Summary
Under the finalized amendments to its children's privacy rule, the Federal Trade Commission will mandate that companies obtain opt-in consent before targeting advertising to children and prohibit them from retaining children's data indefinitely.
Bloomberg Law
"The Federal Trade Commission will require companies to secure opt-in consent for targeting advertising to children and bar them from retaining kids’ data indefinitely under finalized amendments to its children’s privacy rule being unveiled Thursday.
But the update to the FTC’s rules implementing the 1998 Children’s Online Privacy Protection Act drops proposed changes that would have prohibited businesses from sending kids push notifications without prior consent from parents and required companies to disclose when they collect personal information from those notifications.
The agency also pulled back on a proposed effort to ban educational technology providers from using students’ data for commercial purposes, which would have codified guidance in a May 2022 policy statement. The proposed amendment would have also allowed ed tech providers to get consent from schools instead of parents in some circumstances, a move that some parent groups opposed.
During outgoing FTC Chair Lina Khan’s tenure, the FTC has brought COPPA enforcement actions against big tech companies including Amazon and referred TikTok to the Justice Department. The finalized rule, formally proposed just over a year ago, is the first change to the agency’s COPPA rule since 2013. COPPA requires online service providers to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.
“As technology continues to develop at a swift pace, and risks to privacy along with it, the FTC must continue to build on the strong foundation that it has laid over the past three years to vigorously protect kids and teens online,” Khan wrote in a statement in which she also urged Congress to pass stronger protections for kids and teens online.
Under the finalized rule, covered entities will be allowed to retain the personal information of those young users only “for as long as reasonably necessary to fulfill a specific purpose for which it was collected,” according to an FTC press release. The amended rule explicitly outlines that companies cannot retain information indefinitely.
It also expands the definition of personal information to include biometric and government-issued identifiers. Safe Harbor programs—which allow companies to self-certify their compliance with children’s privacy protections—will also be subject to new transparency requirements including public disclosure of their membership lists.
As for the proposals it dropped, the commission said it will enforce COPPA in alignment with existing guidance.
“While the Commission declined to finalize those particular proposals, the agency notes that it remains concerned about the use of push notifications and other engagement techniques to keep kids online in ways that could harm their mental health,” according to the press release.
The agency said..."
