Proposed Rule Shifts Burden of Compliance from Parents to Online Providers
The Federal Trade Commission dared to go where Congress and many state legislatures have failed to go in regulating online safety and privacy for children. The FTC took steps this week to strengthen regulations under a law on the books since 1998.
The Children’s Online Privacy Protection Act (COPPA) restricts online tracking of children by social media apps, video game platforms, toy retailers and digital advertising networks. FTC unveiled this week a 150-page proposal that would shift the burden of online safety from parents to apps and other digital services, while curbing how platforms can use, retain and monetize children’s data.
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” says Lina M. Khan, FTC chair. “By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”
Numerous states have adopted or proposed related child privacy legislation. Most of the measures have been struck down in court or bogged down in legislative committees because of challenges by major online providers.
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data.”
What the New Rule Changes
FTC’s proposed changes would require online services to turn off targeted advertising for children under 13 and prohibit them from using personal details, such as a child’s cellphone number, to induce youngsters to stay on their platforms longer and be bombarded with push notifications. Online services would be subject to strengthened security requirements when collecting children’s data and time limits on retaining that data.
The changes also would limit collection of student data by learning apps and other educational-tech providers by allowing schools to consent to collect children’s personal details only for educational, not commercial purposes.
And, the proposed changes would narrow an existing exception that allows online services to collect and retain data without parental consent for internal operations such as product improvement, consumer personalization and fraud prevention.
FTC’s move to stiffen COPPA regulations comes as complaints have grown about ads aimed at young children without parental consent, as well as the ability of strangers to contact children online and prolonged retention of children’s personal data.
The FTC action also is in response to heightened concern over the effects of online media on the mental health and physical safety of children. The New York Times reported, “Parents, pediatricians and children’s groups warn that social media content recommendation systems have routinely shown inappropriate content promoting self-harm, eating disorders and plastic surgery to young girls. And some school officials worry that social media platforms distract students from their schoolwork in class.”
History of COPPA Rules
The attempt to revise COPPA regulations began in 2019 and has been informed by more than 175,000 comments sent in by industry and advertising trade groups, child safety and consumer advocates and frustrated Members of Congress. The proposed rule change under the act is the first in a decade. The FTC signaled a tougher line in a crackdown to limit Meta’s ability to monetize children’s personal data.
The existing COPPA rule, implemented in 2000, mandates that websites and online services collecting data for children under the age of 13 notify their parents first. The rule also seeks to rein in companies’ use of Children’s data, limiting what they can collect, how long they can store it and how to secure it.
The FTC updated the rule in 2013 to strengthen regulation of children’s use of cell phones and social media. That update broadened the definition of personal information by regulating how companies could use geolocation data, photos, videos and audio recordings, as well as online tracking tools such as cookies.
Digital Tools and Child Surveillance
In a statement, Khan said the proposed rule changes are vital in an era “where firms are deploying increasingly sophisticated digital tools to surveil children.” Some of the proposed changes Khan highlighted are:
- Bars companies from gathering more personal information than is “reasonably necessary” for a child to participate in online games and contests.
- Limits companies’ ability to use kids’ personal information to send them push notifications or otherwise “nudge” them to stay online.
- Prohibits educational technology companies from using kids’ data commercially and requires protections for that data.
- Makes data security rules stronger by requiring that operators implement a “written children’s personal information security program” to protect sensitive data.
- Ensures data is only retained for as long as needed for the task at hand and bars companies from keeping data for secondary purposes.
- Broadens how personal information is defined to include biometric identifiers.
Once notice of the rule change is published in the Federal Register, there will be a 60-day comment period. The FTC website notes, “Remember that we welcome the perspectives of academics, consumer groups, tech experts, etc., but we also want to hear from parents, small businesses and others who deal with COPPA day-to-day in real world settings.”