Privacy & Information Security Law Blog

On March 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) filed its response to the Federal Trade Commission’s notice of proposed rulemaking (“NPRM”), which addresses amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).

CIPL commended the FTC for deciding not to modify the COPPA Rule’s definition of “website or online service directed to children,” and for retaining the COPPA Rule’s “actual knowledge” standard. CIPL also agreed with the FTC that the definition of “personal information” cannot be expanded to include inferred data, though CIPL asked for clarification on how inferred data could nevertheless fall within the scope of the COPPA Rule’s so-called catch-all provision (16 CFR § 312.2).

CIPL agreed with the FTC that the COPPA Rule’s multi-factor test is the most practical and effective means for determining whether a website or online service is directed to children, but CIPL did not support adding “reviews by users or third parties, and the age of users on similar websites or services” to the non-exhaustive list of examples of evidence for consideration in analyzing audience composition and intended audience. It is not clear how such reviews would be authenticated as genuine, nor is it clear how the “age of users” would be determined or measured, or how a given website or service would be deemed “similar.”

CIPL also sought clarification on the proposed definition for “mixed audience website or online service,” noting, among other things, that the proposed requirement to collect age information “in a neutral manner that does not…encourage visitors to falsify age information” presents considerable challenges.

As for the proposed requirement to obtain separate verifiable parental consent for disclosures of a child’s personal information, CIPL noted that attempting to secure multiple consents could negatively impact the user experience and risk contributing to consent fatigue. Furthermore, it could degrade the quality of users’ experience where, for example, parents may be required to enter the same information twice in rapid succession. CIPL asked the FTC to take such factors into consideration and permit a more flexible approach that addresses when and to what extent a separate notice would be warranted.

While CIPL generally supports the FTC’s proposal to create a school authorization exception, CIPL sought additional clarification regarding the roles for persons providing authorization and attestation on behalf of schools. CIPL also encouraged the FTC to collaborate with the Department of Education to ensure that the COPPA Rule’s proposed school authorization exception will align with the “school official exception” in the Family Educational Rights and Privacy Act (“FERPA”).

As for the FTC’s proposed modifications to the COPPA Rule’s security requirements, CIPL agreed that operators should put in place safeguards for data that are appropriate for the sensitivity of children’s information. However, CIPL does not believe that operators should necessarily be required to establish, implement and maintain security programs specifically tailored to children’s personal information. To the extent operators already have a comprehensive security program in place, the need for a separate program addressing children’s personal information would be unnecessary.

Read CIPL’s Response to the Notice of Proposed Rulemaking on the Children's Online Privacy Protection Rule. It augments CIPL’s 2019 response to the FTC’s 2019 Request for Public Comment.