So, what do they really think?
Reading between the lines of submissions to the FTC's COPPA consultation by the organisations that matter
Last week was the deadline for public comments on the FTC’s proposed changes to the Children’s Online Privacy Protection Act (COPPA). I reviewed the Commission’s proposals earlier here.
There were plenty of public comments (279). But as usual, the substantive submissions — from stakeholders with a material interest or expertise — came in the last few days of the commenting period. I’ve spent the weekend reading these so you don’t have to ;-), and have tried to tease out their positions on the key questions[1]. I looked at platforms (Google, Microsoft, Epic Games), technology vendors (SuperAwesome, Yoti, k-ID), Safe Harbor certifiers (ESRB, CARU, KidSAFE), trade associations (ESA, IAB, etc.), think tanks (CIPL, FPF) and advocacy groups (FOSI, ACLU, EPIC, Common Sense Media).
For the most part, they all played to type. The platforms paid lip service to the FTC’s desire to strengthen privacy protections for kids, while trying to minimise the scope of any new protections that might constrain their existing business. Google stood out as the only one opposing further exploration of a platform-based common consent mechanism, an idea that has been gathering momentum since the FTC forced Xbox to signal to video game publishers if an account is held by a minor, and Zuck pushed the concept of app store-level age verification at the recent Senate grilling.
Only SuperAwesome and Common Sense Media supported the FTC closing a loophole in the definition of actual knowledge by removing the word “directly” (which would make publishers responsible for learning indirectly from third-party partners if a user is a child). There was universal support for allowing text messages in addition to email as a way of contacting parents for consent.
Perhaps the FTC’s most controversial proposal is to restrict the use of persistent identifiers (like IP addresses) to power features designed to extend engagement like push notifications — an attempt by the FTC to stretch its privacy mandate into the field of age-appropriate design. This was mostly opposed, as the current proposal is vague on how to define such techniques and how to differentiate them from normal user-driven or operator-driven ways to make the service a better experience. CARU called on the FTC to get into the detail, and in my own submission to the FTC I’ve proposed a list of specific methods that might be included in such a ban.[2]
There was plenty of support for adding biometric data to the scope of personal information, and (perhaps surprisingly) consensus on applying a narrow definition of such data (data that is used to identify a person, as opposed to data that is merely usable for that purpose) in order to avoid losing the potential benefits of biometrics that are in fact privacy-preserving, such as facial age estimation.
PRIVO, which is both a Safe Harbor certifier and a technology provider, was the only one brave enough to oppose dropping the requirement for a monetary transaction when a parent verifies their adulthood by providing payment card details. They rightly point out that debit card ownership is no longer a reliable indicator of adulthood, given the prevalence of kids’ payment cards, and that the payment card method (which was historically the most popular VPC method) is in need of a rethink.
Most interesting (to me) were the absences — there were no comments submitted (at the original consultation in 2019 or on the proposed amendments in 2023) by Apple, Sony Interactive Entertainment (i.e., PlayStation), Nintendo, or Roblox. Also, the LEGO Group was absent this time around, even though they did submit recommendations when the original consultation opened in 2019.
Below are two ways to consume the summary: first, a table[3] listing some of the FTC’s proposed changes I find interesting, with a tally of which organisations support or oppose them. Further below is more detail of their positions in each category, sorted by type of organisation, with links to their submissions.
Happy referencing. Any errors or omissions are entirely my fault (and please message me so I can correct). :-)
Platforms
Microsoft
Definitions: Supports broadening "child-directed" to include intention indicators like marketing plans but opposes including user reviews or ages on similar sites.
Consent: Supports a separate parental consent for sharing kids’ PI with third parties, unless the parent has affirmatively directed such disclosure (this is to enable Xbox to honour parents’ settings without requiring an additional consent).
Advertising: does not support changes to the treatment of contextual advertising.
Engagement techniques: no comment.
Concerns: Not explicitly stated, but implications suggest concern over operational flexibility and parental consent process simplicity.
Google
Definitions: Endorses adding biometric data to PI, if limited to data used for identification. Recommends exempting data used in age-estimation or screening efforts (including selfies if promptly deleted), as date of birth already is. Opposes adding to the multi-factor test of child-directed new factors such as the user reviews or age of users on similar websites.
