In the waning days of the Biden administration, the FTC published an update to its COPPA Privacy Rule. The status of this update, however, is unclear. The revisions to the rule were posted on the FTC website prior to the Trump administration, but had not yet been published in the Federal Register.
Trump's Presidential Memorandum freezing pending federal regulations means that it has not yet been published. And publication is the next step towards it going into effect. Second, and relatedly, the current FTC chair (Ferguson) had expressed concerns about the rule. It is thus likely that it will not be published, at least as currently drafted. As we wait for next steps, for those companies that offer websites directed to or appealing to children, a quick recap. First, the items that were not of concern for Ferguson (and thus likely to be implemented as are):
- Website notice (privacy policy). The content of website notice for those subject to COPPA under the rule as revised will require new content. This includes steps a site takes to make sure persistent identifiers used for operational purposes are not used for behavioral advertising. Additionally, for sites collecting audio files, the privacy policy must indicate how the files are used and deleted.
- Verifiable parental consent. The revised rules provide for new methods of parental verification. This includes comparing a parent's authenticated government ID against their face (using a camera app, for example). It also includes a "dynamic, multiple-choice" question approach, if the questions would be too hard for a child 12 or under to complete. The revision also permits texting for what has been traditionally known as the "email-plus" verification process, which can be used when children's information is not disclosed. Also added is another "one time use" exception to parental consent. Namely collecting and responding to a question submitted by a child through an audio file.
- Security. The new rule will require sites to have a written information security program. This goes beyond the current obligation to have "reasonable measures" in place. The security obligations are detailed, and mirror security obligations that exist under various state data security laws.
- Definitions. As revised the rule will add "biometric identifiers" to the list of personally identifiable information. These are elements like fingerprints or voiceprints that can be used to identify someone. The definition also includes someone's "gait." The rule will also include the definition of "mixed audience" site, a term currently used by the FTC in its COPPA FAQs.
Putting it into Practice: While we await the publication of the revised rules, whether in the format that they took before the new administration, or in a revised format, companies that operate websites subject to COPPA can keep in mind the parts of the new rule that were not of concern to Ferguson. These include new content in privacy policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
