On December 20, 2023, the Federal Trade Commission ("FTC") issued a Notice of Proposed Rulemaking ("NPRM") that would make significant changes to the Children's Online Privacy Protection Rule ("COPPA Rule"), which implements the Children's Online Privacy Protection Act of 1998 ("COPPA"). The proposed rule would make a number of changes intended to expand the COPPA Rule, in order to address perceived shortcomings in how information about children under the age of 13 is collected, used, and shared by websites and online service operators. The FTC's last major change to the COPPA Rule occurred in 2013.

Opt-In for Disclosure of Personal Information and Targeted Advertising

First, the NPRM adds to the COPPA Rule's existing verifiable parental consent requirements, requiring additional consent for the disclosure of a child's personal information and for targeted advertising to children. Under the current COPPA Rule, websites or online service operators must "obtain verifiable parental consent before any collection, use, or disclosure of personal information from children."1 Operators must obtain such consent using a method that is "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."2 The proposed rule adds to this requirement by specifying that an operator is required to "obtain separate verifiable parental consent"3 from a parent for the disclosure of a child's personal information, unless such disclosure is integral to the nature of the website or online service.

As such, the proposed rule would require separate opt-in consent from parents for the disclosure of personal information to third parties, including advertisers. Targeted advertising to children would also be prohibited by default, and could only occur if a parent opts in. Additionally, operators would be prohibited from restricting access to a website or online service based on a parent granting such consent.

Push Notifications

Second, the current COPPA Rule provides an exception to the parental consent requirement in situations where "the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and where such information is not used for any other purpose, disclosed, or combined with any other information collected from the child."4 However, the FTC has expressed concern that operators would utilize this exception to repeatedly nudge children to use a service, including through push notifications. The proposed rule addresses this concern by clarifying that "an operator may not utilize this exception to encourage or prompt use of a website or online service."5 In its press release on the proposed rule, the FTC noted that this change is intended to deter push notifications to children designed to encourage them to use, or continue to use, a service.

School Authorization

Third, the proposed rule addresses the "school authorization exception." Previous FTC guidance has indicated that schools may authorize operators (in practice, such providers are usually ed tech providers) to collect the personal information of children in certain circumstances. In other words, this guidance has permitted schools to effectively act as intermediaries between parents and operators, and operators which are authorized by schools to collect personal information may presume that such schools have obtained consent from parents.

The NPRM would codify this guidance, stating that schools, state educational agencies, and local educational agencies may authorize the collection of personal information from students younger than 13, in circumstances in which the data is used for a school-authorized education purpose and no other commercial purpose. Under these requirements, student data could be used for product improvement and development, but not for general marketing purposes.

Additionally, the codification of this exception would require a written agreement between an ed tech provider and a school specifying, among other measures, which school individuals have authority to provide consent, limitations on the use of student data, and an operator's data retention policy. Finally, operators would be required to provide schools with the same rights regarding data as are provided to parents—such as the right to review personal information that is collected, to refuse to permit operators' further use or future online collection, and to direct deletion of such information.

Data Security Requirements

Finally, the proposed rule adds to the COPPA Rule's data security requirements. In particular, the proposed rule requires that operators "establish, implement, and maintain a written children's personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children and the operator's size, complexity, and nature and scope of activities."6 In order to implement such a program, operators would be required to designate an employee to coordinate the program, perform at least annual assessments to identify risks and modify the program accordingly, and obtain written assurances from third parties that they will employ measures to maintain data confidentiality, security, and integrity.

Additionally, operators would be required to retain personal information for only as long as reasonably necessary to fulfill the specific purpose for which such information was collected, and not for a secondary purpose. To ensure this, operators would be required to establish and maintain written data retention policies.

Conclusion

The FTC's NPRM would add substantial requirements to the COPPA Rule, and comes just as a bill to update COPPA has been introduced in the US Senate and reported favorably by the Senate Commerce Committee. The FTC will take public comments for 60 days following publication of the proposed rule in the Federal Register; interested parties should closely monitor this process as it develops.

Footnotes

1. 16 C.F.R. § 312.5(a)(1).

2. 16 C.F.R. § 312.5(b)(1).

3. Federal Trade Commission, Children's Online Privacy Protection Rule, Proposed Rule, to be codified at 16 C.F.R. § 312.5(a)(1) ("Proposed Rule").

4. 16 C.F.R. § 312.5(c)(4).

5. Proposed Rule at 16 C.F.R. § 312.5(c)(4).

6. Proposed Rule at 16 C.F.R. § 312.8(b).

© Copyright 2023. The Mayer Brown Practices. All rights reserved.