Consent: Opposes separate parental consent for third-party PI disclosure due to the burden on parents. Also opposes the idea of platform-based common consent mechanisms, as this could potentially shift liability from developers to platforms.
Advertising: recommends no change to the definition of contextual advertising.
Engagement techniques: Opposes any effort to use COPPA to restrict techniques that extend engagement, as outside the scope of the law.
Epic Games
Definitions: Supports including mobile numbers in online contact information and biometric data in PI, conditional on excluding derived data and exempting biometric data that is promptly deleted. Opposes expanding the multi-factor test to include user or third-party reviews or the ages of users on similar sites. Opposes treating screen/user names or avatars as PI, even if not used (or usable) outside the operator’s domain, as this goes beyond the FTC’s authority, is impractical, and may reduce scope for anonymising children’s identity (especially when user names are auto-generated by the operator).
Consent: Supports the proposal to eliminate a monetary charge requirement for parent verification via payment card. Supports allowing use of text messages to trigger the parental consent flow. Favours proposed requirement for separate parental consent for PI disclosures, so long as it can be presented sequentially in the same flow. Supports the concept of platform-level consent mechanisms, but encourages the FTC to outline basic requirements, to address concerns that such a mechanism may stifle competition or enable gatekeeper self-preferencing.
Engagement techniques: no comment.
Technology Vendors
SuperAwesome
Definitions: Advocates for removing “directly” from the definition of website, closing a loophole whereby an operator may pretend not to know whether it is collecting PI from children because it does so via a third-party operator.
Advertising: Supports retaining contextual advertising as one of the specified purposes in the internal operations exemption, subject to clarifying the definition of contextual advertising (to ensure broad targeting, such as geographic or content-based, can continue whilst affirming that no persistent identifiers ought to be used).
Consent: Opposes the requirement for additional disclosures on the collection and use of persistent identifiers for internal operations, as these are likely to confuse parents and be duplicative of information already in the operator’s privacy notice.
Concerns: Suggests that restricting screen/user names and avatars is a complex topic that requires further discussion, as many of their uses benefit anonymisation.
Yoti
Definitions: Supports exempting biometric data that is used for analysis and characterisation (rather than identification) and is promptly deleted from any changes to the definition of personal information. Supports offering an exemption to operators who can evidence via an analysis of their user base that they are below a certain threshold of child users, so long as this is not at the expense of the overall multi-factor test.
Consent: Supports the development of platform-level common consent mechanisms, and encourages the FTC to approve new VPC methods including the Yoti/SuperAwesome/ESRB-proposed facial age estimation method.
Concerns: Any decision to add avatars to the definition requires significantly more research and clarification to ensure this is limited to avatars that provide identifying information.
Unique points: Recommends age assurance approaches beyond self-declaration, suggesting digital ID apps and facial age estimation.
k-ID
Definitions: Opposes including avatars not reflecting real-world likeness as PI without clear criteria.
Consent: Is encouraged by the FTC’s stated support for platform-based common consent solutions, but requests the FTC to distinguish clearly between consent mechanisms offered by a distribution platform (app store, console) vs a standalone trusted third party. Supports the proposal to require a separate parental consent for disclosure of PI to third parties (except where such disclosures are integral to the service).
The States
National Association of Attorneys General4
Definitions: Proposes expanding PI to include biometrics, genetic data, and healthcare information without exceptions for promptly deleted data. Supports adding avatars to the definition, if they are created on the child’s image and likeness.
Consent: Advocates for separate parental consent for child’s PI disclosure. Supports the development of platform-based common consent mechanisms. Supports the requirement for a separate parental consent for disclosure of a child’s information, to be offered at a different time and place than the original consent.
Advertising: Supports making changes to the definition of contextual advertising to limit the collection of PI through AI for targeting purposes; and to prohibit collection of browser histories, IP addresses, and location data.
Engagement techniques: Supports modifying the internal operations exemption to limit personalisation to user-driven actions and exclude operator methods to extend engagement.
Unique points: Proposes that the FTC itself partner with a developer to create a government-approved ID and age verification application (?).
Safe Harbors
CARU - Children’s Advertising Review Unit (BBB National Programs)
Definitions: Requests clarification on proposals affecting biometric data and persistent identifiers, advocating for clarity in restrictions. Supports exemption based on numerical analysis of audience.
