IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

A Decade Later, Will Children’s Privacy Rules Get an Update?

Experts in student privacy, with years of experience in the Federal Trade Commission and the U.S. Department of Education, say that the Children’s Online Privacy Protection Act is long overdue for a regulatory update.

Kids working on laptops in a classroom with their cellphones sitting on their desks next to them, with cloud icons hovering over the phones and blue lines connecting them.
Students’ digital privacy is protected under federal law. But the Children’s Online Privacy Protection Act (COPPA) has gone nearly a decade without an update — and according to experts in the field, it’s in need of another.

While ed-tech tools have been in classrooms since at least the 1980s, a lot has evolved over the years. The Federal Trade Commission (FTC) has privileges given by Congress to update rules and regulations within the COPPA legislation. It last did so back in 2013, and the FTC announced in 2019 it was embarking on another update to the bill, which has not yet been finalized. In the spring, the FTC put out a policy statement saying it would “crack down” on companies who aren’t compliant with COPPA and that it will be “closely monitoring this market,” ensuring families that the agency isn’t giving in to companies with regard to their kids’ tech accounts.

Phyllis H. Marcus is a partner at Hunton Andrews Kurth LLP in Washington, D.C., where she advises ed-tech companies on designs of apps, IoT devices and online services for user friendliness as well as legal compliance. She previously spent 17 years at the FTC, seven of which focused on children’s online privacy. She ran the team that reviewed COPPA and updated it in 2013.

She said the last update was announced in 2010 and completed in about two and a half years. It’s been more than three years since the FTC announced its plans for another update, and she said she doesn’t think the COVID-19 pandemic has anything to do with when the update will be finalized.

“I don’t think it’s happening anytime soon,” Marcus told Government Technology. “There’s been a tremendous amount of [ed-tech] development ... you’ve seen it at the state level. And then you’ve seen multiple and thus far unsuccessful attempts at the federal level to introduce updated privacy regulations specifically for kids. But nothing’s really moved, and in the middle of this whole thing nothing has moved at the FTC either.”

She said that U.S. Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., as well as Reps. Kathy Castor, D-Fla., and Lori Trahan, D-Mass., recently wrote a letter to the FTC asking about the status of the COPPA rule review. The FTC, she said, insinuated it was doing its part, but legislation needed to be part of that picture. Meanwhile at a recent conference, FTC Commissioner Alvaro Bedoya said the FTC was in no rush to get out the update; instead, they are more interested in legislative initiatives, according to Marcus.

“So you’ve got a little bit of a circular thing happening here,” she said.

Marcus said that state legislatures are trying to do their part, like in California, where they passed the Age-Appropriate Design Code Act (CAADCA), to go into effect in July 2024. The law aims to protect the well-being, data and privacy of children using online platforms.

“Federal legislation presumably would pre-empt what’s happening at the state level. It’s possible it can be complementary to COPPA,” Marcus said. “The FTC has a decent amount of power to make revisions to the regulation without needing to wait for a change to the statute … which affects families and children across the country, but when [CAADCA] goes into effect, it’s very likely going to affect children across the country and not just kids in California.”

She said that it would change the game nationally as it would be infeasible for companies to design products for different jurisdictions. What Marcus stressed is that, regardless of what’s going on at the state level, COPPA needs an update to account for ed-tech tools that just weren’t part of the process back in 2013.

“That was a specific call-out when they made the announcement in 2019, that they were going to look at the rule, and that’s before COVID,” she said. “And boy, it’s more necessary after COVID. But even then, they knew that they needed a refresh.”

Sara Kloek, vice president of education and children’s policy at the Software and Information Industry Association (SIIA), said that while her organization applauds the FTC for focusing on student privacy with COPPA, there is more to fall back on beyond that law.

“[The policy statement is] just reiterating what has long been in the staff guidance in the FAQs,” said Kloek, who has also worked with the U.S. Department of Education on student data privacy. “There is a floor for federal protection, which is the Family Educational Rights and Privacy Act (FERPA), and then states can add protections on top of that.”

Kloek cited laws passed in multiple states, including in California, Minnesota and several others.

“Those ... primary laws like FERPA and state student privacy laws should be looked at as important pillars in student privacy protection,” Kloek said. “COPPA is also important, but those that are directly written for how to protect student data [are just as vital].”

FTC representatives did not respond to requests for comment.
Giovanni Albanese Jr. is a staff writer for the Center for Digital Education. He has covered business, politics, breaking news and professional soccer over his more than 15-year reporting career. He has a bachelor’s degree in journalism from Salem State University in Massachusetts.