On Dec. 20, 2023, the Federal Trade Commission announced its intent to file a notice of proposed rulemaking related to the Children’s Online Privacy Protection Rule — the first proposed changes to the rule in 10 years.
What are some of the key proposed changes?
- Separate Opt-In for Targeted Advertising. Covered service operators are required to obtain separate verifiable parental consent before disclosing children’s personal information to third parties unless the disclosure is integral to the nature of the online service. Access to services cannot be conditioned on disclosure of personal information to third parties.
- Writing Current Ed Tech Guidance into the Rule. As in the current policy statement on education technology and COPPA, schools and school districts may authorize ed tech providers to collect, use, and disclose students’ personal information only for school-authorized educational purposes and not for any commercial purpose.
- Children’s Personal Information Security Program. Services operators must implement a written children’s personal information security program with safeguards appropriate for the sensitivity of the personal information collected from children.
- Data Retention Limits. Data may only be retained for as long as necessary to fulfill the purpose for which it was collected (and may not be retained for any secondary purpose) and may not be retained indefinitely. Operators must create and publish a written data retention policy for children’s personal information.
Why It Matters
These proposed changes come at a time when the effects of children’s use of the internet and social media are receiving significant media scrutiny and legislation on children’s privacy continues to proliferate. States across the country are considering and enacting children’s online privacy bills and the U.S. Senate recently passed out of committee two such bills that await a floor vote. Organizations that handle children’s data are subject to a regulatory environment with overlapping requirements and that is changing rapidly.
Once the NPRM is published in the Federal Register, comments to the proposed regulations will be due 60 days later. The FTC will then take those comments into consideration and presumably publish a final rule, should Congress not enact any legislation. Impacted organizations will need to watch this area closely to update compliance programs and internal practices implicated by any regulatory changes.