“It’s time to strengthen privacy protections, ban targeted advertising to children, [and] demand tech companies stop collecting personal data on our children.” – President Joe Biden, State of the Union, March 1, 2022
On May 19, 2022, the Federal Trade Commission publicly renewed its focus on children’s privacy . In a policy statement issued unanimously by all five commissioners, the FTC warned that it will begin to “crack down on companies that illegally surveil children online.” Recently, there has been increased legislative activity in the United States regarding children’s data, and President Joe Biden in his State of the Union address spent considerable time calling for increased accountability regarding children’s data. We’ve summarized below some of the legislative activity in this space around existing children’s privacy laws and proposed new laws. This list is not meant to be exhaustive, but rather highlight the most recent activity in children’s privacy, a policy area that is constantly changing. There is little indication if or when the ballot measures may become law, but it is clear that children’s data protection is at the forefront of the current legislative landscape at the state and federal level.
INCREASED ENFORCEMENT OF COPPA:
The Children’s Online Privacy and Protection Act of 1998 is the preeminent US law protecting children’s privacy. It applies to all commercial websites or online services that direct their products or services to children under the age of 13, as well as to companies that have actual knowledge that they are collecting personal information from children under the age of 13.
COPPA imposes a number of requirements in order to collect the personal information of children, including:
- Posting an online privacy notice describing an operator’s information practices for personal information collected from children.
- Providing direct notice to parents and obtaining verifiable parental consent prior to collecting personal information from children.
- Providing parents with the choice of consenting to the operator’s disclosure of children’s data to third parties.
- Providing parents with access to their children’s personal information.
- Providing parents with the right to delete their children’s personal information.
- Providing parents with the right to opt out of future collection or use of their children’s personal information.
- Taking steps to protect the confidentiality, security and integrity children’s data.
As mentioned above, the FTC announced in May that it will prioritize the enforcement of COPPA, especially as it applies to the use of education technology, and will increase scrutiny of compliance “with the full breadth of the substantive prohibitions and requirements of the COPPA Rule and statutory language.”
PROPOSED STATE LEGISLATION:
California Age-Appropriate Design Code Act
The California Assembly unanimously passed the California Age-Appropriate Design Code Act on May 26, 2022, and the bill was presented in a state Senate hearing on June 28, 2022. If it passes the state Senate, the law will go into effect on July 1, 2024. The bill is modeled after similar legislation in the UK. It would protect children under the age of 18 and will require companies to “consider the best interest of children,” and “maintain the highest level of privacy possible for children by default” in every element of designing products and services. As part of this process, companies must:
- Undertake a Data Protection Impact Assessment for any good, service or product feature likely to be accessed by a child.
- Provide an obvious signal to the child when they are being monitored or tracked.
- Provide prominent tools to help children exercise their privacy rights and report concerns.
- Disable profiling by default.
- Prohibit disclosure of the personal information of any child by default.
- Prohibit the collection of any precise geolocation information by default.
- Prohibit the collection of any sensitive personal information by default.
Additionally, the law would create the California Children’s Data Protection Taskforce to enforce and implement the law.
PROPOSED FEDERAL LEGISLATION:
PROTECT Kids Act
Republican Rep. Tim Walberg of Michigan has introduced the Preventing Real Online Threats Endangering Children Today Act (PROTECT Kids Act) in the House of Representatives. The PROTECT Kids Act would amend COPPA to:
- Change the definition of a “child,” increasing the applicable age from under 13 to under 16.
- Capture geolocation information and biometric information in the definition of “personal information.”
- Extend COPPA’s requirements to the operators of mobile applications.
- Prohibit operators from terminating access to their services if a parent chooses to opt out of the further collection of their child’s personal information.
Additionally, the bill will require the FTC to conduct studies and prepare a report regarding COPPA’s “actual knowledge” standard.
Kids PRIVCY Act
Democratic Rep. Kathy Castor of Florida has introduced the Protecting the Information of our Vulnerable Children and Youth Act (PRIVCY Act) in the House of Representatives. The PRIVCY Act would amend COPPA to:
- Expand the scope of COPPA by having the law apply to a new category of “young consumers” over the age of 12 and under the age of 18, as well as to children under the age of 13.
- Expand the definition of “personal information” to include physical characteristics, biometric information, health information, education information, information collected in messages and chats, geolocation information, and audio or visual recordings.
- Prohibit targeted marketing to young consumers and children based on collected personal information.
- Repeal COPPA’s safe harbor provision permitting operators to rely on a safe harbor if an FTC-approved organization approves their privacy practices.
- Allow the FTC to apply 50% higher civil penalties (from $43,792 to $63,795 per violation).
- Provide a private right of action.
- Limit the disclosure of children’s personal information to third parties without a written agreement with the third party establishing scope, security and privacy protections.
Similar to the California Consumer Privacy Act, parental consent would need to be obtained prior to the collection of personal information from children under the age of 13, and opt-in consent would need to be obtained from young consumers over the age of 12 and under the age of 18.
Kids Online Safety Act
Democratic Sen. Richard Blumenthal of Connecticut and Republican Sen. Marsha Blackburn of Tennessee have introduced the bipartisan Kids Online Safety Act in the Senate. The act contains additional safeguards to protect children’s online experience, including:
- Requiring platforms to “enable the strongest settings by default.”
- Requiring platforms to create a dedicated channel to report harm to children.
- Creating a duty to prevent and mitigate harm to children (such as preventing content promoting self-harm, suicide, eating disorders, substance abuse and sexual exploitation).
- Requiring social media platforms to conduct annual independent audits assessing risks to children.
- Allowing academic researchers and nonprofit organizations to access data sets from social media platforms in order to research harms to the safety and well-being of minors.
Children and Teens’ Online Privacy Protection Act
Democratic Sen. Edward Markey of Massachusetts and Republican Sen. Bill Cassidy of Louisiana introduced the bipartisan Children and Teens’ Online Privacy Protection Act to the Senate. The bill would amend COPPA to:
- Prohibit companies from collecting the personal information from minors ages 13 to 15 without opt-in consent.
- Amend the “constructive knowledge” standard to “reasonably know.”
- Prohibit targeted advertising directed at children.
- Establish cybersecurity requirements for internet-connected products targeted toward children and minors.
- Create an “eraser button” for parents and children and minors to enhance the right to delete personal information.
- Establish a Youth Marketing and Privacy Division at the FTC.
As the novel use of technology and social media continues to increase for children and teens, so, it seems, will the conversation surrounding the privacy protections that should be afforded to them. While the above bills have been introduced in various legislatures, self-regulatory organizations such as the Better Business Bureau are calling for companies to take proactive steps to protect the personal information of vulnerable users as well. There is bipartisan agreement at the international level that more needs to be done to create a safe online environment for children and teens – and clients who direct their products or services at young people should be prepared to implement stronger privacy and security frameworks in the near future.