COPPA

Customer loyalty program concept in e-commerce for customer engagement. Man holding phone displaying earning points after purchasing online.

Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.

The Rules Vary by Program. Privacy Obligations Do Not.

Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:

  • A retailer runs a points-based loyalty program which collects purchase history and behavioral data.
  • A company with a household brand name runs a sweepstakes and collects contact information for prize fulfillment.
  • A manufacturer offers mail-in rebates and collects names, addresses, and receipts to provide the rebates.
  • A mobile app runs a referral campaign and collects device identifiers and app usage data.
  • A sports betting app runs an advertising campaign to attract participants and inadvertently collects personal information from middle school kids who like sports.

All these instances trigger compliance obligations—even if the activities feel informal or low-risk.

Keypoint: The FTC finalizes changes to bolster COPPA Rule, the first updates to the Rule since 2013.

The Federal Trade Commission (“FTC”) finalized changes to the Children’s Online Privacy Protection Act (“COPPA”) Rule today, making the first updates to the Rule since 2013. In January 2024, the FTC proposed changes to the COPPA Rule and those changes went through a year-long rulemaking process. The changes set new requirements around the collection, use, and disclosure of children’s personal information and provide parents with new tools and protections.

In the below post, we provide background on the COPPA Rule and a summary of the finalized changes, which will go into effect 60 days after publication in the Federal Register and require compliance one year from publication.

Keypoint: 2024 will again see numerous developments in children’s privacy law.

As the 2024 state legislative season begins, it’s clear that lawmakers are again focused on children’s privacy. For the past few years, lawmakers have introduced different children’s privacy models, on both the federal and state level. However, regulating this specific area of law has its own set of challenges. We are releasing our 2024 State Children’s Privacy Law Tracker, which identifies enacted legislation and states considering legislation. Bookmark the page and use it as a resource.

For an update on children’s state privacy law, see below where we outline recent developments, children’s privacy laws that go into effect in 2024, and proposed laws this legislative session.

Elementary School Science Class: Little Girl Use Laptop with Gre

Keypoint: Last week, the FTC signaled an increased focus on COPPA enforcement, targeting education technology companies while California and federal lawmakers consider enacting new laws to regulate the processing of children’s data.

Over the past few months there has been a growing bipartisan consensus among lawmakers and regulators of the need for increased regulation around the processing of children’s data. In a sign of the significance of the issue, President Biden specifically addressed children’s data privacy in his State of the Union Address. As discussed below, recent actions by the Federal Trade Commission (the “Commission”) and lawmakers signal that companies processing children’s data should expect to see increased scrutiny.

Keypoint: Advertising platform settles with the FTC over allegations that it collected location data without consent and collected information from child-directed apps without notice or parental consent in violation of the FTC Act and COPPA.

Online advertising exchange platform, OpenX Technologies, Inc., has been ordered to pay $2 million of a $7.5 million judgment to settle Federal Trade Commission allegations that it misrepresented its data collection, use, and disclosure practices as it concerns personal information collected from children and location information collected from consumers who had not granted or had denied requisite location permissions.

Keypoint: Bill would expand COPPA to protect 13 to 15 year olds.

On May 11, Senators Edward J. Markey (D-Mass) and Bill Cassidy (R-La) introduced the Children and Teens’ Online Privacy Protection Act. The legislation seeks to amend the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6505, to “strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors.”

Keypoint: Bill would add right to deletion to COPPA.

Senators introduced the “Clean Slate for Kids Online Act of 2021” in the United States Senate last week. The bill seeks to amend the Children’s Online Privacy Protection Act (“COPPA”).

The bill provides individuals with the right to delete personal information the operator collected from the individual as a child. The right to delete applies even in instances where parental consent was provided for the collection of the personal information.