
FTC updates closely watched children’s online privacy rule

The Federal Trade Commission (FTC) on Thursday announced updated online privacy protections for children that require opt-in consent from parents, who will have to explicitly authorize targeted advertising to their children. 

The new rule, which will take effect 60 days after it is posted in the Federal Register, also sets strict parameters minimizing how long companies can hold on to children's data.

The FTC’s move is intended to block businesses from monetizing children’s data and update regulations under the Children’s Online Privacy Protection rule (COPPA rule) that went into effect in 2000. The newly amended rule has been hotly anticipated by privacy and children’s rights advocates since the agency proposed it in December 2023.

Incoming FTC Chair Andrew Ferguson voted in favor of the new stricter COPPA rule, a development privacy advocates have closely watched as they seek to understand how he will prioritize data privacy during his tenure. The five-member commission will flip to a Republican majority after the Senate confirms President-elect Donald Trump’s choice to fill a third seat.

Ferguson issued a statement noting that he disagreed with elements of the new rule, including the broad prohibition on indefinite data retention and requirements that third-party data sharing must receive parental consent across the board.

After accepting 300 comments about the proposed rule, the FTC decided to forgo potential updates that would have barred companies from sending push notifications to children without their parents’ signoff. The dropped push notification requirement also would have mandated that companies tell parents when they gather personal data from the notifications.

COPPA, which mandates that online platforms get “verifiable parental consent” before gathering and sharing personal data belonging to children 12 years old and younger, had not been updated in more than a decade.

A proposed measure to prohibit educational technology vendors from using students’ data commercially also was abandoned. That decision comes at a time when ed tech companies have been criticized for collecting, storing and sharing data with third parties, and a few weeks after a massive data breach of the educational technology vendor PowerSchool.

Nearly 96% of educational apps share children’s personal data with third parties and 78% of the time they funnel the data to advertising and data analytics firms, usually without the consent of users or schools, the nonprofit research organization Internet Safety Labs said in a December 2022 report.

In May 2022, the FTC warned ed tech companies that its concerns about data collection are “particularly acute in the school context, where children and parents often have to engage with ed tech tools in order to participate in a variety of school-related activities.” It promised to “scrutinize” the sector for COPPA violations.

The data retention limits in the updated regulation state that operators can only store children’s data “for as long as reasonably necessary to fulfill a specific purpose for which it was collected” and specifically mandate that the data not be stored indefinitely.

The new rule also broadens the definition of personal data to incorporate biometric and government-issued identifiers, the FTC said in a press release.

It additionally increases transparency of Safe Harbor programs, which allow companies to self-certify that they are complying with COPPA safeguards. The programs are now required to publish the names of members and report how efforts to boost accountability are faring.

“The updated COPPA rule strengthens key protections for kids’ privacy online,” FTC Chair Lina M. Khan said in a statement. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission.”

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.