The Federal Trade Commission proposed new limits for companies collecting data on children younger than 13 and increased standards for retaining that information in an update to its rule protecting kids’ privacy.
Online services would have to meet additional parental consent requirements for targeted advertising to children and limits on how long they can store kids’ data, according to suggested amendments to the FTC’s rule mandated by the Children’s Online Privacy Protection Act.
The potential changes to the agency’s so-called COPPA rule, introduced in a notice of proposed rulemaking released Wednesday, come amid a stalled congressional effort to overhaul the 1988 law and expand its protections to cover teens’ information. If enacted, it would mark the first updates to the FTC rule since 2013. Public comments on the 164-page proposed rulemaking are due 60 days after the notice is published in the Federal Register.
“The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children,” FTC Chair Lina M. Khan said in a statement. “By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”
COPPA requires digital services to obtain parental consent before collecting the personal information of children under age 13 and limits how the data can be used. Regulators notched a record year in enforcing the privacy protections, finalizing settlements with five companies, including
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” Khan said.
Proposed Changes
The agency last sought feedback on its COPPA regulation in 2019, which yielded more than 175,000 public comments. While there was broad support for the 2013 changes, many comments called for updates to the rule that would account for rapid technological developments, according to the notice.
Under the new proposal, businesses would be prohibited from sending kids push notifications designed to boost online engagement without prior consent from a parent, and they also would be required to disclose when they collect personal information to support such digital nudges.
The FTC wants to ban educational technology providers from using students’ data for commercial purposes, which would codify its guidance for industry compliance with COPPA. Ed tech providers would be limited to only collecting information for “school-authorized” educational purposes under the amended rule.
Safe Harbor programs—which allow companies to self-certify their compliance with children’s privacy protections—would also see a transparency-oriented revamp. The six organizations with approved self-regulatory guidelines would have to publish a list of participating members and disclose more information to regulators about their technological assessments of compliance.
Other proposed changes would clarify the language of certain definitions, mandate new disclosures, and prescribe the creation of a security program and a data retention policy designed specifically to address the sensitivity of kids’ data.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.