The Federal Trade Commission (FTC) has proposed new changes to the regulations it currently enforces under the Children’s Online Privacy Protection Act (COPPA), seeking to further limit the collection and use of children’s data by tech companies, especially when used for targeted advertising.
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” FTC Chair Lina Khan said in the official announcement. According to Khan, the proposed changes would prevent companies “from outsourcing their responsibilities to parents” when it comes to managing children’s data.
According to the FTC, the agency received more than 175,000 public comments in 2019 when it began its most recent review of its regulations under COPPA. That same year, the regulator issued hundreds of millions of dollars in combined fines to YouTube and TikTok — the vast majority from YouTube — for mishandling data from users ages 13 and under.
Since then, calls to regulate Big Tech companies further have only grown, flooding Congress with various internet childproofing bills ranging from restricting what kids can see to undermining encryption and mandating age verification — and even outright bans on young kids using social media.
The revised COPPA rulemaking is generally less extreme than these bills — which is unsurprising since, theoretically, agency regulations are made within the limits of what Congress has already greenlit. Where many of these legislative bills go after users’ behavior and can directly impact personal privacy, the FTC’s proposed rules instead target the collection of data — specifically, the data of users ages 13 and under. For instance, companies wouldn’t be able to opt kids in to targeted ads by default, and they’d need to “separate verifiable parental consent” for disclosing data to third parties unless it’s strictly necessary for the service or website. Neither would companies be allowed to withhold services if those children withhold consent to targeted advertising.
Companies would also have to justify why they want to keep persistent identifiers on hand and would be forbidden from using them in push notifications to encourage kids to return to their apps when they aren’t actively using them.
The proposed rule changes include additional limits on data retention. Data would only be allowed to be maintained for specific purposes and could not be kept indefinitely. Data collection on children by education tech firms would be subject to school approval and couldn’t be used for commercial purposes.
For what it’s worth, a few of these proposed changes overlap with provisions in the Protecting Kids on Social Media Act, which was introduced earlier this year. But where Congress is deadlocked, regulatory action like agency rulemaking is a much more predictable process. The new regulations will only be finalized after feedback from the public — the FTC will be collecting public comment on the proposal for 60 days after posting notice in the Federal Register.