking comments on the Rule. Although the FTC typically reviews a rule only once every 10 years and the last COPPA Rule review ended in 2013, the Commission unanimously voted 5-0 to seek comments ahead of its next scheduled review. The Commission cited the education technology sector, voice-enabled connected devices, and general audience platforms hosting third-party, child-directed content as developments warranting reexamination of the Rule at this time.

Background

The COPPA Rule, which first went into effect in 2000, generally requires operators of online services to obtain verifiable parental consent before collecting personal information from children under the age of 13.  In 2013, the FTC amended the COPPA Rule to address changes in the way children use and access the internet, including through the increased use of mobile devices and social networking.  Its amendments included the expansion of the definition of “personal information” to include persistent identifiers that track online activity, geolocation information, photos, videos, and audio recordings. The new review could result in similarly significant amendments.

Questions for Public Comment

In addition to standard questions about the effectiveness of the COPPA Rule and whether it should be retained, eliminated, or modified, the FTC is seeking comment on all major provisions of the Rule, including its definitions, notice and parental consent requirements, exceptions, and security requirements. 

The Federal Register notice poses 29 wide-ranging questions for public comment, including:

  • Should general audience platforms that have large numbers of child users be subject to the COPPA Rule?  In other words, should the COPPA Rule be amended to address online services that do not meet the current definition of “web site or online service directed to children” but that have large numbers of child users? 
  • Should the COPPA Rule be modified to encourage general audience platforms to identify and police child-directed content uploaded by third parties? For example, should such platforms be able to rebut the presumption that all users interacting with child-directed content are children, thereby allowing them to collect personal information from users who are 13 or older?
  • Should the COPPA Rule expressly address behavioral targeting, profiling, and advertising? Information processing to support the internal operations of an online service is exempt from the Rule’s parental consent obligation. Should “support for internal operations” be modified to (1) expressly exclude practices such as behavioral targeting and profiling or (2) add certain permitted activities, such as advertising attribution?
  • Should the definition of “personal information” be expanded? Presumably to keep pace with the rise of “big data” and the collection of biometric information, the Commission asks whether the definition should be expanded to include personal information that is inferred about, but not directly collected from, children and biometric information (e.g., fingerprints, retinal patterns).
  • Should the COPPA Rule be more specific about the appropriate methods for determining the age of users? In other words, would additional guidance regarding age screening result in stronger protections for children’s privacy?
  • Should methods of obtaining verifiable parental consent be added to or removed from the Rule? 
  • Should there be additional exceptions to prior parental consent? The FTC is particularly interested in comments on exceptions for (1) the use of education technology, where the school provides consent for the collection of personal information from children, and (2) the collection of audio files containing a child’s voice as a replacement for text, where the audio files are promptly deleted.
  • Should the Rule include more specific information security requirements, such as requiring encryption of certain personal information?
  • What are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, or other similar interactive media?

The FTC’s questions evince awareness of technological developments since the FTC’s last review in 2013 and reflect a concern for how to apply COPPA protections when children under 13 are increasingly agile with technology and may visit websites and online services that are targeted to a general audience. The questions further evidence the Commission’s exploration of how to employ modern technological capabilities in COPPA compliance, including through up‑to-date solutions for age screening and information security. Ultimately, the FTC’s notice shows the FTC’s continued commitment to children’s privacy matters, suggesting more frequent review of the COPPA Rule if necessary to keep pace with technological advances and potentially increased activity in this sphere.

How to Submit a Comment

Comments can be submitted on or before October 23, 2019. Comments may be submitted online at https://www.regulations.gov or sent by mail to the address listed in the Federal Register notice.

The FTC will hold a public workshop on October 7, 2019, to examine the COPPA Rule.

The FTC’s press release announcing the request for public comment is available here.