The FTC has proposed tightening rules that protect children from the surveillance economy. The updated rules would require companies to get parental approval before sharing data with advertisers and would prohibit retaining data for nebulous “internal operations,” among other things.
“The proposed changes to COPPA are much needed, especially in an era where online tools are essential for navigating daily life and where companies are deploying increasingly sophisticated digital tools to monitor children.” said FTC Chair Lina Khan. in a blog post. “Children should be able to play and learn online without being endlessly tracked by companies seeking to hoard and monetize their personal data.”
The Children's Online Privacy Protection Act, or COPPA, has been around since 2000, and while it remains effective in preventing the most egregious data collection and abuse when it comes to children, it was also last updated in 2013 and He could use a new coat. Of paint. The FTC asked for comments quite some time ago on how it should change the rules, and the response (as is often the case on Internet privacy issues) was voluminous.
“After the FTC announced it was considering revising the COPPA rule, we received more than 175,000 comments.” the agency said in a press release. “The proposed rule reflects what we heard from parents, educators, industry members, researchers and others, as well as our 23 years of experience enforcing COPPA.”
The agency will soon publish a Notice of Proposed Rulemaking, or NPRM, which is a draft of the new COPPA rules that the public can comment on and criticize over the next 60 days. The exact timing depends on when the document appears in the Federal Register, something that is out of the FTC's control but likely will be in the coming weeks. In the meantime you can see a draft here.
Here's what the updated rule would require:
- Option for parental involvement before sharing any child's information with third parties, unless such sharing is “integral” to the service. Expect a lot of things to suddenly become “comprehensive” next year!
- Reduce the legal loophole of “support for internal operations”. Amazon, for example, abused this exception and retained children's information indefinitely to improve its speech recognition models. Less than that, hopefully.
- A better justification for “nudges,” like push notifications to get kids to open an app or stay online.
- Children should not be forced to provide personal information to use an app or feature, such as things like “enter your birthday to get 100 free crystals.”
- No data will be retained beyond its original stated use. As in the Amazon example, they could use a child's voice command to launch an application (main use), but “safely” nothing more afterward.
- Schools and school districts may authorize educational technology providers to collect and use students' personal information, but only for educational purposes.
- “Personal information” now includes biometrics.
And a couple more things, plus many more details (which will be of interest primarily to those directly interested) in the NPRM itself. If you're curious about why some of these things are necessary, or even why COPPA is necessary, Commissioner Álvaro Bedoya posted a helpful explanation on the topic..
Sen. Brian Schatz (D-HI) approved the update, calling it “an encouraging step toward implementing safeguards to protect younger social media users from constant surveillance and manipulation.”
But, he continued, “rulemaking is no substitute for law: Congress must act. “We urgently need to pass legislation that protects children online by establishing minimum age requirements for social media use and prohibiting algorithmic targeting of children and adolescents.”
Given the current state of Congress and the prospect of 2024 being lost (at the very least) in a contentious election, I suspect the senator's urgency will not materialize into law anytime soon. The FTC rules will have to stay in place for a while.
