It will soon be more difficult for corporations to collect and monetize kids’ data in the US if the FTC goes ahead with several changes to the Children’s Online Privacy Protection Act (COPPA).
The American consumer watchdog on Wednesday proposed several modifications to data privacy law, which it says will better reflect “changes in technology and online practices” and “strengthen its protection of personal information collected from children.” [PDF]
Some of the proposed COPPA changes would mandate that businesses maintain a children’s personal information security program and data retention policy that only allows them to keep kids’ data for as long as is needed to fulfill the specific purpose for which it was collected.
They are also requiring a separate opt-in from parents to allow websites to disclose kids’ info to third-parties, including advertisers. Plus, it would prohibit companies from limiting access to online services based on parents’ opting in.
Another proposed change also bans firms from collecting more personal information “than is reasonably necessary” for a child to participate in a game, or offering to receive a prize, or activities of that nature. The FTC is also considering adding new language to the act to clarify the meaning of “activity.”
The commission also wants to set limits on the “internal operations exception,” which allows website operators to collect kids’ persistent identifiers without parental consent as long as they are only using these identifiers to support the website’s internal operations. If the changes are approved, operators will be required to post an online notice stating the specific internal operations for which they have collected a persistent identifier.
Businesses would also be prohibited from using online contact details and persistent identifiers to send push notifications to kids encouraging them to spend more time online.
The FTC plans to pay special attention to educational technology providers, only allowing them to collect, use and disclose students’ personal information for school-authorized learning purposes — not for commercial uses.
And finally, there’s the expanded definition of “personal information,” which the commission says should also include biometric identifiers.
All of these proposed changes have been published in the Federal Register, and the public now has 60 days to submit comments on them.
In a statement on the proposed rule changes, FTC Commissioner Alvaro Bedoya cited harms to children from privacy invasions, including specific cases where adults used kids’ data collected online to communicate with and harass children, as well as the potential for kids’ biometric data including fingerprints and voices, to be used for nefarious purposes.
“We are only at the beginning of an era of biometric fraud,” Bedoya said [PDF]. “The corporate practices I have encountered as a commissioner make me highly concerned about how companies are protecting children’s biometric data against breaches, fraud, and abuse.”
The FTC has been in crack-down mode when it comes young people’s data. This year alone, it accused huge tech companies including Amazon and Epic Games of violating COPPA. Amazon’s Alexa allegedly retained voice recordings of kids under 13 — resulting in a $25 million payment — while Epic Games shelled out $275 million for allegedly violating children’s privacy and tricking customers into making unwanted purchases.
Meanwhile, Meta is being sued by 33 states’ attorneys general who say the social media titan knowingly harms children and teenagers by, among other things, collecting and storing their personal data without first getting their parents’ permission, thus violating COPPA. Meta has also filed a lawsuit challenging the FTC’s authority to regulate the social advertising giant, including making money off of kids’ data. ®
source: The Register