Online privacy and safety of children and teens are hot legislative topics this year. In a companion post we provide an update of federal and state legislative efforts to fundamentally change how online content and advertising are delivered to children and teens. We have previously discussed legislation in California and Connecticut to require assessments of online privacy impacts on minors. In this post we focus on proposed regulatory and legislative changes to the 1998 Children’s Online Privacy Protection Act (COPPA) (effective in 2000) and its corresponding regulations (COPPA Rule), which were last updated in 2013.
The COPPA Rule is the result of Congress’ delegation of rule-making authority to the Federal Trade Commission (FTC). In a January 11 notice of proposed rulemaking, the FTC proposed revisions to the COPPA Rule (Proposed Rule), subject to a 60-day public comment period, i.e., through March 11, 2024. Based on 2013 and current rule makings, a large number of comments are expected. (More than 175,000 comments were filed with the FTC in response to a process started in 2019.) Multiple rounds of amendments to the Proposed Rule are possible.
Congress has considered COPPA updates several times in recent years, but such legislation stalled. A recently amended version of a bill entitled the “Children and Teens’ Online Privacy Protection Act” or “COPPA 2.0” currently has bipartisan support. The most material change proposed in COPPA 2.0 is to bring in teens age 13 to age 17. COPPA is currently restricted to coverage of children under 13.
In addition, the Senate recently amended the proposed Kids Online Safety Act (KOSA) bill, now supported by 62 co-sponsors. KOSA, as amended, is explained in a companion post. In short, it looks at youth (under age 17) online safety beyond COPPA, and further proposes to require transparency and choice obligations for the use of “opaque algorithms” (i.e., algorithms that determine content shown based on user-specific data not provided by the user) for user content community services regardless of the age of the data subject. While COPPA 2.0 and KOSA requirements overlap in some spots (noted below), KOSA goes well beyond privacy to address other online safety concerns and mitigation of them. Also discussed in the companion post are radical proposals by California known as the Children’s Data Privacy Act (CDPA) and the Social Media Youth Addiction Law, which would in some ways be far more burdensome for publishers than any of the current federal proposals, but in other ways less burdensome. For instance, COPPA 2.0’s definition of targeted advertising to children and teens is broader than under California proposals, and its restriction more burdensome than under KOSA, but the CDPA’s obligations on general audience sites regarding targeted advertising to children are more impactful than under COPPA 2.0 or KOSA.
Because the FTC’s COPPA rule making is constrained by the parameters of the COPPA Act, the FTC’s proposed changes are less robust than those of COPPA 2.0. If the proposed regulations were to pass as published for comment, the following material changes would apply:
- Changes in Technology
  - Limitations on mobile app push notifications that may encourage use (i.e., an exclusion from the “support for the internal operations” exception would not apply and thus the requirements for direct notice and verified parental consent (VPC) would apply).
  - Biometric identifiers would be added to the definition of personal information. The FTC is seeking comment about whether an avatar generated from a child’s image should be deemed personal information, and if so under what circumstances.
  - Increased obligations on audio files, including notice and purpose limitation to qualify for the limited VPC exception.
  - Knowledge-based and facial recognition forms of VPC would be specifically enumerated as acceptable.
- Parental Control
  - Operators would need a stand-alone VPC to opt-in to targeted/behavioral advertising to children. VPC for targeted advertising could not be bundled with consent for other use cases. In addition, a two-layer VPC would be required for disclosures to third parties and/or use of personal information for purposes of maximizing user activity.
  - Although the COPPA Rule already prohibits conditioning an activity on VPC beyond what is necessary to engage in the activity, the Proposed Rule strengthens this prohibition by narrowing the scope of “activity.”
  - Processing personal information, including via machine learning, to encourage or prompt use of the services is not a permitted internal purpose and would require VPC.
  - The exception to VPC for use of persistent identifiers for “internal operations” would be revised to require notice of the specific internal operations, and to clarify that internal operations cannot include processing related to targeted/behavioral advertising.
  - The ability of schools to consent to uses of personal information would be conditioned on related edtech vendors contractually committing to limit use to those educational (and no commercial) purposes. Schools would need to provide online notice to parents. Schools would also be given parental review and deletion rights to help monitor and police operators.
- Additional Protections
  - Operators would be prohibited from using online contact information and persistent identifiers to encourage more use of the service. Any use of other types of personal information to encourage service use must be disclosed in direct notices and the online child privacy notice. (Similarly, one of the key elements of KOSA is requiring covered online platforms to use due care to avoid design features that encourage compulsive use or other addicting behaviors.)
  - COPPA provides for approved organizations to review an operator’s COPPA compliance and provides a safe harbor for operators that have been found by such a review to be compliant. The Proposed Rule calls for greater transparency in that process, including publication of certified operators.
  - “Mixed Audience” services, which can rely on age gating and self-reported age in determining if COPPA applies, would be defined as a service “that meets the criteria of the Rule’s multi-factor test (for being child directed / attractive) but does not target children as the primary audience.”
