Privacy Law

COPPA Notice of Proposed Rulemaking

By Kate Aishton

The FTC’s proposed updates for the Children’s Online Privacy Protection Act hit the Federal Register on January 11, starting the clock on its 60-day comment period. The Notice of Proposed Rulemaking for COPPA does not impact the underlying law but provides updated implementation and enforcement guidance while COPPA 2.0 and the Kids Online Safety Act, two legislative efforts for updating the now 25-year-old law, remain blocked in Congress.

Several changes promise big impacts for companies sharing children’s data and the third parties they share with. Sharing with third parties would require separate parental consent from collection and use of children’s data and disclosure of the categories and purposes of those third parties. Particularly since persistent identifiers remain in COPPA’s definition of personal information, this change would have massive implications for targeted advertising. Third parties with actual knowledge that they’ve obtained data from children would also be considered “directed to children” and themselves subject to obligations under the changes. 

Further impacting when companies may need to get parental consent, the proposed rules update “internal operations” to exclude encouraging (or “nudging”) kids to use or continue using an app or website (e.g. via push notification). Nudging would then fall outside that exception to parental consent and enhanced notice requirements. At least one former FTC advisor has questioned whether these limits on nudging fall outside COPPA’s core purview of protecting children’s privacy, an inclusion the FTC vigorously defends.

Some changes update COPPA for a much-changed technology landscape, such as explicitly including biometric data in the definition of “personal information”, including text messages and facial recognition as methods of providing parents notice and obtaining their consent, and specifying data security requirements. Clarification and narrowing of schools’ ability to consent to collection, use, and sharing of their students’ personal information will particularly impact edtech companies.

The NPRM requests additional input on some big questions likely to impact many companies, including: the possibility of creating platform-based parental consent mechanisms; whether avatars and usernames should be considered “personal information”; and whether some types of personalization and contextual advertising should be excluded from the “internal operations” exception.

Some keystone elements of COPPA remain unchanged despite heavy debate. The definition of “personal information” still excludes inferred or proxy data (for instance, qualities of an individual predicted by the actions they take on a site). Likewise, companies will still be held to an “actual knowledge” standard rather than a “constructive knowledge” standard for knowing their data comes from a child. Updates to those rules will likely require action by Congress. 

