Children and Teens’ Online Privacy Protection Act

The bill widens who is covered by COPPA to include “teens,” defined as ages 13 to 16, not just children under 13. It updates the definition of “operator” so that most commercial websites, online services, online apps, and mobile apps that collect young users’ data are covered, but it excludes tax‑exempt charities. It also broadens the list of what counts as personal information, adding things like precise location data, biometric data (such as fingerprints or face templates), photos, videos, audio with a child’s or teen’s voice, and data that can be linked back to a child, teen, or their parent. Operators may not collect, use, disclose, or keep children’s or teens’ personal information for the purpose of individual-specific (targeted) advertising to minors. They also may not collect personal information from a child or teen unless it fits the context of the service, is needed to complete a transaction or provide a requested service, or is required or allowed by law. Operators must delete personal information when it is no longer reasonably needed for the requested service, unless law requires them to keep it. If an operator stores, transfers, or gives access to children’s or teens’ data in certain foreign “covered nations,” it must give notice to the parent or teen. The bill replaces “parental consent” with a broader “verifiable consent” standard that can come from a parent (for children) or from the teen. Operators must give clear and easy‑to‑find privacy notices and obtain verifiable consent before collecting personal information in many cases, and again before any material change in how they use or share that information. Parents of children and teens themselves gain rights to see what information has been collected, delete it, refuse further use or collection, and challenge and correct inaccurate data. Operators must have reasonable security practices to protect children’s and teens’ data against unauthorized access. For services used in schools, the bill allows operators to rely on agreements with educational agencies or schools instead of direct consent from each parent or teen, as long as data are used only for educational purposes and certain notice, access, and deletion rights are provided through the school. The bill directs the FTC to write or update regulations to carry out these requirements, including rules on when operators can end service if consent is refused and when they must continue service even if data are deleted. It also requires the FTC to study and, if feasible, allow a “common verifiable consent mechanism” that could cover multiple related services, and it gives the FTC ongoing reporting duties to Congress about enforcement and about how large social media companies comply. Finally, the bill changes preemption so that states cannot enforce or create laws that conflict with this federal act in the same subject area. It clarifies that state attorneys general can bring actions to enforce violations of the core requirements. It also requires that any FTC rulemaking under this law include an analysis of the impact on small businesses and provides that if one part of the act is struck down, the rest can stay in effect.