Regulators Look To Improve Online Privacy For Minors

The Federal Trade Commission (FTC) has proposed updates to a 1998 law that regulates how companies can use the personal data of children online, the Associated Press reported.

The Children’s Online Privacy Protection Act (COPPA), passed in 1998 and enacted in 2000, requires websites and apps geared toward children to receive parental consent before collecting the personal data of those under the age of 13.

The FTC, which last updated COPPA in 2013, has proposed new changes to the law which FTC Chair Lina Khan said in a December 20 statement are especially needed now that “online tools are essential for navigating daily life” and companies have deployed “increasingly sophisticated digital tools to surveil children.”

The FTC is proposing that websites, apps, and online games used by children should be required to obtain separate and verifiable parental consent before disclosing information about children under 13 to third-party advertisers except when disclosure is “integral” to the online service.

The proposal also includes limits on the use of online contact information and identifiers like cookies that track a child’s online activity to send push notifications prompting children to use more of their service.

The FTC is also proposing adding to COPPA its current guidance on the use of education technology to prohibit the commercial use of a child’s personal information. The rule proposed would permit school districts to allow ed-tech providers to collect, use, and disclose a student’s information only for educational purposes authorized by the district and not for commercial use.

The FTC is also proposing rules on data retention that would limit companies from keeping a child’s personal information only for as long as needed for the companies to “fulfill the specific purpose” for which the information was collected.

The proposal would prohibit the indefinite retention of a child’s personal information and prohibit operators from retaining it for secondary purposes. Operators would also be required to create a written data retention policy on children’s personal information that must be made public.