The Federal Trade Commission (FTC) is currently seeking comments on new rules that would further restrict platforms’ efforts to monetize children’s data.
Through the Children’s Online Privacy Protection Act (COPPA), the FTC initially sought to give parents more control over what kinds of information that various websites and apps can collect from their kids. Now, the FTC wants to update COPPA and “shift the burden from parents to providers to ensure that digital services are safe and secure for children,” the FTC’s press release said.
“By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents,” FTC chair Lina Khan said.
Among proposed rules, the FTC would require websites to turn off targeted advertising by default and prohibit sending push notifications to encourage kids to use services more than they want to. Surveillance in schools would be further restricted, so that data is only collected for educational purposes. And data security would be strengthened by mandating that websites and apps “establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children.”
Perhaps most significantly, COPPA would also be updated to stop companies from retaining children’s data forever, explicitly stating that “operators cannot retain the information indefinitely.” In a statement, commissioner Alvaro Bedoya called this a “critical protection” at a time when “new, machine learning-fueled systems require ever larger amounts of training data.”
These proposed changes were designed to address “the evolving ways personal information is being collected, used, and disclosed, including to monetize children’s data,” the FTC said.
Keeping up with advancing technology, the FTC said, also requires expanding COPPA’s definition of “personal information” to include biometric identifiers. That change was likely inspired by charges brought against Amazon earlier this year, when the FTC accused Amazon of violating COPPA by retaining tens of thousands of children’s Alexa voice recordings forever.
Once the notice of proposed rulemaking is published to the Federal Register, the public will have 60 days to submit comments. The FTC likely anticipates thousands of parents and stakeholders to weigh in, noting that the last time COPPA was updated in 2019, more than 175,000 comments were submitted.
Endless tracking of kids not a “victimless crime”
Bedoya said that updating the already-expansive children’s privacy law would prevent known harms. He also expressed concern that increasingly these harms are being overlooked, citing a federal judge in California who preliminarily enjoined California’s Age-Appropriate Design Code” in September. That judge had suggested that California’s law was “actually likely to exacerbate” online harm to kids, but Bedoya challenged that decision as reinforcing a “critique that has quietly proliferated around children’s privacy: the idea that many privacy invasions do not actually hurt children.”
For decades, COPPA has protected against the unauthorized or unnecessary collection, use, retention, and disclosure of children’s information, which Bedoya said “endangers children’s safety,” “exposes children and families to hacks and data breaches,” and “allows third-party companies to develop commercial relationships with children that prey on their trust and vulnerability.”
“I think each of these harms, particularly the latter, undermines the idea that the pervasive tracking of children online is [a] ‘victimless crime,'” Bedoya said, adding that “the harms that COPPA sought to prevent remain real, and COPPA remains relevant and profoundly important.”
According to Bedoya, COPPA is more vital than ever, as “we are only at the beginning of an era of biometric fraud.”
Khan characterized the proposed changes as “much-needed” in an “era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.”
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” Khan said.