The Federal Trade Commission is considering more stringent changes to an online privacy rule that determines how websites and services can collect and use personal information from children.

The Children’s Online Privacy Protection Act, or COPPA, has been in effect since 2000, and details how websites notice, collect and use (especially in marketing) private, personal information. It generally applies to commercial websites that are either directed toward children under 13, and largely exempts recognized nonprofit websites.

What You Need To Know

  • The Federal Trade Commission has proposed more stringent changes to an online privacy rule that determines how websites and services can collect and use personal information from children

  • The changes proposed to COPPA would expand privacy disclosures that companies must provide to parents of children seeking to use websites catered to kids

  • Among other changes, the proposed rules also update the definition of "personal information" to include biometric data — including user finger, hand, retina, voice, face or gait data

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” FTC Chair Lina Khan said in a statement. “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.”

These new proposed revisions, the FTC says, “reflect technological changes, provide greater protections for kids’ personal information, and ensure that parents — not companies — are still in the driver’s seat when it comes to children’s data.”

The changes would expand disclosure requirements that companies must provide to users with privacy agreements, while strengthening requirements for data security, limiting data retention and codifying education tech guidance.

One change to the rule would require parents to opt-in to allowing targeted advertising, making it illegal for companies to disclose kids’ information without first getting separate consent from a parent. Another would urge websites to provide a notice explaining what identifying information they’re collecting as “internal operations” data and how they will prevent users from being contacted, including through targeted ads.

The rule would also reinforce an existing ban on services keeping users from participating in an app or a service on the condition of providing more personal information than is reasonably necessary.

Companies would also be limited from using push alerts and other “nudges” to keep kids using their services without parental consent and from indefinitely holding on to information tied to child-age users. Proposed rule changes would also update the definition of “personal information” to include biometric identifiers, including fingerprints, handprints, retina and iris patterns, genetic data and data derived from a person’s face, voice or gait.

COPPA was last updated in 2013, when it expanded definitions regarding collecting data from children, added requirements for third parties to protect user information.

Major tech companies have faced fines in the hundreds of millions of dollars for COPPA violations, including Fortnite developer Epic Games (a $275 million penalty), TikTok parent company ByteDance (a $5.7 million fine) and YouTube (a $170 million fine).

The YouTube settlement with the FTC led to changes affecting how content creators declare their channels and videos, restrictions on targeted advertising, guidelines determining if a video might be “directed to children” and potential fines up to $42,000 per videos and channels that violate those guidelines.

Public comments can be made on the proposed rule changes 60 days after the FTC runs a Notice of Proposed Rulemaking.

The Associated Press contributed to this report.