Probing the FTC’s COPPA Proposals: Updates to Kids’ Privacy Rule Follow Agency’s Focus on Technological Changes

Written by Stacy Feuer, Sr. Vice President, Privacy Certified
January 8, 2024

With calls to strengthen kids’ online privacy and safety protections growing louder by the day, 2023 was supposed to be the year that Congress would pass new legislation. That didn’t happen. Enter the Federal Trade Commission (FTC).

The agency pursued several blockbuster children’s privacy enforcement actions in 2023, including two against video game companies, that resulted in hundreds of millions in fines and landmark legal remedies. Then, at the very end of the year, the agency issued long-awaited proposals for changes to the Children’s Online Privacy Protection Rule, a process it began in 2019.

The COPPA Rule, last updated in 2013, implements the Children’s Online Privacy Protection Act, which dates back even earlier — to 1999. Although the agency can’t change the Act itself (that’s Congress’ job), it can make far-reaching changes to the Rule. It’s still unclear what a final rule will look like and when (or whether) it will arrive, but the FTC’s cusp of the year move means that 2024 will certainly be a consequential year for children’s privacy.

As a longstanding FTC-authorized COPPA Safe Harbor program, we follow the agency’s COPPA work closely. We’ve delved into the Notice of Proposed Rulemaking (NPRM) to understand what the NPRM will mean for our member video game and toy companies – and for the millions of kids and teens (and their parents) that play games. (Although the average age of a gamer is 32, 76% of people under the age of 18 play video games.) We plan to file a comment on the proposed rule changes within the 60-day comment period that will start to run once the NPRM is published in the Federal Register, most likely later this week.

Although we’re still considering our responses to the NPRM, we’re providing a summary of the most important provisions to spare you reading all 164 pages of the document. (LinkedIn estimated that it would take me 228 minutes to read the NPRM. Once. I’ve already read it multiple times.) So, if you don’t have four – or forty – hours to devote to COPPA Rule reform, read on. It shouldn’t take four hours, but this blog is on the longer side. For convenience, we’ve divided it into three categories: (1) Changes; (2) Emphasis; and (3) Status Quo.

First up, notable changes to definitions and substantive aspects of the Rule:

  • Personal Information: Currently, the COPPA Rule’s definition of personal information includes information collected from a child such as name, address, online contact information, screen or user names (when they function as contact information), phone numbers, social security numbers, geolocation information and photography, video, or audio files that contain a child’s image or voice. The Rule also includes “persistent identifiers” (such as IP addresses) that can be used to recognize users over time and across different web sites or online services in the definition of personal information.
    • Proposal: In the NPRM, the agency proposes expanding this definition to include biometric identifiers and all forms of government identification, not just SSNs. The FTC’s inclusion of biometric identifiers including “fingerprints or handprints; retina and iris patterns; genetic data, including a DNA sequence; or data derived from voice data, gait data, or facial data” as personal information is not surprising. In its May 2023 Biometric Policy Statement, the FTC articulated its concerns about the “new and increasing risks associated with the collection and use of biometric information” and FTC Commissioner Alvaro Bedoya has regularly sounded the alarm bell on how “companies are protecting children’s biometric data against breaches, fraud, and abuse.”
    • Questions: Beyond biometric information, the agency raises questions about two other categories of information – avatars and online screen or user names – that may be of interest to video game companies:
      First, the NPRM asks whether screen or user names should be treated as online contact information “even if the screen or user name does not allow one user to contact another user through the operator’s website or online service, when the screen or user name could enable one user to contact another by assuming that the user to be contacted is using the same screen or user name on another website or online service that does allow such contact?”
      Second, referring to the popularity of avatars in online services such as video games, the NPRM asks whether the Rule should explicitly designate avatars generated from a child’s image as personal information “even if the photograph of the child is not itself uploaded to the site or service and no other personal information is collected from the child.” The agency is interested in receiving specific feedback on these issues.
  • Target Audience: The target audience for a digital service is key to determining when an online service is “directed to children.”
    • Proposal: Although the FTC does not propose moving away from the multi-factor test it uses to determine whether a site is child-directed, it proposes adding a list of examples of evidence that the agency will consider in analyzing audience composition and intended audience. This will include “marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services.”
    • Questions: The NPRM also seeks feedback on whether the FTC should provide an exemption from designation as a child-directed service, for companies that have empirical evidence that no more than a specific percentage of its users are likely to be children under the age of 13. It also asks a number of questions about the contours of such an exemption.
    • Mixed Audience: The NPRM also proposes adding an express definition of “mixed audience” sites to the Rule. As with the current Rule, mixed audience services are directed to children, but do not target children as their primary audience. Such services cannot collect, use, or disclose users’ information without verifiable parental consent unless they use a neutral method “that does not default to a set age or encourage visitors to falsify age information” to collect a user’s age or use another method “reasonably calculated to determine if the user is a child.” This would permit companies to apply COPPA protections only to users under the age of 13.