- Security and Retention
  - The current security requirements would be expanded by requiring an operator to establish, implement and maintain a written children’s personal information security program apart from and in addition to its overall security program.
  - Limits on personal information retention would be revised to ensure that retention is limited to what is necessary to complete the collection purpose and that secondary uses are prohibited. In addition, operators would need to publish a public, written retention policy and schedule.
Were the Proposed Rule to become final, and COPPA 2.0 to also pass, these new obligations and restrictions would seem to apply also to teens, except as otherwise provided in COPPA 2.0 (e.g., teens can exercise their own consents), though different standards could be applied to teens through further FTC rule making.
Beyond the changes in the Proposed Rule, many of which are also in COPPA 2.0, were COPPA 2.0 to pass, Congress would expand COPPA’s reach as follows:
- Age
  - Would add coverage of “teens” defined as over the age of 12 and under the age of 17. (The same as the definition of minors under KOSA, but this is different from the “at least 13 but less than 16 years of age” approach taken by some state privacy laws.)
  - However, teens would have the ability to manage their own consents rather than needing VPC and would be empowered to exercise their own privacy rights (e.g., right to know, delete, copy and correct, as well as COPPA-mandated consent). (KOSA has similar requirements, except KOSA also offers certain parental monitoring and controls not applied to teens under COPPA 2.0.)
  - Teen consents would need to meet verification standards similar to those required of parents for children. (In KOSA the FTC, NIST and FCC are tasked with studying technologically feasible methods and options for device level and OS-level age verification, which may or may not diverge from COPPA standards.)
  - Under COPPA, general audience services are only subject to COPPA if they have actual knowledge of a user’s age, and have no obligation to check. This actual knowledge standard would be revised to include “knowledge fairly implied on the basis of objective circumstances.” (Under KOSA, which proposes the same standard, the FTC would be tasked to issue guidance on best practices and examples as to what is knowledge fairly implied.) While this somewhat expands operator obligations, it is consistent with prior FTC enforcement positions. Compare this approach to California proposals discussed in the companion post that would, unless altered before passage, effectively require general audience sites to verify age before serving targeted advertising or addictive features to children or teens.
- Personal Information
  - The definition would be further fleshed out and include “information generated from the measurement or technical processing of an individual’s biological, physical or physiological characteristics that is used to identify an individual…”, which is similar to the biometric identifiers addition to the Proposed Rule.
  - The COPPA Rule’s exception for certain audio file use would be codified.
  - The definition of geolocation would become “information sufficient to identify a street name and name of a city or town.” (The KOSA definition defines geolocation as city and street name when applied to minors; for the sections related to opaque algorithms, “approximate geolocation” is within 5 miles.)
- Advertising
  - The restrictions on targeted/behavioral advertising, including excluding such from internal operations purposes that do not require VPC, would be expanded to include “individual-specific advertising to children or teens,” which means:
    - “Advertising or any other effort to market a product or service that is directed to a specific child or teen or a connected device that is linked or linkable to a child or teen based on –
      - Personal information from the data subject, or a group of similar children or teens; or
      - Profiling the data subject or a group of children or teens; or
      - A unique identifier of a connected device.
    - But excluding –
      - Ads based on search query;
      - Contextual advertising where the ad does not vary based on the personal info of the viewer;
      - Measurement and frequency capping; and
      - An age-appropriate ad based only on knowledge that the viewer is under age 17 and no other personal information.
KOSA applies the same term and definition to its regulation of targeted advertising, but so far is, at least explicitly, limited to transparency requirements. This definition is broader than that of targeted advertising or cross-context behavioral advertising already regulated under many state consumer privacy laws. As noted above, these restrictions and obligations will not apply to general audience services that do not have knowledge, fairly implied, that a user is a child or teen. Unfortunately, the same cannot be said of the proposal under California’s CDPA.
- International Transfers
  - Personal information would not be transferable outside of the U.S. without direct notice to the parent of the child, or to the teen in the case of teens.
- Universal Consent Mechanism
  - The FTC would be empowered to set regulatory standards for a common verifiable consent mechanism to be used by multiple operators, and must report to Congress on that within one year from the effective date.
So, COPPA 2.0 would codify much of what the FTC seeks to accomplish in its Proposed Rule, would apply its requirements to teens older than age 12 and younger than age 17 (though with the ability to act on their own and without VPC), and would be somewhat more restrictive on advertising, communications and internal operations practices than COPPA is currently.
Between the proposed revisions to COPPA and the COPPA Rule, and potential new child and teen online safety provisions in various state and federal legislative proposals more fully explained here, online services may soon have a much higher duty to protect the privacy and safety of children and teens. Some of these legislative efforts are or will likely be subject to Constitutional challenge. For those that become effective, they will need to be read together in order for operators to comply with their new obligations. For more information, contact the authors.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.