March 11, 2024

Federal Trade Commission
600 Pennsylvania Ave NW
Washington D.C. 20580

Re: COPPA Rule Review, Project No. P195404

The R Street Institute (R Street) respectfully submits these comments in response to the advance notice of proposed rulemaking (ANPR) regarding the Federal Trade Commission’s (FTC) proposal to amend the Children’s Online Privacy Protection Rule (COPPA).

R Street believes that portions of COPPA should be updated to evolve with the digital landscape. However, we caution against the FTC making broad, sweeping changes that are unduly burdensome and impact compliance. Effective data privacy and security rules are important for young consumers, industry, and national security.

We appreciate the FTC’s interest in this area. We also believe Congress should act on a comprehensive federal data privacy and security bill while giving the FTC clear guardrails, which would benefit all Americans, including children. Nonetheless, there are current actions the FTC can take to update COPPA.

I. We oppose expanding the definition of biometrics as personal information when used to provide a service without identifying the user.

The proliferation of emerging biometric-aided technology devices has the FTC looking into biometric abuse involving consumers.[1] This is for good reason. When bad actors have access to biometric data, the consequences can be severe.[2] However, many children use biometric-aided devices as a service. For example, some devices use a voice-activated digital assistant like Amazon’s Alexa, Apple’s Siri, or similar. Users can use their voice to ask for current time and weather updates, create tasks, or control other smart devices. With adequate parental controls, recent research indicates that these biometric-aided devices allow children to enhance cognitive development, help with homework, and facilitate children’s understanding of artificial intelligence concepts.[3] Further, children with motor and cognitive impairments can benefit from remotely controlling home appliances and personal devices.[4] For example, a physically impaired child could use voice digital assistance to call for help, close a home’s window blinds, turn off lights, or set the home’s temperature to a desired setting.

Any COPPA rulemaking around voice print biometrics should account for these use cases, guarantee that companies can continue to innovate these devices, and ensure they are accessible to children.

II. Leave contextual and targeted advertising as it currently stands.

We believe the FTC’s 2013 COPPA amendments struck the correct balance by allowing companies to collect persistent identifiers for contextual advertising purposes without a parent’s consent if they do not also collect other personal information.[5] With proper safeguards in place, this allows businesses to continue to innovate and provide beneficial services to young consumers.

Importantly, online advertising has driven the internet’s growth, shaping how businesses connect with their consumers and providing youth with free information, content, and services.

The current digital advertising ecosystem allows more participants into the marketplace. Studies reveal online advertising positively impacts small and medium-sized businesses by increasing visibility, fostering relationships, and enabling data-driven strategies.[6] However, in a post-General Data Protection Regulation (GDPR) European Union (EU), a study revealed the limitations placed on data use in the EU significantly impacted the EU’s total e-commerce business.[7] This regulatory approach has companies doing business in the EU implementing ad-free subscription models to access services normally subsidized by ad revenue.[8] Undoubtedly, a debate on the ethics surrounding a “pay for privacy” framework will emerge.  

III. COPPA’s data security requirement is an area where greater clarity and focus would be beneficial.

Given our Cybersecurity and Emerging Threats team’s deep focus on data security and privacy, we would also like to provide high-level information applicable to rulemaking in this domain.[9] It is critical to adequately account for data security, especially among sensitive populations like children.

From 2019 to 2021, 150 percent more personal information became available online.[10] The amount of data is constantly expanding, and security and privacy threats are increasing. There were a record number of data breaches in 2021—a 68 percent increase from 2020.[11] These numbers alone are concerning, but the scope and visibility of recent incidents highlight the problem.  

Additionally, data continues to be jeopardized by foreign threats, such as China, which do not hesitate to collect data for nefarious and strategic purposes—leaving Americans with a vague understanding of where their data is and how protected it is against malicious actors.[12] In a practical sense, this means ingraining data security standards into data processes to ensure security and privacy. However, it is difficult to understand what data security standards entail and how they are or should be defined.

The COPPA rulemaking could aid the industry by outlining a standard of reasonableness for data security, which would also benefit consumers and national security. We agree with the FTC that the “reasonable procedures” should be fleshed out to provide better compliance guidance. Also, the FTC should compile best practices and carefully examine existing data security rules at the state, federal, and international levels—including those targeting specific industries—to help avoid conflicting provisions and unnecessary duplication.

Further, the FTC should streamline COPPA’s data security rules rather than relying solely on a case-by-case approach that can lead to uncertainty about what is needed to comply. This would put the public and industry on notice of what acts are needed and are reasonable, which could result in broader security compliance, more efficient enforcement for violations, and enhanced data protection overall. This would especially be true if a comprehensive federal data privacy and security law were passed.

