The Federal Trade Commission held a workshop yesterday in Washington, D.C., to discuss possible updates to the COPPA Rule, which implements the Children’s Online Privacy Protection Act (“COPPA”). COPPA was originally enacted in 1998 and regulates the way entities collect data and personal information online from children under the age of 13. The Rule hasn’t been updated since 2013, and the intervening years have produced seismic technological advances and changes in business practices, including changes to platforms and apps hosting third-party content and marketing targeting kids, the growth of smart technology and the “Internet of Things,” educational technology, and more.
For the most part, FTC staff moderators didn’t tip their hand as to what we can expect to see in a proposed Rule revision. (One staff member was the exception, whose rapid-fire questions offered numerous counterpoints to industry positions, so much so that the audience would be forgiven for thinking they were momentarily watching oral argument at the Supreme Court.) Brief remarks from Commissioners Wilson and Phillips staked out their positions more clearly, but their individual views were so different that they too offered little assistance in predicting what a revised Rule may look like. Commissioner Wilson opened the workshop by sharing her own experience as a parent trying to navigate and supervise the games, apps and toys played by her children, and emphasized the need for regulation to keep up with the pace of technology to continue protecting children online. Commissioner Phillips also referred to his children at one point, but his remarks warned against regulation for regulation’s sake, flagged the chilling effect on content creation and diversity when businesses are saddled with greater compliance costs, and advocated a risk-based approach.
The divergent views of the Commissioners were echoed throughout the workshop’s many panels, which comprised members of industry, consumer advocacy groups and academia. A majority of the participants agreed that the COPPA Rule should be updated and enforcement stepped up, but agreement largely ended there.
Industry clamored for clarity in the COPPA Rule, particularly in terms of the multifactor test for determining that a service is child-directed. Industry representatives also sought consistency across legal regimes, noting that COPPA, the European Union General Data Protection Regulation, the California Consumer Privacy Act, and various similar laws around the world set different age limits and impose differing legal obligations. Some in industry also feared regulations that would require them to collect more personal information than they currently do, and argued that doing so undermines the principle of data minimization. As would be expected in any discussion about regulation, industry also argued against any Rule changes that increase the cost of doing business. Finally, many of the industry…