There’s not enough awareness that compliance can’t be a cut-and-paste job when it comes to kids.
Just because you’re compliant with the Children’s Online Privacy Protection Act (COPPA) doesn’t mean you’re compliant with the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR).
Plus, US states are coming out with their own privacy bills, many of which address child data collection.
Although there is some overlap between these laws and proposals, there’s enough nuance to make your head spin.
“The fact is, there are a lot of variations to deal with,” said David Keating, a partner at Alston & Bird and a co-leader of the firm’s privacy and data security team.
Besides the current variations, the situation is incredibly volatile.
The Federal Trade Commission, which held a day-long workshop on potential COPPA rule changes in October 2019, is now in the midst of sifting through the more than 175,000 comments it received in response to a call for feedback on possible updates to the law.
The industry is also waiting for the California attorney general’s office to finalize implementation regs for the CCPA, which should happen sometime before the enforcement date on July 1. The AG’s draft regs include expansions of the child-specific sections of the CCPA.
Here’s a cheat sheet to help you get a handle on the state of play for child data protection laws.
COPPA doesn’t prohibit targeting children 13 and under with advertising, but it does establish parameters for how to collect and handle the personal information of children.
The law requires the operators of sites or online services directed at children under 13 to obtain “verifiable parental consent” before collecting data, with exceptions for activities that support “internal operations,” such as frequency capping, contextual advertising, site analysis and network communications.
Under COPPA, general audience sites that aren’t primarily aimed at kids only have liability if they gain “actual knowledge” that kids are using their service, said Kate O’Loughlin, COO for North America at kid tech company SuperAwesome.
This creates a perverse incentive for companies to engage in a version of “don’t ask, don’t tell,” aka, to willfully disregard whether they’ve got kids on their platform.
YouTube was fined $170 million late last year for violating COPPA, in large part because the FTC found that Google was well aware that a significant percentage of its users were children under 13.
The CCPA is actually more stringent than COPPA on the kids front.
“Effectively, marketers’ and publishers’ strategies for COPPA compliance now need to be extended to their engagement with under-16s,” O’Loughlin said.
For one, CCPA raises the age of consent to 16 for California residents, said Dimitri Sirota, CEO of BigID, a startup that helps companies with their data governance. The CCPA, which applies to online and offline data collection, is generally an opt-out law. But in the case of kids, businesses are required to get an opt-in from consumers between 13 and 16, and verifiable parental consent for the under-13 set in order to collect or sell their data.
The CCPA defines “sell” broadly, and the definition likely includes the work that companies do with third parties, such as ad networks.
“This means that behavioral advertising can’t be the auto-default in content attractive to tweens and teens,” O’Loughlin said.
The CCPA standard is also higher when it comes to actual knowledge. If a company willfully disregards the age of its users, it’s liable under the law. “It’s an important forcing function for companies to embrace their kid, tween and teen users, instead of hiding them,” O’Loughlin said.
Also, the attorney general’s implementation regs, although not finalized, would require businesses to certify that the person giving consent on behalf of a child under 13 is actually the child’s parent or legal guardian. Once a business receives affirmative authorization for data collection, it’s then required to inform the parent or guardian that they have the right to opt out at a later date and at any point.
GDPR pour les enfants (or kinder … or niños)
The General Data Protection Regulation sets the age of consent at 16, although individual member states in the EU are able to lower the age to a minimum of 13 when they implement the law in their respective region.
For example, the age of consent is 16 in Germany, 15 in France, 14 in Spain and 13 in Norway.
Businesses are required to obtain consent from a parent or legal guardian in order to process a child’s data. Collecting the data of children under 13 is prohibited.