FTC Seeks to Strengthen Rules Around Monetizing Children’s Data

The Federal Trade Commission (FTC) has proposed changes meant to enhance children’s privacy and restrict companies’ ability to exploit children’s data for monetization purposes.

The proposed changes to the Children’s Online Privacy Protection Act Rule (COPPA Rule) aim to shift the responsibility of ensuring the safety and security of digital services for children from parents to service providers, the FTC said in a Wednesday (Dec. 20) press release.

The COPPA Rule, implemented in 2000, mandates that certain websites and online services that collect personal information from children under 13 must notify parents and obtain verifiable parental consent before collecting, using or disclosing such information, according to the release. The rule also sets limits on the types of personal data that can be collected from children and requires data security measures.

The proposed changes address the evolving landscape of data collection, usage and disclosure, the release said.

Some of the key provisions include requiring websites and online services to obtain separate verifiable parental consent before disclosing information to third parties; prohibiting them from conditioning a child’s participation on personal information collection; and requiring operators to provide online notice specifying the specific internal operations for which persistent identifiers are collected, per the release.

Additional changes would prohibit operators from using online contact information and persistent identifiers to send push notifications encouraging children to use their service more; prohibiting the commercial use of children’s information in educational technology; and requiring COPPA Safe Harbor programs to publicly disclose membership lists, according to the release.

Strengthening data security requirements is another proposed change, the release said. Operators would be mandated to establish, implement and maintain a written children’s personal information security program with appropriate safeguards.

The FTC also proposes expanding the definition of “personal information” to include biometric identifiers and considering marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed toward children, per the release.

The public will have a 60-day period to submit comments on the proposed changes to the COPPA Rule after the notice is published in the Federal Register, according to the release.

In one application of the existing COPPA Rule, the FTC said in December 2022 that Fortnite game creator Epic Games would pay $520 million for violating its rules.

Epic Games replied at the time that the video game industry experiences fast-moving innovation, that player expectations are high and that decades-old statutes don’t specify how today’s gaming ecosystems should operate.