On January 11, the FTC published a notice of proposed rulemaking (the NPRM) to modify the agency's regulations implementing the Children's Online Privacy Protection Act (the COPPA Rule). The proposed changes (the Proposed Amendments) include expanded requirements for providing privacy notices, obtaining parental consent, data security and record retention, as well as updated obligations for COPPA Safe Harbor Programs. The NPRM discussed these proposed changes in detail, addressing positions taken by interested parties in the more than 175,000 comments submitted in 2019 in response to the FTC's solicitation of comments as part of its statutorily required periodic review of COPPA's implementation and effectiveness. Comments on the NPRM are due on March 11, 2024.

Key Proposed Changes

Scope

The COPPA Rule applies to (1) any operator of a website or online service directed to children under age 13 (referred to here simply as "children"), as well as (2) any operator who has actual knowledge that it is collecting or maintaining personal information from a child. The Proposed Amendments would clarify the scope of these categories by, among other things:

  • Adding examples of evidence for the FTC to consider when evaluating whether a website or online service is directed to children, including marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services
  • Expanding the definition of "website or online service directed to children" to apply to companies that have actual knowledge that they collect children's information but do not collect that information directly from users of a child-directed site or service (e.g., they receive that information from third party sources)

The FTC is soliciting comments on whether it should (1) retain the position that an operator is not deemed to have "collected" personal information, and therefore need not comply with the COPPA Rule, if it employs automated means to delete all or virtually all personal information from one-to-one communications, and (2) exempt an operator from being deemed directed to children if the operator analyzes its audience composition and determines that no more than a specified percentage of its users are likely under the age of 13.

Personal Information Definition

"Personal information" is currently defined in the COPPA Rule as "individually identifiable information about an individual collected online," including, among a variety of other specific types of identifiers, "[a] photograph, video, or audio file where such file contains a child's image or voice."[1] The Proposed Amendments would add to the list of identifier types "a biometric identifier that can be used for the automated or semi-automated recognition of an individual, including fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data." In addition, the FTC, while not actually proposing it, is requesting comments on whether "personal information" should be defined to include all government-issued identifiers, rather than just Social Security numbers.

Notice and Consent Requirements

The COPPA Rule currently requires operators to post a privacy policy on their website or other online service describing the operator's practices with respect to children's information collected online. Operators must also provide direct notice to parents and obtain verifiable consent, with limited exceptions, before collecting children's information. The Proposed Amendments would clarify and expand these notice and consent requirements by:

  • Requiring operators that collect a persistent identifier[2] for use in "support for internal operations of the website or online service," which is permissible without parental consent,[3] to (1) specify the particular internal operation(s) for which the operator has collected the persistent identifier and (2) describe the means the operator uses to ensure that it does not use or disclose the persistent identifier to contact a specific individual or for any purpose other than to support internal operations
  • Requiring, as a condition for disclosure of children's personal information to third parties:
      • Additional verifiable parental consent: Operators would have to obtain verifiable parental consent to disclose, separate from and in addition to consent to collect, children's information unless such disclosures are integral[4] to the nature of the website or online service.[5] Operators required to obtain separate verifiable consent for disclosures would be prohibited from conditioning access to the website or online service on the provision of such consent.
      • Direct notice to parents: Operators would be required to state in their direct notice to parents: (1) the identities or specific categories of the third parties to whom children's personal information will be disclosed (with parental consent) and the purposes for such disclosure and (2) that the parent has the above-mentioned option to consent to the collection and use of the child's personal information without also consenting to the information's disclosure.
  • Making it easier for parental consent to be provided:
      • Consent via text message: Parents would be able to provide verifiable consent via text message. Currently, the COPPA Rule permits operators to collect "online contact information" (e.g., an email address or instant messaging user identifier) to initiate the process of obtaining verifiable consent. The Proposed Amendments would amend the definition of online contact information to include "an identifier such as a mobile telephone number, provided the operator uses it only to send a text message."
      • Facial recognition technology and knowledge-based authentication: Parents would be able to verify their identity by (1) using facial recognition technology that compares an image of the parent's face taken with a phone camera against government-issued identification or (2) answering dynamic multiple-choice questions that children would have difficulty answering.

