They grow up so fast! A sentiment – and challenge – shared by parents and technologists alike. Just when you think you’ve finally figured it out, you blink, and they’re unrecognizable. The old rules can no longer be trusted to keep them in check. That’s the story of little Jimmy – but also – with the rules meant to protect him online. A decade ago, little Jimmy would surf his favorite kid-friendly website from his desktop if he finished his homework on time. A mobile flip phone would have been a real treat. But today’s little Jimmys send Snaps when the teacher isn’t watching, track their learning using educational technology inside and outside the classroom, watch TVs that can predict their tastes and habits, and ask Alexa to order the latest video game for them.
Spurred by the rapid evolution of technology, the Federal Trade Commission (“FTC” or “Commission”) decided unanimously to begin a review of the Children’s Online Privacy Protection Act (“COPPA”) Rule. The review could upend compliance plans for many businesses with a digital footprint.
COPPA, which took effect in 2000, aims to protect child privacy online by requiring websites directed at children to notify parents and obtain their verifiable consent before collecting, using, or disclosing personal information from users under 13. The FTC reviews the COPPA Rule about every ten years to ensure it keeps pace with evolving technology. Accordingly, the last review was initiated in 2010 and the revised COPPA Rule took effect in 2013.
The breakneck speed of recent technological advances, as well as their ubiquity among children, however, has pushed the FTC to act sooner. For example, the rise of voice-enabled connected devices, interactive entertainment, general audience platforms that host third-party content directed at children, and advances in the educational technology sector all present new and rising privacy risks for children online. These devices were not yet on the FTC’s radar during the 2013 review, and it has now initiated a new review – merely six years later – to address these evolving challenges.
The FTC is seeking comment of every major aspect of the COPPA rule, and if changes to the rule are adopted, it will affect the data collection and compliance practices of any company that operates websites, apps or connected devices that kids may be using. As part of the “refresh” the FTC is seeking comment on the scope of COPPA, and the revised rule may be applied to companies it did not previously cover.
The trend of tightening up privacy restrictions is consistent with other new privacy laws such as Europe’s General Data Protection Regulation and the California Consumer Privacy Act.
The Costs of COPPA Compliance
For many smaller applications aimed at children, the costs of complying with new stricter policies can be prohibitive. After the 2013 COPPA revisions went into effect, for example, some entities could not afford to make the necessary changes to come into compliance, and instead chose to convert to a general audience or close entirely. FTC enforcement actions for COPPA violations have also been on the rise, making the risk of non-compliance even greater. Recently, the FTC brought COPPA-related enforcement actions against lip sync app Musical.ly (now TikTok), online dress-up game i-Dressup.com, internet-connected toymaker VTech, and sent warning letters to the makers of a smart watch targeted to children. The actions demonstrate the FTC’s growing appetite to police privacy concerns as they relate to emerging technology.
Possible Changes on the Horizon
With children engaging daily on their mobile devices with media companies not traditionally geared toward younger age groups, the FTC is considering revising its guidance on what factors determine whether a website or online service is directed to children, and therefore, covered by COPPA. Many media companies – such as Youtube and Snapchat – take steps to restrict access to users under 13, but still find themselves with many users – and user data – belonging to that category. While the Commission declined to impose a numerical percentage trigger for COPPA applicability regarding the number of users under 13 in its 2013 review, it is possible that it may revisit that determination. Under the 2013 rules, however, websites may ask users for their ages and provide a separate, more limited experience to users under 13 that likely involves little or no data collection.
On the other hand, the review may result in loosening other children’s privacy regulations. For example, the FTC seeks comment on whether it should loosen parental consent requirements when education technology is used in schools.
In the Federal Register notice announcing the review, the FTC seeks comment on numerous issues. Some of the specific questions it poses include:
-
Has the Rule affected the availability of websites or online services directed to children?
-
Does the Rule correctly articulate the factors to consider in determining whether a site or online service is directed to kids, or should additional factors be considered? For example, should the Rule be amended to better address sites and services that may not include traditionally child-oriented activities, but have large numbers of users under 13?
-
Do technologies like interactive TV, interactive gaming, etc., have specific implications under COPPA?
-
Should the Rule be modified to encourage general audience platforms to police child-directed content uploaded by third parties?
-
Does the Rule overlap or conflict with any other federal, state, or local government laws or regulations?
Stakeholder Participation
One lawmaker who has previously been on the front lines of children’s privacy has already said he will add his voice to the review. Senator Ed Markey (D-MA), the original author of COPPA, has been working to extend its protections to minors aged 13 through 15. In March 2019, he introduced a bipartisan bill, S. 748, that would accomplish this, as well as other changes to COPPA, along with Senator Josh Hawley (R-MO). The legislation would also create an “Eraser Button,” so parents and children can delete personal information and a “Digital Marketing Bill of Rights for Minors” that limits the collection of personal information. It is possible that Senator Markey will try to raise these concepts in the COPPA review as well.
The Request for Public Comment was published in the Federal Register on July 25, and comments are due on October 23. In preparation for the regulatory review, the FTC will also host a workshop on October 7 to examine whether to update the COPPA rule in light of changing business practices. The agenda for The Future of the COPPA Rule: An FTC Workshop has not yet been announced, but will likely involve panels and presentations on various child privacy-related topics by industry representatives, experts, government officials, and individuals.