  • Verifiable Parental Consent: One of the fundamental features of the COPPA Rule is the requirement that companies obtain verifiable parental consent (VPC) from parents for the collection and use of children’s personal information.
    • Proposal: The NPRM focuses on the sharing of children’s information with third parties, especially with advertisers, by requiring companies to obtain a separate VPC for disclosures of a child’s personal information unless such disclosures are “integral to the nature of the website or online service.” (The NPRM provides the example of an “online messaging forum” as an example of a situation where information disclosure would be “integral.”) As the FTC explains in its Business Blog, this means that “COPPA-covered companies’ default settings would have to disallow third-party behavioral advertising and allow it only when parents expressly opt in.” In addition, as the NPRM makes clear, this requirement is feature-specific. So, if a company implements a “chatbot or other feature that simulates conversation” it must obtain VPC.
    • Questions: Interestingly, although the NPRM states several times that COPPA permits contextual advertising without VPC, the FTC is seeking comment on this issue. Question 10 asks, “Operators can collect persistent identifiers for contextual advertising purposes without parental consent so long as they do not also collect other personal information. Given the sophistication of contextual advertising today, including that personal information collected from users may be used to enable companies to target even contextual advertising to some extent, should the Commission consider changes to the Rule’s treatment of contextual advertising?”


  • Internal Operations and Notice: The COPPA Rule has long allowed companies to collect and use persistent identifiers without first getting VPC if they don’t collect any other personal information and use the persistent identifiers only to provide support for internal operations. In the NPRM, the agency expressly declined to provide a narrowed or expanded definition of “internal operations.” It also stated that it believes that the practice of ad attribution, which allows an advertiser to associate a consumer’s action with a particular ad, “currently falls within the support for the internal operations definition” except when it is used for behavioral advertising, amassing a profile on a specific individual, or directly contacting an individual.
    • Proposal: To increase transparency around the internal operations exception, however, the agency would require companies to specifically identify the way in which they will use a collected personal identifier in their online notices. In addition, the company must “describe the means it uses to ensure that it does not use or disclose the persistent identifier to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, in connection with processes that encourage or prompt use of a website or online service, or for any other purpose, except as permitted by the support for the internal operations exception.”


  • Internal Operations and Engagement: As foreshadowed in the quoted language immediately above, the FTC is interested in issues that go beyond pure privacy concerns like “nudging.”
    • Proposal: The NPRM also proposes to expand the Rule’s restrictions on the internal operations exception to processes (including machine learning processes) that would “encourage or prompt” a child’s use of an online service. This would include “push notifications” that encourage kids to use their service more. Companies that use persistent identifiers to send these push notifications would also be required to flag that use in their direct and online notices. This would ensure parents are aware of, and have consented to, these processes.
    • Questions: Here, too, the agency seeks additional comment, asking how companies are currently using persistent identifiers to maximize user engagement and how it could distinguish between “user-driven” personalization versus personalization driven by a business. In a separate question, the NPRM also asks whether the Rule should address other engagement techniques, as well as whether the Rule should “differentiate between techniques used solely to promote a child’s engagement with the website or online service and those techniques that provide other functions, such as to personalize the child’s experience on the website or online service?”


  • Data security: Consistent with concerns that the FTC has raised about data security in the recent COPPA enforcement cases, the proposed Rule significantly expands the COPPA Rule’s existing data security requirement.
    • Proposal: The NPRM requires companies to have written comprehensive security programs that are proportional to the “sensitivity of children’s information and to the operator’s size, complexity, and nature and scope of activities.” It also sets out requirements for performing annual data security assessments, implementing and testing safeguards, and evaluating and modifying their info security programs on an annual basis. The proposed Rule would also require companies to obtain written assurances from third parties to whom they transfer personal information, such as service providers, to maintain the confidentiality, security, and integrity of information.


