After years of rulemaking processes, reviewing submitted comments, and deliberation, the FTC announced final changes to the COPPA Rule. The Rule, which regulates children’s data privacy, has only been updated a few times since it was enacted in 2000, and this is the first update since 2013. There have been monumental changes to the internet and how kids use it over the past decade, and it is welcome news to bring this regulation up to date.
COPPA is one of the defining laws of internet governance and has significantly shaped online platforms and services over the last 25 years. Defining a child as under 13 established that as the cutoff age for many online services, requiring Verifiable Parental Consent influenced the whole ecosystem of notice and consent, and establishing safe harbors as part of compliance were all fundamental in influencing what the platforms and services look like today.
While COPPA is a data privacy law, it is the closest thing the federal government has to one for online safety. Legislative efforts to update COPPA and to pass a standalone online safety law have come close but consistently failed to get across the finish line. Unlike other legislative proposals or state laws that have been paused in court, COPPA is an existing statute, the FTC is a real enforcement agency, and companies must comply. Therefore, this COPPA Rule update is a significant moment that the industry must take seriously.
There are plenty of things to like in the updated Rule:
There are also new definitions of key terms like “mixed audience”, including biometric identifiers as “personal information”, and a new “text plus” VPC method that hopefully eases the barriers for guardians to provide consent.
Interestingly, the rule does not include sections on schools and EdTech, despite those sections appearing in the proposed draft of the updates. Student data privacy is complicated as the Department of Education, not the FTC, oversees the dedicated student data privacy law FERPA. However, as technology use in the classroom has expanded dramatically, student data privacy remains an important issue that must be carefully considered in future rulemaking.
FOSI has engaged with the FTC a number of times on these issues, including responding to the proposed Rule modifications in 2024 and offering advice when the Rule review began in 2019. We have also featured FTC Commissioners at our events including in 2023 and 2022, and met with their offices throughout their Rule review. Organizations dedicated to data privacy have also been providing input and expertise throughout this process, and have also posted their own reactions to the updated Rules, including IAPP and FPF.
We plan to release more analysis of and reactions to the Rule shortly. It is good to see bipartisan work in the kids’ online safety space, as demonstrated by the unanimous vote to approve publication of the new Rule. This update and the broader focus on online safety can serve as a bridge from the end of Lina Khan’s leadership of the Commission to incoming-Chair Andrew Ferguson’s, as he highlighted a couple of areas where he would like to provide additional clarity and make further improvements to the COPPA Rule.
Your information will be subject to a different privacy policy that we recommend you review. FOSI has no control over the content of an external site.
.svg)
