7 Things Businesses Need to Know About the FTC’s COPPA Amendments
by: Larisa Kupinszky Gamberg
The Federal Trade Commission (FTC) kicked off the new year by announcing significant amendments to its rule implementing the Children's Online Privacy Protection Act (the COPPA Rule). Here are some of the critical changes that organizations should understand:
1. New Security Program Requirements
The FTC has adopted prescriptive information security program requirements. These include the mandatory designation of a security program coordinator; regular risk assessments covering both internal and external threats to personal information; safeguards scaled to the “volume and sensitivity of the children’s personal information that is at risk”; regular testing and monitoring of the program; annual program evaluations and modifications; and due diligence requirements when sharing personal information with third parties.
While several jurisdictions have mandated similar data protection requirements, COPPA’s security rules may extend those obligations to a broader range of businesses, regardless of where in the United States their users are located.
2. Expanded Definition of “Directed to Children”
The FTC has codified clearer criteria for determining whether a platform is "directed to children." Of note is the Commission’s emphasis on “empirical evidence regarding audience composition and evidence regarding the intended audience,” which includes an operator’s marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services. The Commission acknowledged that reviews on a platform may not always be accurate or “fully aligned with determining whether a website or online service is directed to children,” and has expressed its intent to “take such considerations into account when determining whether to rely on such evidence in assessing child-directedness.”
3. Text Message Parental Consent Option
The FTC has introduced a new "text plus" verification method for obtaining verifiable parental consent, similar to the existing "email plus" option. The new rule includes several key compliance points for operators to keep in mind when launching this new option, since text message verification carries a risk that children may impersonate their parents:
As with “email plus,” text plus is not available to obtain consent for the disclosure of children's personal information to third parties;
Text message consent requires additional verification steps after the initial text; and
Texts must include a notice to parents that they may revoke consent.
4. Expanded Definition of “Personal Information”
The definition of “personal information” now includes any government-issued identifier, as opposed to just Social Security numbers. More significantly, “personal information” now also includes biometric identifiers “that can be used for automated or semi-automated recognition.”
Notably, this definition differs from how biometric information is typically regulated. Most states with consumer privacy laws regulate biometric data that is used, or is intended to be used, to identify individuals. Here, the FTC adopted a definition of "biometric identifier" that focuses solely on the identifiability of the biometric information, regardless of how an operator intends to use it.
5. Two-Tier Parental Consent Requirement
Operators must now obtain separate verifiable parental consents for the collection and disclosure of children's personal information. This creates a two-tier consent requirement: after parents give consent to the initial collection of their children’s data, they must separately consent to their children’s information being disclosed to third parties for targeted advertising or other purposes, unless the personal information is disclosed to support the internal operations of the website or online service.
6. Data Minimization Requirements
Operators must not retain children’s personal information for longer than is necessary to fulfill the specific purpose for which it was collected, and the new rule explicitly prohibits the indefinite retention of children’s personal information. Operators will need to create written and publicly available data retention policies, and perform due diligence to ensure that their data deletion techniques prevent unauthorized access to children’s personal information.
7. “Mixed Audience” Definition
The FTC introduced a standalone definition for "mixed audience" websites and services, clarifying that a “mixed audience” platform is one “that is directed to children . . . but that does not target children as its primary audience,” and does not collect any personal information from visitors prior to determining visitors’ ages. Mixed audience operators can collect limited personal information without parental consent to determine a visitor’s age, and COPPA will apply to those visitors who are determined to be younger than 13 years old. Age verification mechanisms must not encourage visitors to falsify their age information (e.g., by defaulting to a set age).
Bonus Takeaway: Push Notifications and Other Engagement Techniques
The FTC initially proposed regulating the use of push notifications and other engagement techniques that encourage children to stay online, but ultimately declined to include the amendment. However, in declining to regulate these engagement techniques, the Commission explicitly stated that it “may pursue enforcement under Section 5 of the FTC Act in appropriate cases to address unfair or deceptive acts or practices encouraging prolonged use of websites and online services that increase risks of harm to children.”
Businesses should note that, while certain practices may not be explicitly prohibited by COPPA, children's data privacy is an especially sensitive issue for regulators. Organizations should approach their children's privacy compliance programs with caution to avoid violating the “spirit” of these regulations, even if they are complying with the text of the law.
What's Next for Your Business?
Organizations should begin reviewing their current practices against COPPA’s new requirements and prepare for implementation. COPPA’s new rules are slated to go into effect 60 days after the amendments are published in the Federal Register. Organizations will want to pay particular attention to:
Assessing if COPPA will apply to their websites and other platforms;
Updating consent mechanisms to accommodate additional parental consent for disclosures;
Reviewing, expanding, or possibly creating their data security and data retention programs;
Evaluating if children’s biometric data is collected on their platforms;
Determining whether they are utilizing user engagement techniques that could attract enforcement actions; and
Determining how their new COPPA compliance obligations overlap or diverge from their obligations under other consumer and children’s data privacy laws.
Businesses should also remember that several states have passed laws governing the collection and processing of minors’ data, with “minor” defined as a child younger than 16, 17 or, often, 18, as we discussed here.
Originally published by InfoLawGroup LLP.