Ready or Not, Here Comes COPPA

If you’re a parent, you probably have an opinion on screen time. As we get further and further into the internet age and parents rely on online tools for education and entertainment (and even babysitting), more and more online platforms target children. Because of this, the Federal Trade Commission (FTC) also has an opinion on screen time. The FTC recently proposed changes to the Children’s Online Privacy Protection Rule (COPPA) that place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition services on the collection of children’s data.

COPPA, which first went into effect nearly 25 years ago, requires certain websites that collect personal information from children under the age of 13 to provide notice to parents and obtain parental consent before collecting, using, or disclosing a child’s personal information. The proposed rule also limits the personal data that websites can collect from children, limits how long they can retain such data, and requires them to secure the data.

The FTC has proposed several changes to COPPA, notably:

  • Separate Opt-In for Targeted Marketing: Building off the existing consent requirement in COPPA, websites would now be required to obtain separate parental consent to disclose information to third parties, including third-party marketers—unless the disclosure is integral to the nature of the website or online service. Websites cannot condition access to services on the disclosure of personal information to third parties.
  • Limits on the support for the internal operations exception: The current rule allows websites to collect persistent identifiers without first obtaining parental consent as long as the website does not collect any other personal information and uses the persistent identifier solely to provide support for its internal operations. The proposed rule would now require websites utilizing this exception to provide an online notice that states the internal operations for which the website has collected a persistent identifier and how it will ensure that such information is not used or disclosed to contact a particular individual, including for targeted marketing.
  • Strengthening data security requirements: The FTC has proposed strengthening COPPA’s data security requirements by mandating that websites establish, implement, and maintain a written children’s personal information security program that contains safeguards appropriate to the sensitivity of the personal information collected from children.
  • Limits on data retention: The FTC also would increase COPPA’s data retention limits by permitting personal information retention only for as long as necessary to fulfill the purpose for which it was collected. The proposal would also prohibit websites from using collected information for any secondary purpose, and it explicitly states that websites cannot retain the information indefinitely. The Rule would also require websites to establish and publish a written data retention policy.

The fact that this is an FTC rule may have been a giveaway, but you may have noticed that this rule is not tailored to banks; it applies across industries. It is meant to target websites geared towards children or those with actual knowledge that they collect data from children, which many bank websites do not. Instead, online accounts are often available only to older users; because of COPPA, many banks set this mark at 13 years old. Thus, bank websites are probably not child-directed, nor is there actual knowledge of collection.

However, other parts of the business, beyond those tied to banking, could be pulled into COPPA’s scope. For example, some banks have a travel division, and certain parts of that division’s online presence may target children. Another item worth considering is any emphasis on financial literacy education and offering products/services such as student banking. This might involve the online collection of children’s data. Collecting information passively (e.g., from cookies or web beacons) without first getting parental consent could pose an issue. Still, as this sort of information often cannot be tied to a particular individual without an online account, it may not present an insurmountable problem. Thus, banks should not assume COPPA does not apply to them.