  • Safe Harbor oversight: Of particular interest to us are the additional reporting and transparency requirements for Safe Harbor programs. Several of the proposals reflect comments that we have made to the FTC and to members of Congress inviting additional oversight to ensure that all Safe Harbor programs fulfill their responsibilities under the COPPA Rule. Others may present operational challenges. We will provide detailed responses to these proposals in our public comment on the NPRM.


  • Online contact information: Recognizing the significant convenience and utility of text communications, the FTC also proposes adding mobile telephone numbers to the list of identifiers that constitute “online contact information” so that parents can provide consent via text message. The NPRM makes clear, however, that companies may only use a child’s number to send a text message, and that the agency will not permit companies to collect and use a child’s mobile telephone number to communicate with the child, unless it has obtained verifiable parental consent to do so.

Beyond these proposed changes, it’s worth noting what is staying the same, but with more emphasis. Two issues stand out:

    • Data minimization: The Rule has long prohibited companies from collecting more personal information than is reasonably necessary for a child to participate in a game, offering of a prize, or another activity. The NPRM reinforces this prohibition, making it clear that it applies even if a company has obtained VPC.


    • Data retention and deletion: The NPRM emphasizes the FTC’s focus on data retention in recent enforcement actions. Companies can only retain personal information for as long as necessary to fulfill the purpose for which it was collected: they cannot hold on to it indefinitely or use it for any secondary purpose. This means that a company that collects a child’s email address for account creation purposes cannot use it for marketing purposes without VPC. The proposal would also require companies to post a data retention policy for children’s personal information to enhance parents’ ability to make informed decisions about data collection.

Finally, here’s what isn’t changing, at least not as part of the FTC’s rulemaking process:

    • Teens: First, despite making clear, in a variety of contexts (such as the Epic Games settlement and last year’s Advance Notice of Proposed Rulemaking on Commercial Surveillance and Lax Security Practices), that teens should benefit from privacy protections, the NPRM does not address raising the age of a “child” beyond 12, as urged by many commenters. This is because the agency does not have the authority to change the age of a child, which is established in the Act.


    • Knowledge Standard: Currently, COPPA only applies to “child-directed” services or when an operator has “actual knowledge.” Despite many comments urging the FTC to change the standard from the “actual knowledge” standard to a “constructive knowledge” or another less definite standard, the agency declined to do so. Instead, it includes a long discussion of the legislative history of the Act on this point, sending a strong signal to Congress that the ball is in its court on that issue – and other issues like teen privacy that would require Congressional amendment of the Act (as opposed to FTC modification of the Rule) — when it reconvenes for 2024.


    • Inferred Data: Similarly, the NPRM declines to include “inferred data” in the definition of personal information because the Act makes clear that COPPA applies to information collected from a child, not about a child.


    • Rebuttable presumption: The agency also declined to permit general audience platforms to rebut the presumption that all users of child-directed content are children, finding that the “reality of parents and children sharing devices, along with account holders remaining perpetually logged into their accounts, could make it difficult for an operator to distinguish reliably between those users who are children and those who are not.”

• • • • •
In announcing the NPRM, FTC Chair Lina Khan stated that, “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life . . . .” We agree that the COPPA Rule needs updating. As we have said in other comments, kids’ privacy rules should be modernized “to meet the challenges of social media, mobility, ad tech, and immersive technologies – issues that weren’t present when COPPA was enacted nearly 25 years ago.” As the FTC’s rulemaking unfolds, we’ll be following closely and providing guidance to our program members on complying with any new rules and implementing stronger protections for children’s privacy. To learn more about ESRB Privacy Certified’s compliance and certification program, please visit our website, find us on LinkedIn, or contact us at [email protected].

As senior vice president of ESRB Privacy Certified (EPC), Stacy Feuer ensures that member companies in the video game and toy industries adopt and maintain lawful, transparent, and responsible data collection and privacy policies and practices for their websites, mobile apps, and online services. She oversees compliance with ESRB’s privacy certifications, including its “Kids Certified” seal, which is an approved Safe Harbor program under the Federal Trade Commission’s Children’s Online Privacy Protection Act (COPPA) Rule. She holds CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals.