“Anyone who believes that children deserve to explore and play online without being tracked and manipulated should support this update.”
To ensure that tech giants will not have “carte blanche with kids’ data,” as one advocacy group said, the Federal Trade Commission on Wednesday unveiled major proposed changes to the United States’ online privacy law for children for the first time in a decade, saying that companies’ evolving practices and capabilities require stronger protection for young people.
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina Khan as she announced proposed changes to the Children’s Online Privacy Protection Act (COPPA) of 1998.
For more than two decades the law has restricted companies’ online tracking of children through social media apps, video games, and advertising networks by requiring firms to obtain parental consent before gathering or using young users’ personal information.
Platforms like Instagram and TikTok have sought to comply with COPPA by prohibiting children under age 13 from having accounts and requiring users to provide their birth dates, but regulators have accused several tech companies of failing to adequately protect children, and firms including Amazon, Google, and Epic Games have been hit with multimillion dollar penalties for COPPA violations.
Under the proposed changes, companies would be:
- Required to obtain verifiable parental consent to disclose user information to third parties including advertisers, “unless the disclosure is integral to the nature of the website or online service”;
- Prohibited from using personal information to send “push” notifications urging kids to use their services or platforms more;
- Required to establish and implement a written children’s personal information security program;
- Required to establish and make public a written retention policy for children’s data; and
- Prohibited from using any retained personal user information for any secondary purpose or from retaining the information indefinitely.
Education technology firms would also be permitted to collect and use students’ personal information only for school-authorized educational purposes and not for commercial use, and COPPA Safe Harbor programs—industry groups which are permitted to seek FTC approval for self-regulatory guidelines that are the same as or stronger than COPPA’s—would be required to publicly disclose their membership lists and report additional information to the FTC.
Haley Hinkle, policy counsel for children’s digital advocacy group Fairplay, said the proposed rulemaking builds on the FTC’s recent enforcement actions against companies including Epic Games—which charged users, including children, for unwanted purchases—and Meta, which misled parents about controls on its Messenger Kids app and about who could access kids’ data.
“With this critical rule update, the FTC has further delineated what companies must do to minimize data collection and retention and ensure they are not profiting off of children’s information at the expense of their privacy and well-being,” Hinkle said. “Anyone who believes that children deserve to explore and play online without being tracked and manipulated should support this update.”
Katharina Kopp, director of policy for the Center for Digital Democracy, said that strengthened online safeguards are “urgently needed” as markets and web companies increasingly pursue children “for their data, attention, and profits.”
The rule will “help stem the tidal wave of personal information gathered on kids,” Kopp said.
“The commission’s plan will limit data uses involving children and help prevent companies from exploiting their information,” she added. “These rules will also protect young people from being targeted through the increasing use of AI, which now further fuels data collection efforts. Young people 12 and under deserve a digital environment that is designed to be safer for them and that fosters their health and well-being. With this proposal, we should soon see less online manipulation, purposeful addictive design, and fewer discriminatory marketing practices.”
Khan said the updated rules will make clear that safeguarding children’s data online is the responsibility of tech firms.
“The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children,” she said. “Our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”
Zamaan Qureshi, co-chair of the Design It for Us coalition, said the proposed rules, which are subject to a 60-day public comment period before the FTC votes on them, “will make kids and teens much safer online.”
BIG! FTC releases new proposed rulemaking under COPPA. Initial reaction: this will make kids+teens much safer online. Proposed changes include:— Zamaan Qureshi (@zamaan_qureshi) December 20, 2023
▪️ required separate opt-in for targeted ads
▪️ limits on nudges
▪️ strengthens data security/limits collectionhttps://t.co/uoPmPROECH
“We applaud the FTC’s new proposed rules that strengthen COPPA by centering the experience of children online, rather than Big Tech’s bottom line,” said Qureshi. “The proposed rule directly targets Big Tech’s toxic business model by requiring the invasive practice of surveillance advertising to be off by default, limiting harmful nudges that keep young people coming back to the platform even when they don’t want to, and including protections against the collection of biometric information.”
“The FTC is acting where Congress has failed to, imposing strict rules for Big Tech who have spent years profiting off our personal information and data,” Qureshi added. “This proposal should signal to Congress to act quickly in 2024 to advance bipartisan kids’ privacy and safety legislation.“
This work is licensed under Creative Commons (CC BY-NC-ND 3.0).