FTC proposes revisions to the COPPA aiming to enhance child safety online
FTC proposes COPPA revisions for children’s online privacy, requiring parental consent for data sharing, limiting exceptions, restricting push notifications, enforcing data retention rules, and mandating security programs, among others.
Following the technological developments, the Federal Trade Commission (FTC) has proposed revisions to the 2000 Children’s Online Privacy Protection Act (COPPA), aiming to provide greater safeguards for children’s personal data. Namely, the FTC has proposed in a 168-page document that, among other things:
- COPPA-covered companies should require consent from parents before sharing their children’s information with third parties, especially third-party advertisers.
- Restrict the exception allowing the collection of persistent identifiers for internal operations without parental consent. If companies claim this exception, the FTC requires them to provide an online notice detailing the operations for which identifiers are collected, ensuring they won’t be used for contacting individuals or targeted advertising.
- Restricts companies from using COPPA exceptions to send push notifications urging kids to stay online. Operators using kids’ data for such notifications must explicitly disclose and obtain parental consent, ensuring parents are aware of and approve of using nudges in their COPPA-required notices.
- Operators can only retain kids’ personal information for the necessary purpose for which it was collected. Holding data indefinitely or for secondary purposes is prohibited. The FTC also mandates operators to publicly share their data retention policy.
- Operators to establish and implement a written children’s personal information security program. This program should include safeguards suitable for sensitive information collected from kids.
Why does it matter?
Ever since 2019, there have been hundreds of millions of fines against big tech companies, including YouTube and Tiktok, for mishandling data of children ages 13 and under. This has resulted in the proposal of various bills focusing on age verification and end-to-end encryption limitations, such as the Protecting Kids on Social Media Act and the EARN IT Act. Essentially, these bills are seen to rather focus on user behavior, thus raising privacy concerns. As the Verge reported, FTC’s proposal does not focus on that but rather centers on data collection, specifically for users aged 13 and under, possibly making them less extreme and more effective. The proposed regulations will undergo finalization only after receiving public feedback. The FTC plans to gather comments from the public for 60 days after announcing the proposal in the Federal Register before making any conclusive decisions.