Consent: Supports adding text message as a method for requesting parental consent, as a more accessible, just-in-time approach whose benefits outweigh any additional security risks. Opposes requiring an additional parental consent for disclosure of PI to third parties, as this would be confusing to parents.
Notice to parents: Proposes limiting any additional notice requirement to advertising third parties, not other third party service providers.
Engagement techniques: In principle supports the proposal to restrict the use of persistent identifiers to extend engagement, provided more effort is made to identify and enumerate techniques that solely extend engagement, such as countdown timers, engagement trackers, rewards for remaining on a game, etc.
Omissions: no comment on biometrics?
kidSAFE Seal Program
Definitions: Supports the exception of biometric data that is used for a limited purpose and promptly deleted. Does not support treatment of screen/user names as personal information. Supports adding new factors (marketing plans, user reviews, etc) to the multi-factor test criteria. Supports providing an exemption based on an operator’s numerical analysis of their audience, as this would enable them to demonstrate extra care and encourage them to be good actors.
Consent: Supports eliminating the requirement for a monetary transaction for payment card verification. Seeks clarification whether parents can also respond with their consent by text message for something equivalent to ‘email plus’ consent.
Advertising: does not support changes to the treatment of contextual advertising.
Engagement techniques: Strongly opposes requiring VPC for engagement techniques that maximise user engagement, because the definition is far too broad and would restrict reasonable ways to engage users, and would damage child-directed services leading more kids into 13+ platforms. Opposes making a distinction between user-driven vs operator-driven personalisation.
Safe Harbors: Not opposed to additional reporting requirements for Safe Harbors, and supports a proposed requirement by Safe Harbors to publish their list of members.
Concerns: Cautions against adding avatars to the personal information definition without material guidance on what level of resemblance would trigger such inclusion.
ESRB - Entertainment Software Review Board (Privacy Certified)
Definitions: Supports expanding child-directed definitions with intention evidence but opposes adding user reviews or ages on similar sites. Supports the addition of telephone number to the definition of online contact information, but requests clarification that this means operators can obtain VPC via text as well as email. Opposes treating screen names as online contact information when they can’t be used to contact other users. Does not believe that further modifications to the definition of personal information are required to address avatars created from a child’s image - if they are photorealistic then they are PI, if they are abstract they are not.
Consent: Supports eliminating the requirement for a monetary transaction for payment card verification. Supports expanding the types of VPC methods available and requests the FTC provide an expedited authorisation process for VPC applications filed by Safe Harbors and/or provide an exemption from liability for operators who use a method approved in good faith by a Safe Harbor.
Engagement techniques: not addressed.
Safe Harbors: Opposes the requirement to publicly post a list of operators who are members of the program, as it may mislead consumers who assume companies are certified, rather than individual products (or platform versions of products). Supports additional reporting requirements.
Other: Generally supports additional data security requirements but cautions against overwhelming smaller operators with additional costly oversight and reporting burdens.
PRIVO
Definitions: cautiously supports the addition of mobile telephone number to the definition of online contact information, with concern whether a child can consent to a parent receiving a text message, whether a mobile number can expose additional PI, and whether an unsolicited text message from an unknown number may fail as an effective contact channel. Supports the expansion of definition of personal information to include biometric data.
Consent: Supports the requirement for a separate parental consent for disclosure of kids’ PI, so long as this can be provided in the same flow as the consent for integral services. Opposes eliminating the monetary transaction requirement when parental consent is verified via a payment card, and recommends the FTC amend the payment card definition to exclude debit cards, because it believes both make it easier for children to consent themselves.
Safe Harbors: Supports additional reporting requirements for Safe Harbors, including the proposed requirement that Safe Harbors publish their list of certified products.
Think tanks
CIPL - Centre for Information Policy Leadership
Definitions: Supports the addition of biometric data to the personal information definition, subject to alignment with international and U.S. state laws, and provided that “biometric data is only personal information when it is intended to be used for identification.” Supports adding mobile phone number to the definition of online contact information. Opposes allowing operators to use a numerical audience threshold to disprove their child-directed status. Does not support removing the word “directly” from the actual knowledge definition as it would be difficult for operators to implement.
Consent: Supports the expansion of methods to secure parental consent, including via text message, subject to further guidance on how this would work in practice. Opposes requiring a separate parental consent for disclosure to third parties, as this would be unduly burdensome and degrade the user experience. Supports eliminating the monetary transaction requirement for payment card verification, and the use of text message to obtain consent.