There are a vast number of considerations when it comes to data security that warrant individual attention. These include what specific measures are necessary; incentives to implement security measures; how entities can be assisted in their security journey; the role of other federal agencies like the Cybersecurity and Infrastructure Security Agency; how privacy programs interact with security programs; how existing security frameworks, like those of the National Institute of Standards and Technology, are impacted or can serve as a resource; additional components in privacy notices pertaining to security, like transfers to select foreign nations; and how the measures can be assessed and/or monitored. After all, administrative, technical, and physical safeguards are all important security aspects, but what is covered can range widely. For example, implementing multi-factor authentication alone, a great first step, is far from an advanced zero trust architecture. We recommend a more granular data security analysis, including targeted questions and feedback from various industries and security experts. To its credit, the FTC has focused on security in the past.

Also, while security baselines are helpful, there should be flexibility. An entity’s size and type, cost and resources, and feasibility of implementation are key. For example, a small, local business generally does not need the same security measures as a massive company engaged in data collection. Similarly, not all companies will have the capability to enact the same security measures. This might require the exemption of certain entities and/or relaxed rules.

IV. Data retention and deletion requirements increase data security, but broad data use restrictions can chill innovation.

We support data minimization concepts, including data retention and deletion requirements. However, we caution against broad data use restrictions that limit future innovation. An organization can decrease a data breach’s impact if unnecessary data is deleted rather than stored indefinitely. However, there are instances where indefinite data retention is needed, and these should be adequately explored to see where exceptions might be needed. This can include, but is not limited to, financial record-keeping, legal requirements, and fraud prevention.

Conclusion

We are happy to be a resource on specific issues that arise during this process, especially relating to data security. After all, children’s data privacy and security are important for consumers, industry, and national security.

                                                Respectfully submitted,

The R Street Cybersecurity Team

Point of Contact: Steven Ward, Fellow, Data Privacy and Security, [email protected]

R Street Institute
1411 K Street NW, Suite 900
Washington, D.C. 20005


[1] “FTC Warns About Misuses of Biometric Information and Harm to Consumers,” Federal Trade Commission, May 18, 2023. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers.

[2] “Leaked Today, Exploited for Life,” TrendMicro, Oct. 18, 2022. https://www.trendmicro.com/vinfo/be/security/news/internet-of-things/leaked-today-exploited-for-life-how-social-media-biometric-patterns-affect-your-future.

[3] Ting-Chia Hsu et al., “Effects of voice assistant creation using different learning approaches on performance of computational thinking,” Computers & Education 192 (January 2023). https://www.sciencedirect.com/science/article/abs/pii/S0360131522002287.

[4] Fabio Masina et al., “Investigating the Accessibility of Voice Assistants With Impaired Users: Mixed Methods Study,” Journal of Medical Internet Research 22:9 (Sept. 25, 2020). https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7547392.

[5] 16 CFR 312.5(c)(7), Children’s Online Privacy Protection Act. https://www.ecfr.gov/current/title-16/part-312#p-312.5(c)(7)

[6] “Maximum Impact: How Digital Ads Level the Playing Field for U.S. Small Businesses,” Data Catalyst Institute, March 2023. https://datacatalyst.org/reports/maximum-impact-how-digital-ads-level-the-playing-field-for-u-s-small-businesses.

[7] Samuel G. Goldberg et al., “Regulating Privacy Online: An Economic Evaluation of the GDPR,” Federal Trade Commission, June 23, 2021. https://www.ftc.gov/system/files/documents/public_events/1588356/johnsongoldbergshriver.pdf.

[8] Adam Satariano and Christine Hauser, “In Europe, Meta Offers Ad-Free Versions of Facebook and Instagram for First Time,” The New York Times, Oct. 30, 2023. https://www.nytimes.com/2023/10/30/technology/facebook-meta-subscription-europe.html.

[9] “What does the newest U.S. privacy bill mean for cybersecurity?” International Association of Privacy Professionals, June 17, 2022. https://iapp.org/news/a/what-does-the-newest-u-s-privacy-bill-mean-for-cybersecurity; Tatyana Bolton et al., “Congress Needs to Start Caring About Our Privacy as Much as China Does,” R Street Policy Study No. 232 (June 14, 2021). https://www.rstreet.org/2021/06/14/congress-needs-to-start-caring-about-our-privacy-as-much-as-china-does.  

[10] Will Simonds, “More Data, Less Privacy: DeleteMe’s 2021 Personal Identifiable Information (PII) Report,” Jan. 7, 2022, p. 3. https://joindeleteme.com/blog/2021-personal-identifiable-information-pii-report.    

[11] “Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises,” Identity Theft Resource Center, Jan. 24, 2022. https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises.

[12] Brandon J. Pugh, “Lessons for America from China’s Massive Data Breach,” RealClearPolicy, July 19, 2022. https://www.realclearpolicy.com/articles/2022/07/19/lessons_for_america_from_chinas_massive_data_breach_843154.html.