The FTC is inviting comments on what role platforms can play in establishing consent mechanisms to enable app developers or other websites or online services to obtain verifiable parental consent. In particular, the FTC is seeking responses about the benefits a common consent mechanism might offer operators and parents and what steps the FTC can take to encourage the development of platform-based consent mechanisms.

New Mixed Audience Definition

In response to comments about the ambiguity of the COPPA Rule's application to websites or online services directed to both children and others (a "mixed audience"), the FTC is proposing the creation of a separate, stand-alone definition for "mixed audience website or online service." As proposed, this would be defined as a website or online service that is directed to children but does not target children as its primary audience, and does not collect personal information from any visitor prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether a visitor is a child.[6]

Data Security

The Proposed Amendments would substantially broaden the data security requirements under the COPPA Rule by requiring that operators, at a minimum, establish, implement, and maintain a written comprehensive security program that contains safeguards appropriate to the sensitivity of children's information and to the operator's size, complexity, and nature and scope of activities. Specifically, the security program would need to (1) designate an employee to coordinate the security program; (2) identify and, at least annually, perform additional assessments to identify risks to the confidentiality, security, and integrity of children's information; (3) design, implement, and maintain safeguards to control any identified risks, as well as test and monitor the effectiveness of such safeguards; and (4) at least annually, evaluate and modify the security program.

Data Retention and Deletion

The Proposed Amendments would prohibit operators from retaining children's information collected online any longer than is reasonably necessary to fulfill the specific purpose(s) for which the information was collected. To adhere to this prohibition, operators would have to implement and make available to the public a written children's data retention policy that sets forth the purposes for which children's information is collected, the business need for retaining such information, and a timeframe for deletion of such information that precludes indefinite retention.

Key Takeaways

The NPRM underscores the aggressive approach the FTC is taking to protect against misuse of children's data and the resulting online abuses. In the last year alone, the FTC took action against Epic Games, Microsoft, and Facebook related to charges of COPPA violations. As FTC Chair Lina Khan stated in announcing the Proposed Amendments: "[k]ids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data."

The FTC will carefully examine and consider the merits of public comments on the Proposed Amendments. Please feel free to contact any of the authors of this Advisory or your principal Arnold & Porter contact if you might be interested in submitting such comments or have any questions about the NPRM or privacy compliance more generally.

*Adrian Chochorek contributed to this Advisory. Mr. Chochorek is a graduate of the New York University School of Law and is employed at Arnold & Porter's New York office. He is not admitted to the practice of law.

Footnotes

1. 16 C.F.R. § 312.2.

2. The FTC considers a persistent identifier to be one that can be used to recognize a user over time and across different websites or online services. Examples include a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier.

3. Operators that collect persistent identifiers solely for the support of internal operations of the website or service do not need to provide direct notice to and obtain verifiable consent from the parent, but must still comply with the online notice requirement. "Support for internal operations" refers to activities necessary for the site or service to maintain or analyze its functioning; perform network communications; authenticate users or personalize content; serve contextual advertising or cap the frequency of advertising; protect the security or integrity of the user, website, or online service; ensure legal or regulatory compliance; or fulfill certain requests of a child.

4. The FTC explains that an example of integral disclosure might be an online messaging forum's disclosure of online contact information to other users on that forum.

5. Currently, the COPPA Rule provides that operators may rely on a single parental consent for the collection, use, and disclosure of children's information but that they must give parents the option to consent to collection and use without consenting to the disclosure of information to third parties if that disclosure is not integral to the activity the parent is consenting to with respect to collection and use.

6. This definition effectively codifies existing FTC staff guidance that operators, in collecting age information or other means of determining whether a visitor is a child, must do so in a neutral manner that does not default to a set age or encourage visitors to falsify age information.
