Amidst all of the recent news and developments about the privacy of kids and teens (including multiple Congressional hearings; Frances Haugen’s testimony; enactment of the UK’s and California’s Age Appropriate Design Codes; the Irish DPC’s GDPR decision against Instagram; numerous bills in Congress; and the FTC’s ongoing focus on kids’ privacy in policy statements, workshops, and its “commercial surveillance” rulemaking), the FTC still has a powerful tool that seems to be sitting on the back-burner: the Children’s Online Privacy Protection Act (COPPA) and its implementing rule.
But some members of Congress just wrote a letter to the FTC, asking it to make COPPA a priority.
Background on COPPA
As most of our readers know, COPPA protects the privacy of kids under 13, mostly by requiring kid-directed web sites or apps, or sites/apps that have actual knowledge they’re dealing with kids, to get parental permission before collecting, using, or sharing kids’ data. Enacted in 1998, COPPA is now nearly 25 years old, a dinosaur in today’s fast-moving world of privacy. However, using the APA rulemaking authority granted in COPPA, the FTC has amended its COPPA rule to ensure that it keeps pace with developments – for example, extending the rule to ad networks and plug-ins; adding geolocation, persistent identifiers, photos, and videos to the definition of “personal information”; and strengthening the rule’s requirements governing data security, retention, and deletion.
However, those updates to COPPA became final in 2013 – almost ten years ago – and the FTC hasn’t amended the rule since then. Although the FTC initiated a rule review in July 2019, that review is still pending more than three years later. According to Regulations.gov, the Commission received over 176,000 public comments in the rule review. That’s a lot of comments, but it surely can’t explain such a lengthy delay.
Why hasn’t the FTC moved forward here?
There are likely a few reasons. First, as Commissioner Bedoya reportedly stated at a recent conference, the FTC is hoping that Congress updates the law – whether through amendments to COPPA (aka “COPPA 2.0”) or enactment of general privacy legislation – before the FTC must decide if and how to revise its COPPA rule. This is because Bedoya and other champions of kids’ privacy believe that fundamental changes to COPPA are needed – changes that go beyond what the FTC can do via rulemaking. Such changes include, for example, extending protections to teens or “tweens”; banning certain practices, like targeted advertising to minors; and changing the knowledge standard for general audience sites/apps from “actual knowledge” to “constructive knowledge.”
Second, the FTC appears to be considering whether it can expand kids’ and teens’ privacy protections through its FTC Act/Mag Moss authority – i.e., without having to rely on the COPPA statute. As we blogged a few weeks ago, the FTC’s “commercial surveillance” ANPR includes numerous questions about kids and teens that extend well beyond the FTC’s authority under COPPA, presumably in reliance on the underlying authority for the rulemaking (i.e., the FTC Act and Mag Moss). However, as we mentioned in the blogpost, there are obstacles to doing so, which the FTC is likely mulling. For one thing, the FTC’s power to expand kids’ protections through Mag Moss is limited. Indeed, Mag Moss requires proof that any practice to be regulated is “unfair or deceptive” but includes a specific provision restricting the FTC’s ability to regulate kids’ advertising using unfairness. (Advertising and privacy aren’t exactly the same thing, but there’s a big overlap.) For another thing, Congress and/or the courts might look askance at efforts by the FTC to “fill gaps” in COPPA using its general FTC Act/Mag Moss authority.
Third, the FTC (and its roughly 50-person privacy division) may simply have its hands full with the all of the tasks it has undertaken in privacy – including the “commercial surveillance” rulemaking; the upcoming workshop on “stealth advertising” directed to kids; the still-pending 6(b) study on social media and video streaming services (which included pointed questions regarding kids’ privacy); the “crackdowns” it has announced on EdTech, dark patterns (see here and here), and the misuse of sensitive health and location data; and other ongoing enforcement and policy demands.
The above context makes the letter that four Democratic members of Congress (Senators Markey and Blumenthal and Representatives Castor and Trahan) sent to the FTC last week all the more interesting. The letter, which appears to be a response to Commissioner Bedoya’s statement that the FTC is waiting for Congress to act, essentially says “please don’t wait for us” and “we expect you to move forward on COPPA.” These members are all key players in kids’ privacy: Markey is the architect of the original COPPA statute and all four have sponsored bipartisan bills to expand kids’ and teens’ privacy (with the two bills in the Senate getting markups and votes out of the Senate Commerce Committee). However, they see time running out in this Congress for passage of their bills, and potentially time running out for the FTC before the 2024 election – and they don’t want the opportunity for kids’ privacy reform to slip away.
In particular, the letter commends the FTC for including questions about “surveillance threats to young users” in its “commercial surveillance” ANPR, and recognizes that Congress has a “responsibility to pass strong legislation” protecting kids. However, the letter stresses that the FTC also has a duty to “use its regulatory authority [under COPPA] to institute additional protections that address pressing threats online, a process the Commission has already begun.” According to the letter, such additional protections include expanding the scope of personal information covered by COPPA; fleshing out the prohibition on conditioning a child’s participation in an activity on excessive data collection; and updating and expanding protections related to platforms and online advertising.
What does this mean? At one level, this finger-pointing exchange illustrates why state legislatures are moving forward more swiftly than Congress on privacy. At another, it provides some insight on the status of privacy legislation and the COPPA rulemaking. In particular, it suggests that (1) even the ardent privacy hawks in Congress don’t expect privacy legislation to pass during this session, and are now recognizing that publicly, and (2) FTC action on the COPPA rule might resume when the session in fact ends without passage of a privacy law (especially if Congress continues to send letters to the FTC like this one). We will continue to track all of these developments and dimensions here.