Notices to parents: Supports additional transparency in direct notices but recommends requiring operators to disclose the purpose for which data will be used, rather than “how the operators intends to use” such information, to align with international privacy laws. Opposes a requirement to identify all the third parties, but instead proposes that the categories of third parties be disclosed.
Safe Harbors: Supports the proposed modifications to the Safe Harbor program, including additional reporting requirements.
Unique points: Supports authorising two new methods of VPC, including knowledge-based authentication and the use of facial age estimation.
FPF - The Future of Privacy Forum
Definitions: Supports adding mobile telephone number to the definition of online contact information, and the use of text message to seek parental consent, subject to clarification on how this process would work.
Consent: Opposes requiring a separate parental consent for third party disclosures, as burdensome for operators, confusing for parents, and potentially dissuading children from using child-directed services.
Engagement techniques: Opposes the proposed restrictions on the use of persistent identifiers for features that extend engagement, unless the language is modified to be more specific on the types of techniques that should be restricted.
Trade Associations
ESA - Entertainment Software Association
Definitions: Cautions against adding ‘user reviews and age of users on similar services’ to the multi-factor test for determining if a site is child-directed. Opposes revisions to the scope of personal information, such as adding screen/user names (not necessarily contact information), biometrics (outside the FTC’s legal remit), and avatars (does not meet the definition of PI).
Consent: Supports the FTC’s continued consideration of new consent mechanisms, including encouraging development of platform-based approaches.
Engagement techniques: Requests clarification on proposed restrictions on operators to use persistent identifiers for features that promote engagement or extend use, and suggests this proposal goes well beyond the scope of COPPA.
Concerns: Cautions against broadening the child-directed criteria and opposes narrowing internal operations exemptions, emphasizing impacts on service quality.
IAB - Interactive Advertising Bureau
Definitions: Opposes expanding PI to include biometrics and avatars, highlighting concerns over scope and practical burdens. Opposes adding user reviews and age of users of other services to the multi-factor test for determining whether a site is child-directed. Opposes the implementation of a threshold-based exemption for sites that believe they are not child-directed, as this would lead to further, privacy-invasive age estimation.
Consent: Supports including text message as a valid method of obtaining consent from parents. Opposes narrowing the internal operations exemption, as this would impede the ‘smooth functioning of the internet’ and degrade the quality of services.
Notices to parents: Opposes the proposed requirement for additional disclosure on how persistent identifiers are used, as this would be unduly burdensome (and difficult in practice) for operators.
Advertising: Opposes any modification to the treatment of contextual advertising.
Engagement techniques: Opposes any restrictions on operators to use persistent identifiers to extend engagement, as these are unduly ambiguous and go beyond COPPA’s scope.
Concerns: Concerned that the proposed data retention requirement would lead to excessive paperwork for operators.
ACT - The App Association
Definitions: Opposes including non-identifiable biometric data in PI. Opposes adding user reviews and age of users of other services to the multi-factor test for determining whether a site is child-directed, as these would effectively shift from an actual knowledge to a constructive knowledge standard.
Consent: Supports innovation in VPC methods including text messages and facial age estimation, and the elimination of the monetary transaction requirement for payment card verification.
Notices to parents: Opposes the proposed requirement for operators to explain how persistent identifiers are used within the internal operations exemption.
Engagement techniques: Opposes changes to the internal operations exemption that would limit the use of persistent identifiers to extend engagement (as overly broad).
The Toy Association
Definitions: Supports adding mobile telephone number to the definition of online contact information, and to initiate the parental consent flow. Supports adding biometrics to the definition of personal information, so long as this is limited to biometric data that is actually used to identify a person, and exempting biometric data that is promptly deleted. Opposes adding screen/user names and avatars to the definition, as this would be unduly burdensome and undermines the anonymisation benefits. Opposes adding a numerical audience threshold to the determination of child-directed.
Consent: Supports expanding the methods of parental consent, including no longer requiring a monetary transaction for payment card verification, and urges the FTC to establish a more efficient procedure for approving new VPC methods. Opposes the proposed requirements that operators obtain a separate consent for disclosure of PI to third parties.
Advertising: Does not support changes to the treatment of contextual advertising.
