Federal data privacy regulations aimed toward protecting children might be due for a major change.
The Federal Trade Commission on July 17 announced it is seeking public comment on its Children’s Online Privacy Protection Act, or COPPA, Rule. The regulations govern the hoops companies must jump through if they run certain websites or “online services” that collect data from children under 13. The FTC’s call for public comment puts a spotlight on one of the older U.S. data privacy regulations.
“In light of rapid technological changes that impact the online children’s marketplace, we must ensure COPPA remains effective,” said FTC Chairman Joe Simons in a press release. He added that the commission needs to “regularly revisit, and if warranted, update the Rule.”
Certain websites, mobile apps and Internet-of-Things devices are subject to the COPPA Rule if they’re “directed to children” and collect personal information from children. The rule, which first went into effect in 2000, also covers websites or online services that knowingly collect children’s personal information. COPPA requires companies to post a privacy policy outlining what they do with data they collect from kids under 13, as well as what third parties such as plug-ins or ad networks do with the data.
COPPA generally requires companies to get verified consent from parents before they can collect, use or disclose children’s data. It also gives parents the right to revoke that consent, review the personal data collected and have the child’s data deleted. The FTC allows a range of exceptions companies can use so they don’t have to get verifiable parental consent, however.
The COPPA Rule saw a major update in 2013, when the FTC broadened the definition of personal information to include cookies, geolocation or the child’s voice or image. Those amendments came after more than two years of FTC review to modernize COPPA.
With its broad definition of personal information, COPPA might be seen as a precursor to the EU’s General Data Protection Regulation, according to attorney Tom Codevilla, a partner at SK&S Law Group who specializes in data privacy. COPPA rules were instituted long before data privacy became a widespread concern in the U.S., and the initial focus on children was by design.
“COPPA was intended to be a beachhead for privacy issues,” Codevilla said. “The FTC thought [people] would pay more attention if they made it about kids.”
Codevilla regularly handled COPPA issues when he was in-house at Sphero, a robotic toy company in Boulder. The rules require legal departments to work with software and web developers to design interfaces on the front- and backend that comply.
“What developers don’t necessarily like about [COPPA] is it creates a sort of user interface nightmare,” Codevilla said.
The gatekeeping steps required for companies to lawfully collect and process children’s data, which often include additional screens and emails, can make their sites or apps cumbersome and even drive users to disengage from the product or service, he added.
The FTC’s enforcement actions might not be as “high-dollar” as the EU’s for the GDPR, but they appear to be trying to make deterrent examples of companies, Codevilla said.
In February, the FTC issued a record-setting fine of $5.7 million against TikTok, a video sharing app, over alleged COPPA violations. The app knowingly collected data from kids without parental consent, according to the commission. In addition to the fine, TikTok had to delete all of its existing videos and data from children under 13, and it updated its app to verify the user’s age. Now when users say they are under 13, TikTok directs them to a separate, more restrictive network within the app.
Other sites and apps that aren’t necessarily directed toward children but draw a lot of under-13 users appear to be a focus of the questions the FTC is asking for comment on. One question is whether the definition of a “Web site or online service directed to children’ [should] be amended … to cover these types of websites.”
“They’re asking for ways to update COPPA for the YouTube generation, the technical realities of what we see today,” Codevilla said. “It’s kind of an open secret that there are a lot of kids on these general audience platforms, and there’s very little control or attempt to figure out which users are under 13.” Codevilla said “it’s pretty clear” that the current directed-to-children standard isn’t working, “and people are starting to get agitated about it,” prompting the FTC to respond. The FTC appears to be seeking comment on virtually all of COPPA, and Codevilla noted the FTC appears to be considering adding to the rule’s definition of personal information.
It may be difficult to predict which COPPA updates are likely and how they might affect more general audience platforms. Codevilla expects “more requirements for the Facebooks and he YouTubes of the world,” adding that it’s hard to say at this point what those requirements would look like, however.
— Doug Chartier