FTC Proposes Strengthening COPPA to Further Limit Companies’ Ability to Monetize Children’s Data
The Federal Trade Commission (FTC) has proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) that would place restrictions on the use and disclosure of children’s personal information and limit the ability of companies to condition access to services on monetizing children’s data. This would be accomplished by actions such as a requirement that targeted advertising be off by default, limiting push notifications, restricting surveillance in schools, and strengthening data security. The FTC’s Press Release stated that the purpose of these proposals are to “shift the burden from parents to providers to ensure that digital services are safe and secure for children.”
The COPPA Rule first went into effect in 2000, when it required certain websites and online services that collect personal information from children under 13 to obtain parental consent before collecting, using, or disclosing that personal information. In 2013, the FTC made changes that reflected the increased use of mobile devices, to protect children’s online activity, as well as photos, videos, and audio recordings. The FTC stated that this most recent proposed change comes at a time when “online tools are essential for navigating daily life.” Implementing such tools will not only allow children to be online without being “endlessly tracked” by companies, but also places the obligation on service providers, rather than allowing such providers to outsource their responsibilities to parents.
In order to achieve those goals, the FTC has stated that the proposed changes will include:
● Requiring separate opt-in for targeted advertising
● Prohibition against conditioning a child’s participation on collection of personal information
● Limits on the support for the internal operations exception
● Limits on nudging kids to stay online
● Changes related to Ed Tech
● Increasing accountability for Safe Harbor programs
● Strengthening data security requirements
● Limits on data retention
Once the proposed changes are published in the Federal Register, the public will have 60 days to submit a comment.