Notices to parents: Opposes adding a direct notice obligation to explain the operator’s use of persistent identifiers for internal operations to parents.
Engagement techniques: Opposes changes to the internal operations exemption that would limit the use of persistent identifiers to extend engagement (as overly broad and vague).
Safe Harbors: Does not support additional reporting requirements for Safe Harbors as this would undermine the program.
Advocacy Groups
FOSI - Family Online Safety Institute
Engagement techniques: supports efforts to restrict the use of persistent identifiers to extend engagement, and encourages more action by the FTC to limit nudge techniques, perhaps following the guidance of the UK Age Appropriate Design Code.
Unique points: Recommends a more nuanced approach to age assurance, and suggests the FTC consider a clearer definition of age verification, age estimation and age gating (as per the FPF’s helpful infographic), emulating the UK ICO’s risk-based approach.
ACLU - American Civil Liberties Union
Definitions: Opposes any expansion to the definition of child-directed. Supports the inclusion of biometrics in the definition of personal information (and the scope of “can be used”, urging the FTC to reject limitations to biometric data that “are used” for identification), but opposes exempting biometric data that is promptly deleted. Supports treating screen/user names and avatars as PI.
Engagement techniques: Opposes restricting the use of persistent identifiers for features that extend engagement (like push notifications) on the basis that these restrict online speech.
Other: Emphasises the importance of not (directly or indirectly) mandating age verification, as this would burden “children’s and adults’ access to constitutionally protected speech”.
EPIC - Electronic Privacy Information Center
Definitions: Supports amendments to personal information definition and suggests also adding government-issued identifiers, and avatars generated from a child’s image.
Consent: Recommends tightening the internal operations exemption, by removing ‘personalising content’ and ‘serving contextual advertising’.
Notice: Supports requiring operators to explain the use of persistent identifiers for internal operations to parents.
Concerns: Any new requirements for collecting the age of users in a mixed audience service should use privacy protective methods that do not collect additional PI.
Unique points: Somewhat contradicting itself, EPIC also suggests requiring VPC for collecting persistent identifiers, even if used for internal operations — i.e., effectively eliminating the exception altogether.
Common Sense Media
Definitions: Supports expanding the definition of personal information in relation to biometrics, screen/user names and avatars if they would permit contacting a child. Supports adding new factors to determine whether a site is child-directed, including marketing materials and plans, user reviews, and age of users on similar services. Supports removing the word “directly” from the actual knowledge definition. Believes the FTC should go further with the definition of ‘actual knowledge’ by including what is effectively constructive knowledge (though the FTC has made clear it won’t go that far).
Consent: Supports additional limitations on sharing kids’ PI with third parties, including a distinct consent requirement.
Engagement techniques: Endorses the proposed restrictions on operators’ use of persistent identifiers to extend user engagement, including push notifications.
Other: Would like to see more support for the development of new parental consent mechanisms, including setting up a regulatory ‘sandbox’ for testing, and evaluating AI impacts on children’s data.
Unique points: Would like the FTC to be stricter about its data minimisation requirements and crack down on operators collecting more PI than strictly necessary.
[1] This is clearly a selective analysis based on what interests me. I have, for example, not covered the proposed changes to how COPPA operates in schools and how it interacts with FERPA — that is a big topic, perhaps for another time.
[2] See page 7, where I propose specifying the following examples to start: clocks and countdown timers; timed appointments to play or participate; rewards for ‘streaks’ (e.g., driving daily or continuous use); badges, leaderboards and other gamification elements that are solely tied to engagement; arbitrary progress bars, levels or task lists; challenges, missions designed to drive engagement without true benefit to the user; push notifications that prompt immediate action or return; variable rewards, unlockable content, easter eggs, loot boxes – that create repetitive, addictive behaviour; excessive reliance on social proof (highlighting other users’ activities or endorsements).
[3] It’s a pasted image since there is no obvious better way to add a table in Substack, but if you would like the Google sheet version, message me directly.
[4] Representing the Attorneys General of Oregon, Illinois, Mississippi, Tennessee, Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Indiana, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, South Dakota, Utah, Vermont, Virgin Islands, Virginia, Washington and Wisconsin.
Super useful summary Max thanks so much. I have no idea how long that reading took but you deserve a medal. Really interesting "omissions" e.g. Apple, Sony, Roblox etc... Thanks for highlighting