On Jan. 16, 2025, FTC finalized changes to the COPPA rule to set new requirements around the collection, use and disclosure of children’s personal information and data.
New tools, protections to help parents control what data is provided to third parties.
Requires opt-in consent for targeted advertising and other disclosures to third parties.
In addition, requires covered operators to only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected.
Approved COPPA Safe Harbor programs, self-regulatory programs that implement the protections, will be required to publicly disclose membership lists, information to FTC.
Includes several amended definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers.
FTC decided against adopting some changes, including requirements that were intended to limit use of push notification directed to children without parental consent.
Also, requirements applicable to educational technology companies operating in school.
FTC noted that it remains concerned about the use of push notifications and other engagement techniques to keep kids online in ways that could harm mental health.
Final rule effective 60 days after publication in federal register, except with respect to 312.11(d)(1), (d)(4), and (g), regulated entities have until 365 days after publication.
Placed new restrictions on the use and disclosure of children’s personal information.
Limit ability of companies to condition access to services on monetizing children’s data.
Aims to shift burden from parents to providers to ensure services are safe for children.
Rule Provisions
Online service operators must obtain separate verifiable parental consent to disclose information to third parties including third-party advertisers; may not condition access.
Prohibited conditioning a child’s participation on collection of personal information.
Additionally, proposal put limits on the support for the internal operations exemption.
Required operators utilizing this exception to provide an online notice that states the specific internal operations for which the operator has collected a persistent identifier.
Also how they ensure that identifier is not used/disclosed to contact specific individual.
Prohibited operators from using online contact information and persistent identifiers to send push notifications to children to prompt or encourage use of their service more.
Proposed codifying current guidance related to the use of education technology to prohibit commercial use of children’s information and implement additional safeguards.
Increased safe harbor program accountability; strengthened data security standards.
Personal information may only be retained for as long as necessary to fulfill a purpose.
Expanded the definition of personal information to include biometric identifiers.
Consultation
Comments due within 60 days of publication in federal register., i.e., Feb. 18, 2024.
Jan. 11, 2024 FTC Fed Reg Proposal
On Jan. 11, 2024, FTC published proposed changes to COPPA rule in federal register.
Proposed rule changes due to changes in technology and online practices, to clarify and streamline the rule, and based on review of public comments and enforcement.
Comments on proposed rule changes must be submitted no later than Mar. 11, 2024.
Jan. 2025 FTC Final Rule
On Jan. 16, 2025, FTC finalized changes to the COPPA rule to set new requirements around the collection, use and disclosure of children’s personal information and data.
New tools, protections to help parents control what data is provided to third parties.
Requires opt-in consent for targeted advertising and other disclosures to third parties.
In addition, requires covered operators to only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected.
Approved COPPA Safe Harbor programs, self-regulatory programs that implement the protections, will be required to publicly disclose membership lists, information to FTC.
Includes several amended definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers.
FTC decided against adopting some changes, including requirements that were intended to limit use of push notification directed to children without parental consent.
Also, requirements applicable to educational technology companies operating in school.
FTC noted that it remains concerned about the use of push notifications and other engagement techniques to keep kids online in ways that could harm mental health.
Final rule effective 60 days after publication in federal register, except with respect to 312.11(d)(1), (d)(4), and (g), regulated entities have until 365 days after publication.
