Federal Trade Commission finalises changes to the Children’s Privacy Rule so as to limit companies’ ability to monetise children’s data
January 31, 2025
The United States has quite an effective child privacy protection law, the Children’s Online Privacy Act. It also has a very sophisticated data broking and analytics industry, and some businesses have no problem collecting data on children to assist in marketing products and services. The Federal Trade Commission has announced changes to the Children’s Online Privacy Protection Rule which set new requirements about the collection, use and disclosure of children’s personal information, require parents to opt in to third-party advertising and place limits on data retention.
The United States and the European Union are far ahead of Australia when it comes to dedicated privacy protection. The eSafety Commissioner provides some regulatory assistance but it is not focused enough on privacy. Under the amendments to the Privacy Act 1988 in the Privacy and Other Legislation Amendment Bill 2024, passed late November last year, the Commissioner will develop a Children’s Online Privacy Code to better protect children from a range of online harms. That Code will take effect in 2 years.
The media release from the FTC provides:
The Federal Trade Commission finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.
The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.
“The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina M. Khan. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”
In January 2024, the FTC proposed changes to the COPPA rule to ensure it keeps pace with changes in the marketplace since the rule was last updated in 2013. The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.
In a notice that will soon be published in the Federal Register, the FTC made several amendments to the rule, including:
- Requiring opt-in consent for targeted advertising and other disclosures to third parties: Website and online service operators covered by COPPA will be required to obtain separate verifiable parental consent to disclose children’s personal information to third-party companies related to targeted advertising or other purposes.
- Limits on data retention: The rule requires covered operators to only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected. This provision explicitly states that operators cannot retain the information indefinitely.
- Increasing Safe Harbor programs’ transparency: The FTC-approved COPPA Safe Harbor programs, which are self-regulatory programs that implement the protections of the COPPA Rule, will be required to publicly disclose their membership lists and report additional information to the FTC as part of efforts to increase accountability and transparency in the programs.
The final rule includes several amended definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers.
After reviewing the nearly 300 comments the agency received on the proposed changes to the COPPA Rule, the Commission decided against adopting some proposed changes, including proposed requirements that were intended to limit the use of push notifications directed to children without parental consent and changes relating to the requirements applicable to educational technology companies operating in a school environment.
While the Commission declined to finalize those particular proposals, the agency notes that it remains concerned about the use of push notifications and other engagement techniques to keep kids online in ways that could harm their mental health.