The Federal Trade Commission is proposing sweeping changes to a decades-old law that regulates how online companies can track and advertise to children, including turning off targeted ads to kids under 13 by default and limiting push notifications.
The federal Children’s Online Privacy Protection Act, or COPPA, requires kid-oriented apps and websites to get parents’ consent before collecting personal information of children under 13. COPPA was enacted in 1998, went into effect in 2000 and was last updated a decade ago.
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina Khan in a statement. “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life — and where firms are deploying increasingly sophisticated digital tools to surveil children.”
Children’s online safety advocates applauded the announcement.
“The commission’s plan will limit data uses involving children and help prevent companies from exploiting their information,” said Katharina Kopp, director of policy at the nonprofit Center for Digital Democracy. “These rules will also protect young people from being targeted through the increasing use of AI, which now further fuels data collection efforts. Young people 12 and under deserve a digital environment that is designed to be safer for them and that fosters their health and well-being.”
Here are some of the changes the FTC is proposing:
OPT-IN FOR TARGETED ADS
Apps, games and websites used by children would be required to obtain “separate, verifiable parental consent” to disclose information about kids under 13 to third-party advertisers, unless the disclosure is “integral” to the nature of the online service. And they won’t be able to deny access to the games and apps just because parents don’t agree to having their children’s information disclosed — which is possible today.
LIMITS ON NUDGING KIDS TO STAY ONLINE
Operators would be prohibited from using online contact information and “persistent identifiers” such as cookies that track a child’s activity online to send push notifications to children to prompt or encourage them to use their service more.
The FTC is proposing codifying its current guidance related to the use of education technology to prohibit commercial use of children’s information, among other safeguards. The proposed rule would allow schools and school districts to allow educational technology providers to collect, use, and disclose students’ personal information — but only for a school-authorized educational purposes and not for any commercial use.
DATA RETENTION RULES
The proposed rules would only allow companies to keep personal information for “as long as necessary to fulfill the specific purpose for which it was collected.” They would also prohibit operators from using retained information for any secondary purpose and from retaining the information indefinitely. The Rule would also require operators to establish a written, public data retention policy for children’s personal information.