On March 7, 2024, a bipartisan coalition of 43 state attorneys general sent to the Federal Trade Commission (“FTC”) a letter urging the FTC to update the regulations (“COPPA Rules”) implementing the Children’s Online Privacy Protection Act (“COPPA”).

Through regulations known as the “COPPA Rule,” state attorneys general are authorized to bring actions as parens patriae in order to protect their citizens from harm.  In the March 7 letter, the AGs noted that it has been more than ten years since the COPPA Rule was amended, and the digital landscape is much different now than in 2013.  The AGs specifically point to the use of mobile devices and social networking.

Unsurprisingly, the AGs recommend that the COPPA Rule container stronger protections.  For example, the AGs recommend that the definition of “personal information” be updated to include avatars generated from a child’s image even if no photograph is uploaded to the site or service; biometric identifiers and data derived from voice, gait, and facial data; and government-issued identifiers such as student ID numbers. 

Additionally, the AGs suggest that the phrase “concerning the child or parents of that child”, which is contained in the definition of “personal information” should be clarified.  Specifically, the AGs state that if companies are linking profiles of both parent and child, then the aggregated information of both profiles can indirectly expose the child’s personal information such as their home address even when it was not originally submitted by the child.  To “clos[e] this gap,” the AGs suggest amending the definition of personal information to include the phrase “which may otherwise be linked or reasonably linkable to personal information of the child.”

In addition to broadening the definition of personal information, the AGs also suggest two revisions that could materially impact how businesses use data.  First, the AGs suggest that the exception for uses to support “internal operations of the website or online services” to limit personalization to user-driven actions and prohibit the use of personal information to maximize user engagement.  Second, the AGs suggest that the FTC limit businesses’ ability to use persistent identifiers for contextual advertising.  While the focus in general privacy laws is on cross-contextual advertising – i.e., advertising that is based on activity across businesses – the AGs argue that advancements in technology allow operators to serve sophisticated and precise contextual ads, often leveraging AI.

While it still remains to be seen how the FTC amends the COPPA Rule, it is safe to say that the bipartisan AG letter should be interpreted as a signal that AGs across the country are increasingly focused on how businesses process children’s data.  Especially in states where comprehensive privacy laws are in effect (or going into effect soon), we should expect aggressive enforcement on the issue.