FTC Proposes Major Updates to Children’s Online Privacy Protection Act

Advertising Law

On December 20, the Federal Trade Commission (FTC) proposed its first significant updates to the Children’s Online Privacy Protection Act (COPPA) in a decade. If adopted, the FTC’s Notice of Proposed Rulemaking (the Proposed Rule) would place new restrictions on the use and disclosure of children’s personal information, especially as related to digital services.

COPPA was enacted in 1998 to regulate how businesses use information collected from and about children. COPPA has been revised periodically, largely to update it to reflect advancements in data collection practices. COPPA currently defines “children” as individuals under the age of 13. The FTC continues to actively enforce COPPA, as reflected by actions this year against a major voice recognition service and a major online video gaming platform. 

Expansive Definition of ‘Online Services Directed to Children’

As currently written, COPPA applies to:

  • Operators of websites and online services directed to children
  • Other operators of websites that have “actual knowledge” they are collecting personal information from children under 13 years of age

The Proposed Rule would expand the definition of “websites and online services directed to children” to apply to any operator with actual knowledge that it is collecting personal information from websites or online services directed to children.

Consent Requirements

COPPA currently requires operators to obtain verifiable parental consent prior to any collection, use and/or disclosure of personal information from children. Subject to certain exceptions, the Proposed Rule expands this requirement by requiring operators to identify all third parties a child’s personal information will be shared with and the reason the information will be shared, prior to obtaining the parent’s consent. The Proposed Rule would also require operators to allow a parent to consent “to the collection and use of the child’s information without consenting to the disclosure of such information.”

Notable exceptions to the parental consent requirements include:

  • Audio files of a child’s voice in response to a child’s specific request
  • Children’s data used for purposes of ad attribution and contextual advertising
  • Student data used for school-authorized educational purposes

The Proposed Rule would allow parents to provide verifiable consent in several ways, including by:

  • Answering multiple-choice questions
  • Verifying government photo IDs
  • Using facial recognition technology, confirmed by personnel and deleted as soon as a match is confirmed
  • Replying to a text message

Other Notable Updates

The Proposed Rule would also:

  • Update the definition of “personal information” to include biometric data
  • Require operators to establish, implement and maintain a written comprehensive security program to protect children’s data
  • Strengthen COPPA’s data minimization requirements by requiring operators to maintain a data retention policy specifying the business need for children’s data and the time frame for deleting it
  • Modify COPPA’s Safe Harbor Program by requiring Safe Harbor organizations to provide additional information regarding the operators utilizing the Safe Harbor Program and requiring the Safe Harbor organizations to file triannual reports on the same

What’s Next

The FTC has requested comment on a number of key provisions in the Proposed Rule, which has the potential to affect (and in many cases, burden) nearly all online and online-related businesses—and especially those that market in whole or in part to children. As such, comments on the Proposed Rule are crucial. Interested parties have 60 days following its publication in the Federal Register to submit comments.

If you would like assistance in drafting and filing comments on the Proposed Rule, please contact the authors or your Manatt relationship professional.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved