FTC publishes updates to children’s privacy rule, easing fears that Trump admin would nix it

After a six-year effort to update a landmark children’s online privacy protection rule dating to 2000, the Federal Trade Commission this week made a tougher version of the regulation official and announced it will go into effect on June 23.

The development is noteworthy because despite the agency having previously adopted a final rule outlining its updated Children’s Online Privacy Protection Act (COPPA) regulation, the new Trump-appointed FTC Chair, Andrew Ferguson, could have significantly changed or chosen not to move forward with the reforms, which beef up restrictions for how children are treated online.

The new rule was published in the Federal Register on Monday, a step which finally guarantees that the highly anticipated, more restrictive rule will be implemented.

Privacy advocates had been concerned about the stricter rule’s fate prior to its appearance in the Federal Register, they said.

“The delay, coupled with Chairman Ferguson's written critique of some aspects of the final rule, led to a lot of speculation among the policy community that [Ferguson] could potentially nix it or try to amend the rule before submitting it to the Federal Register,” said Cobun Zweifel-Keegan, managing director of the Washington office of the IAPP.

“This development puts such speculation to rest and provides a due date for these new compliance obligations.”

Advocates say the new rule will have a major impact on children’s privacy.

“This is the first real significant regulatory change on the federal level as it relates to kids’ online privacy in decades,” Suzanne Bernstein, counsel at the Electronic Privacy Information Center said. “In addition to new disclosure requirements and a massive requirement to create an information security program, it also slows the flow of data to third parties for advertising and other purposes.”

The updated COPPA rule broadens websites’ and apps’ obligations to protect children’s confidentiality and data security by mandating that they establish information security programs monitored for risks on an annual basis.

It also sets tough deletion and retention requirements for children’s personal data and mandates that digital companies clearly lay out how they collect and use the data.

Under the latter provision, websites and apps must post information listing “identities and specific categories of any third parties to which the operator discloses personal information and the purposes for such disclosures.”

The new rule also constrains how websites and apps can share data outside of their organization, including with advertisers and data brokers, and mandates separate and additional verifiable parent consent before doing so.

Congress attempted to pass a new version of its own COPPA law, known as COPPA 2.0, last year but it failed. 

That legislation would have been even tougher than the new FTC COPPA rule by requiring parents to greenlight websites collecting or using data from kids under age 13. The FTC’s COPPA rule does not include such a provision. 

Congress’s COPPA 2.0 legislation was merged with a separate children’s online safety bill known as the Kids Online Safety Act (KOSA). The combined bill, the Kids Online Safety and Privacy Act (KOSPA), passed the Senate last July but ultimately died.