By Melissa Steinman, Christopher Crook, and Kathleen Sheridan
The Federal Trade Commission held a workshop yesterday in Washington, D.C., to discuss possible updates to the COPPA Rule, which implements the Children’s Online Privacy Protection Act (“COPPA”). COPPA was originally enacted in 1998 and regulates the way entities collect data and personal information online from children under the age of 13. The Rule hasn’t been updated since 2013, and the intervening years have produced seismic technological advances and changes in business practices, including changes to platforms and apps hosting third-party content and marketing targeting kids, the growth of smart technology and the “Internet of Things,” educational technology, and more.
The Federal Trade Commission held a workshop yesterday in Washington, D.C., to discuss possible updates to the COPPA Rule, which implements the Children’s Online Privacy Protection Act (“COPPA”). COPPA was originally enacted in 1998 and regulates the way entities collect data and personal information online from children under the age of 13. The Rule hasn’t been updated since 2013, and the intervening years have produced seismic technological advances and changes in business practices, including changes to platforms and apps hosting third-party content and marketing targeting kids, the growth of smart technology and the “Internet of Things,” educational technology, and more.
For the most part, FTC staff moderators didn’t tip their hand as to what we can expect to see in a proposed Rule revision. (One staff member was the exception, whose rapid-fire questions offered numerous counterpoints to industry positions, so much so that the audience would be forgiven for thinking they were momentarily watching oral argument at the Supreme Court.) Brief remarks from Commissioners Wilson and Phillips staked out their positions more clearly, but their individual views were so different that they too offered little assistance in predicting what a revised Rule may look like. Commissioner Wilson opened the workshop by sharing her own experience as a parent trying to navigate and supervise the games, apps and toys played by her children, and emphasized the need for regulation to keep up with the pace of technology to continue protecting children online. Commissioner Phillips also referred to his children at one point, but his remarks warned against regulation for regulation’s sake, flagged the chilling effect on content creation and diversity when businesses are saddled with greater compliance costs, and advocated a risk-based approach.
The divergent views of the Commissioners were echoed throughout the workshop’s many panels, which comprised members of industry, consumer advocacy groups and academia. A majority of the participants agreed that the COPPA Rule should be updated and enforcement stepped up, but agreement largely ended there.
Industry clamored for clarity in the COPPA Rule, particularly in terms of the multifactor test for determining that a service is child-directed. Industry representatives also sought consistency across legal regimes, noting that COPPA, the European Union General Data Protection Regulation, the California Consumer Privacy Act, and various similar laws around the world set different age limits and impose differing legal obligations. Some in industry also feared regulations that would require them to collect more personal information than they currently do, and argued that doing so undermines the principle of data minimization. As would be expected in any discussion about regulation, industry also argued against any Rule changes that increase the cost of doing business. Finally, many of the industry representatives expressed a strong desire to continue limiting the COPPA Rule to one addressing the collection of children’s data, and to confine the rulemaking proceeding accordingly. They opposed turning COPPA Rule reform into a referendum on children’s content standards.
By contrast, consumer and child privacy advocates argued against weakening existing protections and repeatedly pressed the Commission to invoke its 6(b) authority to gather more information from industry. They argued that children’s privacy cannot be protected without understanding current industry practices on child data collection, use and disclosure, as well as the relative value of various advertising types and algorithms that utilize varying degrees of personal information for targeting and personalization. Advocates also pushed to expand the list of factors for child-directed services to include operators’ representations about their audiences. They argued that if an operator tells app stores, investors, advertisers, ad networks and others that their service is a good way to reach children, it constitutes constructive knowledge at the very least. Finally, advocates argued that teens have been largely ignored and should be offered some level of protection through regulation.
All in all, the workshop made for a lively day of discussion on what, if anything, should be done to update the COPPA Rule, with FTC staff listening intently to the discussions. If you’re interested in this topic and missed the workshop, it is not too late for your voice to be heard. The public comment period is open until October 23 and comments can be submitted here. This rulemaking is critically important to multiple industries and is of particular relevance to online video/streaming platforms, esports/gaming companies, and app developers, among others. If you would like to discuss the COPPA Rule or possible updates, or would like assistance submitting a comment, please feel free to contact Katie, Chris, or Melissa.