FTC proposes tougher children’s data privacy rules for first time in a decade

The Federal Trade Commission (FTC) is proposing new restrictions on the use and disclosure of children’s personal data and wants to make it much harder for companies to exclude children from their services if they can’t monetize their data, the agency announced Wednesday.

The proposed overhaul of the Children’s Online Privacy Protection Rule (COPPA) is the first suggested update of the landmark regulation in a decade. It comes as the agency is showing new muscle in protecting children online, most notably with its recent crackdown on Meta, which it wants to prohibit from monetizing kids’ data across the board.

Under the new COPPA proposal, the FTC seeks to make providers, not parents, mostly responsible for ensuring digital experiences are safe for kids, the agency said in a press release.

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” FTC Chair Lina Khan said in a statement.

She went on to say the proposed changes — which the public will be invited to comment on for 60 days before a final rule is issued — are especially vital in an era “where firms are deploying increasingly sophisticated digital tools to surveil children.”

“By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents,” Khan said.

In addition to the above changes, the new proposal:

• Bars companies from gathering more personal information than is “reasonably necessary” for a child to participate in online games and contests
• Limits companies’ ability to use kids’ personal information to send them push notifications or otherwise “nudge” them to stay online
• Prohibits educational technology companies from using kids’ data commercially and requires protections for that data
• Makes data security rules stronger by requiring that operators implement a “written children’s personal information security program” to protect sensitive data
• Ensures data is only retained for as long as needed for the task at hand and bars companies from keeping data for secondary purposes
• Broadens how personal information is defined to include biometric identifiers

The existing COPPA rule, which was originally implemented in 2000, mandates that websites and online services collecting data for children under the age of 13 notify their parents first. The rule also reins in companies’ use of kids’ data, limiting what they can collect, how long they can store it and how to secure it.

The public has historically shown keen interest in the COPPA rule, with the FTC fielding more than 175,000 comments when it last asked for input on updating the rule in 2019. It did not move forward with formal changes at the time.

The rule was last updated in 2013 in an effort to better regulate childrens’ use of cell phones and social media. That update broadened the definition of personal information by regulating how companies could use youths’ geolocation data, photos, videos and audio recordings as well as online tracking tools such as cookies.

Childrens’ privacy advocates highlighted Wednesday’s announcement as one of several recent FTC actions cracking down on big tech’s use of kids’ data. Some advocates said action is needed now more than ever as artificial intelligence feeds off of data, driving demand for more of it.

“With this critical rule update, the FTC has further delineated what companies must do to minimize data collection and retention and ensure they are not profiting off of children’s information at the expense of their privacy and wellbeing,” Haley Hinkle, policy counsel at the childrens’ advocacy organization Fairplay, said in a statement.