FTC Requests Comment on Wide-Ranging Potential Revisions to COPPA Rule
The Federal Trade Commission is requesting comment on a wide range of questions and potential revisions to its COPPA Rule, which provides privacy protections for children under the age of 13. The potential revisions are driven by, as the Commission notes, “continued rapid changes in technology.” The request for comment includes detailed questions about specific areas in which the Rule might be modified to deal with important technological developments, including the rise of voice-enabled connected devices, growth of platforms not directed to children, but which host child-directed content, and use of educational technology in schools. It also seeks feedback on how the current rule is working in practice.
Comments will be due 90 days after publication of a Federal Register notice, which should occur shortly. The FTC will also hold a public workshop on the COPPA Rule on October 7, 2019.
Where the Current COPPA Rule Stands
The Children’s Online Privacy Protection Rule (“COPPA Rule”) requires that operators of websites or online services directed to children younger than 13, and other websites or online services that have actual knowledge that they are collecting personal information from a child younger than 13, comply with certain obligations, including parental notice and consent.
The FTC reviews the COPPA Rule periodically to determine whether amendments are appropriate, and last revised the rule in 2013. Given the rapid pace of technological change, and specifically the growth of widely adopted technology that is used by children, the FTC has initiated this proceeding to determine whether further revisions to the COPPA Rule are warranted.
In addition to its standard regulatory review questions as to whether the rule should be retained, eliminated, or modified, the FTC is requesting comments - and has posed very specific questions - on how COPPA applies or should apply to three specific areas:
- Voice-enabled connected devices.
- General audience platforms that host child-directed third-party content.
- Educational technology.
Below we summarize the FTC’s specific inquiries in each of these three areas and provide an overview of its request for comment on other provisions of rule.
Voice-enabled Connected Devices
Voice-enabled devices have grown dramatically in sophistication and use in recent years – particularly internet-connected (IoT) devices. In 2017, the FTC issued a statement that it would not take enforcement action against an operator that did not obtain parental consent prior to collecting an audio file of a child’s voice, if that audio file was used only as a replacement for written words, used only for that purpose, and was kept for a short period of time. The FTC now asks questions that include:
- Should it amend the rule to make this policy statement an exception to its rules requiring parental consent?
- Should operators be allowed to use the children’s personal data (voice files, search requests, etc.) for other purposes if it is first de-identified?
- Is de-identification of audio files effective at preventing re-identification, and are there certain safeguards to help prevent re-identification?
General Audience Platforms that Host Child-Directed Third-Party Content
The COPPA Rule generally does not apply to websites or online services that are directed toward a general audience unless that operator has actual knowledge that it is collecting information from children younger than 13. The FTC now questions whether this framework incentivizes websites or online services hosting content third-party content to avoid analyzing the target audience of uploaded content. Given the popularity of general-audience websites and online services with younger children, the FTC asks questions that include:
- If a general audience platform monitors third-party child-directed content, should the website be able to rebut the presumption that all users of that child-directed content are children, and treat under- and over-13 users differently? For example, by:
- Permitting users who identify themselves as 13 or older to access the content, and taking reasonable measure to avoid collection of personal information of those under 13?
- Providing clear notices of information collection practices, including though separate communication of those practices through out-of-band notices to account holders?
- Does the ability for general audience websites to age screen users create stronger protections for children’s privacy? What costs and benefits should the Commission consider in making this determination?
- How should COPPA address interactive media technology, such as interactive television, interactive gaming, or chatbots?
Educational Technology
The COPPA Rule currently “does not preclude schools from acting as intermediaries between operators and schools in the notice and consent process, or from serving as the parents’ agent in the process.” The FTC asks:
- Should the rule include an explicit exception to the parental consent requirement for educational technology used in a school?
- If the FTC adopts an exception, how detailed should it be? Should it specify who at the school can provide consent?
- How should operators be able to use the collected information? Should the Rule allow operators to use the information collected from children to improve the product? Should they be allowed to use it for marketing? Should they be required to de-identify the personal information before any use?
- Should a parent be able to request deletion of a child’s information collected under an educational technology exception?
- Should this exception preempt state law where state law (such as the CCPA) provides different rights and obligations?
Other Key Questions
In addition to the specific areas addressed above, the FTC is soliciting comment on a wide range of questions about the COPPA Rule. Some key questions that also pertain to technological advancements include:
- What are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, or other similar interactive media?
- Should the Commission revise the Rule’s definition of personal information to expressly include genetic data, fingerprints, retinal patterns, or other biometric data? What about personal information that is inferred about, but not directly collected from, children?
- Should the Rule incorporate more specific information security requirements, such as requiring encryption of certain personal information?
Additionally, the FTC is requesting comment more generally on:
- How the COPPA Rule has impacted—positively or negatively—the availability of websites or online services directed toward children?
- Does the COPPA Rule overlap with other Federal, state or local regulations? How should conflicts be resolved?
- Are the definitions in COPPA still relevant? Should any definitions be amended, such as the definition of personal information?
- Should the accepted methods of obtaining parental consent be changed?
Wiley Rein’s Privacy, Cyber, and Data Governance practice closely follows privacy regulatory developments and advises clients on compliance strategies as technologies continue to evolve. Please contact us for further information on COPPA, FTC, or other regulatory compliance matters.