The Federal Trade Commission (FTC) issued a notice of proposed rulemaking to strengthen data security requirements and modernize certain aspects of the Children’s Online Privacy Protection Act (COPPA) Rule.

The FTC announced its proposal Wednesday, after four years of reviews, workshops, and soliciting public feedback regarding whether the rule needed to be updated. The last time the agency changed COPPA was in 2013.

The aim of the latest round of potential changes to the rule is to “shift the burden from parents to providers to ensure that digital services are safe and secure for children,” the agency said. Requirements being proposed include:

  • Having online service operators covered by COPPA obtain separate verifiable parental consent to disclose information to third parties;
  • Prohibiting conditioning a child’s access to an activity on collection of personal information;
  • Implementing additional safeguards regarding use of education technology;
  • Mandating operators establish, implement, and maintain a written children’s personal information security program that contains appropriate safeguards; and
  • Strengthening the rule’s data retention limits to allow personal information to be retained only for as long as necessary.

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina Khan in the agency’s press release. “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.”

The proposal also seeks to expand the definition of “personal information” to include biometric identifiers.

The public will have 60 days to comment on the proposal, following its publication in the Federal Register.

The FTC earlier this year fined Microsoft and Amazon in cases alleging COPPA violations.