Listen to this post

Keypoint: The FTC finalizes changes to bolster COPPA Rule, the first updates to the Rule since 2013.

The Federal Trade Commission (“FTC”) finalized changes to the Children’s Online Privacy Protection Act (“COPPA”) Rule today, making the first updates to the Rule since 2013. In January 2024, the FTC proposed changes to the COPPA Rule and those changes went through a year-long rulemaking process. The changes set new requirements around the collection, use, and disclosure of children’s personal information and provide parents with new tools and protections.

In the below post, we provide background on the COPPA Rule and a summary of the finalized changes, which will go into effect 60 days after publication in the Federal Register and require compliance one year from publication.

Background

The COPPA Rule first went into effect in 2000, targeting operators of websites and online services directed to children under 13 or operators with actual knowledge of the collection of personal information from children under 13. The COPPA Rule requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. In addition to other requirements, the COPPA Rule provides parents with rights regarding their children’s personal information, including the right to access, delete, and restrict processing. 

Separate Parental Consent for Disclosure

The amendments to the Rule require operators to obtain separate verifiable parental consent to disclose children’s personal information to any third parties. The Rule currently states that an operator must obtain verifiable parental consent before collecting, using, or disclosing a child’s personal information. The amendment makes consent for the disclosure piece separate from the collection and use of a child’s personal information. In its proposed changes, the Commission found it appropriate to provide parents with greater control over the disclosure of their children’s personal information, especially due to the prevalence of the disclosure of persistent identifiers (i.e., cookies) for targeted advertising.

Data Retention

The Rule amends the data retention requirements to specifically require operators to have a business need for retaining a child’s personal information and requires operators to only retain such information for as long as it is necessary for the specific purpose for which it was collected. The amendments specifically prohibit operators from retaining personal information indefinitely. The amendments to the Rule also require operators to maintain a data retention policy that addresses personal information collected from children. Although the Commission clarified that operators do not need a separate children’s data retention policy, an operator’s data retention policy must specifically address the retention of children’s personal information.

Safe Harbor

The COPPA Rule provides industry groups with the option to submit to the FTC self-regulatory guidelines that implement the protections under the COPPA Rule. Upon approval from the FTC, the group is deemed to be in compliance with COPPA and a member of the Safe Harbor program. The amendment provides that the FTC shall review the operator’s privacy and security policies, practices, and representations. The FTC is adding clarity that its review is not limited to just privacy practices but extends to a security review as well. In addition, the amendments will require Safe Harbor programs to publicly disclose and provide to the FTC a list of all operators under the Safe Harbor program.

Definitions

The amendments to the COPPA Rule include a new separate definition for “mixed audience website or online service.” The definition provides that a mixed audience website or online service meets the criteria of the Rule’s multi-factor test but does not target children as the primary audience. In addition, the amendments also expand the definitions of “online contact information” and “personal information.” Personal information now includes biometric data and government issued-identifiers, both definitions including examples.

Compliance

The final rule will go into effect 60 days after publication in the Federal Register and entities subject to the Rule will have 1 year from the publication date to comply. Since it has been over a decade since the last updates to the Rule, entities subject to COPPA should take this year to re-evaluate their practices under COPPA and to take the necessary steps to comply with these new amendments.