FTC Aims to Tighten COPPA Regulations, Addressing Tech Surveillance of Children

The FTC has proposed tightening up the rules protecting kids from the surveillance economy. The updated rules would require companies to get the OK from parents before sharing data with advertisers and prohibit holding onto data for nebulous “internal operations,” among other things.

“The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children,” said FTC Chair Lina Khan in a blog post. “Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data.”

The Children’s Online Privacy Protection Act, or COPPA, has been around since 2000 and, while it’s still effective at preventing the most egregious data collection and abuse when it comes to kids, it was last updated in 2013 and could use a fresh coat of paint. The FTC solicited comment quite a while back on how it should change the rules, and the response (as it often is in matters of internet privacy) was voluminous.

“After the FTC announced it was considering revisions to the COPPA Rule, we received more than 175,000 comments,” the agency noted in a news release. “The proposed rule reflects what we heard from parents, educators, industry members, researchers, and others – as well as our 23 years’ experience enforcing COPPA.”

The agency will soon put out a Notice of Proposed Rulemaking, or NPRM, which is a draft of the new COPPA rules that can be commented on and criticized by the public for the following 60 days. The exact timing depends on when the document appears in the Federal Register, which is out of the FTC’s control but will likely be in the next few weeks. In the meantime you can view a draft here.

Here’s what the updated rule would require:

  • Parental opt-in before sharing any child’s info whatsoever with third parties unless that sharing is “integral” to the service. Expect a lot of things to suddenly become “integral” next year!
  • Narrowing the “support for internal operations” loophole. Amazon, for instance, abused this exception, retaining kids’ info indefinitely to improve its voice recognition models. Less of that, hopefully.
  • Better justification for “nudges,” like push notifications to get kids to open an app or stay online.
  • No forcing kids to provide personal data in order to use an app or feature, like “provide your birthday to get 100 free crystals” type stuff.
  • No retention of data past its original, stated use. As in the Amazon example, a company could use a kid’s voice command to launch an app (the primary use) but for sure not for something else afterwards.
  • Schools and school districts can authorize edtech providers to collect and use students’ personal info, but only for educational purposes.
  • “Personal information” now includes biometrics.

And a couple other things, plus a lot more detail (that will be of interest primarily to those directly concerned) in the NPRM itself. If you’re curious about why some of these things are necessary, or even why COPPA is necessary at all, Commissioner Alvaro Bedoya released a helpful explainer on the topic.

Senator Brian Schatz (D-HI) approved of the update, calling it “an encouraging step toward implementing safeguards to protect the youngest users of social media against constant surveillance and manipulation.”

But, he continued, “rulemaking is no substitute for law – Congress needs to act. We urgently need to pass legislation that will protect kids online by setting minimum age requirements for social media use and banning algorithmic targeting for children and teens.”

Considering the state of Congress at present, and the prospect of a 2024 lost to (at the very least) a contentious election, I suspect the Senator’s urgency will not manifest into law any time soon. The FTC rules will have to stand for a while to come.