The FTC Reexamines COPPA Rulemaking and Google’s “Consent Decree” to Protect Kids’ Privacy on Social Media

For what it’s worth, a few of these proposed changes overlap with provisions in the Protecting Kids on Social Media Act, which was introduced earlier this year. But where Congress is deadlocked, regulatory action like agency rulemaking is a much more predictable process. The new regulations will only be finalized after feedback from the public — the FTC will be collecting public comment on the proposal for 60 days after posting notice in the Federal Register.

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” FTC Chair Lina Khan said in the official announcement. According to Khan, the proposed changes would prevent companies “from outsourcing their responsibilities to parents” when it comes to managing children’s data.

Companies would also have to justify why they want to keep persistent identifiers on hand and would be forbidden from using them in push notifications to encourage kids to return to their apps when they aren’t actively using them.

The revised COPPA rulemaking is less extreme than these bills, which is unsurprising because agency regulation is made within the limits of what Congress has already greenlit. Where many of these legislative bills go after users’ behavior and can directly impact personal privacy, the FTC’s proposed rules instead target the collection of data — specifically, the data of users ages 13 and under. Companies wouldn’t be able to opt kids into targeted ads by default and they would need to seperate parental consent for disclosure of data to third parties unless it’s necessary for the service or website Neither would companies be allowed to withhold services if those children withhold consent to targeted advertising.

According to the FTC, the agency received more than 175,000 public comments in 2019 when it began its most recent review of its regulations under COPPA. That same year, the regulator issued hundreds of millions of dollars in combined fines to YouTube and TikTok — the vast majority from YouTube — for mishandling data from users ages 13 and under.

The Federal Trade Commission didn’t know what to do. In 2011 Google reached a 20-year legal settlement dubbed a consent decree with the agency for allegedly misleading users with its policies and settings. The decree establishes a privacy standard for just one company, and requires it to have a comprehensive privacy program through 2031. The next year, the FTC signed Facebook onto a near-identical consent decree, settling allegations that the company now known as Meta had broken its own privacy promises to users.

Many of the tech companies that are subject to consent decrees are not bound by any rules at all and are free to collect and retain the data of their users, including TikTok, which has over a billion users. Amazon has an agreement with it this year which covers only its virtual assistant, even though it was accused of violating children’s privacy.