The Federal Trade Commission (FTC) has proposed amendments to an existing law aimed at restricting the ability of websites to collect, disclose, and monetize children’s personal information.
Under the current Children’s Online Privacy Protection Act (COPPA), website operators are required to obtain verifiable parental consent before collecting personal data from children under 13 years old.
The COPPA rule also limits the personal data that websites and other online services can collect from children, restricts how long they can retain such data, and requires them to secure the data.
“The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children,” Ms. Khan said.
“By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents,” she added.
The FTC also proposed prohibiting operators from using online “persistent identifiers” to boost user engagement with the website, such as through sending push notifications, without getting parental consent.
“If operators claim this exception in the future, the FTC wants them to provide an online notice explaining the specific operations for which they’re collecting those identifiers and how they will ensure identifiers aren’t used to contact specific people, including through targeted advertising,” it stated.
In addition, operators would be prohibited from utilizing specific COPPA exceptions to send push notifications aimed at encouraging children to increase their usage of the website or online services.
The FTC also suggested allowing operators to retain children’s personal information “only for as long as necessary to fulfill the purpose for which it was collected.” Operators would be prohibited from using retained information for secondary purposes.
Operators will need to create a written children’s personal information security program and implement it, including safeguards appropriate to the sensitivity of the information collected from kids.
Urgently Needed Online Safeguards
Katharina Kopp, director of policy at the nonprofit Center for Digital Democracy, said the FTC’s proposed new rules provide “urgently needed” online safeguards.“These rules will also protect young people from being targeted through the increasing use of AI, which now further fuels data collection efforts. Young people 12 and under deserve a digital environment that is designed to be safer for them and that fosters their health and well-being.
Haley Hinkle, policy counsel at the nonprofit organization Fairplay, urged people to support the proposed new rules, especially if they believe that children should be able to play online without being tracked.
“With this critical rule update, the FTC has further delineated what companies must do to minimize data collection and retention and ensure they are not profiting off of children’s information at the expense of their privacy and well-being,” Ms. Hinkle said.
Ms. Hinkle said the FTC’s recent COPPA enforcement actions against Epic Games, Amazon, Microsoft, and Meta demonstrated that “Big Tech does not have carte blanche with kids’ data.”
In response, the company filed a lawsuit at the same court on Nov. 29, asking it to “permanently” prohibit such FTC proceedings. Meta also called the FTC’s proposed expansion of the 2020 privacy order a “political stunt.”
