The Federal Trade Commission finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.
The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.
“The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina M. Khan. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”
In January 2024, the FTC proposed changes to the COPPA rule to ensure it keeps pace with changes in the marketplace since the rule was last updated in 2013. The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.
In a notice that will soon be published in the Federal Register, the FTC made several amendments to the rule, including:
- Requiring opt-in consent for targeted advertising and other disclosures to third parties: Website and online service operators covered by COPPA will be required to obtain separate verifiable parental consent to disclose children’s personal information to third-party companies related to targeted advertising or other purposes.
- Limits on data retention: The rule requires covered operators to only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected. This provision explicitly states that operators cannot retain the information indefinitely.
- Increasing Safe Harbor programs’ transparency: The FTC-approved COPPA Safe Harbor programs, which are self-regulatory programs that implement the protections of the COPPA Rule, will be required to publicly disclose their membership lists and report additional information to the FTC as part of efforts to increase accountability and transparency in the programs.
The final rule includes several amended definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers.
After reviewing the nearly 300 comments the agency received on the proposed changes to the COPPA Rule, the Commission decided against adopting some proposed changes, including proposed requirements that were intended to limit the use of push notifications directed to children without parental consent and changes relating to the requirements applicable to educational technology companies operating in a school environment.
While the Commission declined to finalize those particular proposals, the agency notes that it remains concerned about the use of push notifications and other engagement techniques to keep kids online in ways that could harm their mental health.
The Commission vote approving publication in the Federal Register of the final rule was 5-0. Chair Lina Khan and Commissioner Andrew Ferguson issued separate concurring statements. Commissioner Alvaro Bedoya and Commissioner Rebecca Slaughter issued a joint concurring statement. The final rule will become effective 60 days after its publication in the Federal Register. Entities subject to the final rule will have one year from that publication date to come into full compliance with amendments that do not specify earlier compliance dates.
The lead attorneys on this matter are James Trilling and Elizabeth Averill in the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works to promote competition and protect and educate consumers. The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.
Source: FTC