US regulators propose new online privacy safeguards for children

The Federal Trade Commission on Wednesday proposed sweeping changes to strengthen the key federal rule that has protected children’s privacy online, in one of the U.S. government’s most significant efforts to strengthen consumer privacy in more than a decade.

The changes are intended to strengthen the rules underlying the Children’s Online Privacy Protection Act of 1998, a law that restricts the online tracking of young people by services such as social media apps, video game platforms, toy stores and digital advertising networks. Regulators said these measures would “shift” the burden of online safety from parents to apps and other digital services, while limiting how platforms can use and monetize children’s data.

The proposed changes would, among other things, require certain online services to disable targeted advertising to children under 13 by default. They would ban online services from using personal data such as a child’s mobile phone number to entice young people to stay longer on their platforms. This means that online services would no longer be able to use personal data to bombard young children with push notifications.

The proposed updates would also strengthen security requirements for online services that collect data from children and limit the time for which online services can retain that information. And they would limit the collection of student data by learning apps and other education technology providers, only allowing schools to collect children’s personal data for educational purposes and not for commercial purposes.

“Children should be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal information,” Lina M. Khan, chairwoman of the Federal Trade Commission, said in a statement Wednesday. “By requiring companies to better protect children’s data, our proposal imposes positive obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”

COPPA is the central federal law protecting children online in the United States, although members of Congress have since attempted to introduce other bills.

Under the COPPA law, online services that target children, or those who know they have children on their platforms, must obtain parental consent before collecting, using or using personal information (such as first and last names, addresses, and phone numbers). sharing of a child under 13 years of age.

To comply with the law, popular apps like Instagram and TikTok have terms of service that prohibit children under 13 from creating an account. Social media and video game apps typically ask new users to provide their dates of birth.

Yet regulators have filed numerous complaints against major tech companies, accusing them of failing to establish effective age-restriction systems; showing targeted advertisements to children based on their online behavior without parental consent; allowing strangers to contact children online; or retaining children’s data even after parents have requested its deletion. Amazon; Microsoft; Google and its YouTube platform; Epic Games, the maker of Fortnite; and Musical.ly, the social app now known as TikTok, have all paid millions of dollars in fines to settle allegations that they broke the law.

The FTC’s proposal to strengthen children’s privacy protections comes amid heightened public concern about the potential mental health and physical safety risks that popular online services can pose to young people online. Parents, pediatricians and children’s organizations are warning that content recommendation systems on social media are routinely showing inappropriate content that promotes self-harm, eating disorders and plastic surgery to young girls. And some school officials worry that social media platforms are distracting students from their classroom work.

States have passed more than a dozen laws this year restricting minors’ access to social media networks or pornography sites. Industry trade groups have successfully filed lawsuits to temporarily block some of these laws.

The FTC began reviewing the Children’s Privacy Rule in 2019 and received more than 175,000 comments from technology and advertising industry trade groups, video content developers, consumer advocacy groups and members of Congress. The resulting proposal has over 150 pages.

Proposed changes include narrowing an exception that allows online services to collect persistent child identifiers for certain internal operations, such as product improvement, consumer personalization or fraud prevention, without parental consent.

The proposed changes would ban online operators from using such user tracking codes to maximize the amount of time children spend on their platforms. That means online services would not be able to use techniques such as sending cell phone notifications “to entice the child to use the site or service without verifiable parental consent,” according to the proposal.

It is not yet known how online services will comply with such proposed changes. The public has 60 days to comment on the proposed changes to the Children’s Privacy Rule. The committee will then vote on it.