Businesses that collect, use and disclose children’s personal information are already subject to strict legal requirements. The U.S. Children’s Online Privacy Protection Act of 1998 establishes detailed rules for operators of websites and online services that collect information from children under the age of 13. And comprehensive privacy regimes in other jurisdictions impose stringent requirements on online and offline processing of children’s information. Businesses are also acutely aware of the reputational harm that can result from compromising children’s privacy or generally failing to shield children from unsafe content and situations. Two recent legal developments in the U.S. are set to add further restrictions around processing children’s and minors’ personal information.
California's new law: Opt-in consent for sharing children's personal data
The California Consumer Privacy Act of 2018, which comes into effect Jan. 1, 2020, will govern the “selling” of Californian residents’ personal information. “Selling” is defined broadly under the CCPA to include any sharing of personal information for valuable consideration, which covers information sharing arrangements that might not conventionally be thought of as selling personal information. For example, since the CCPA defines personal information to include IP addresses, cookies, beacons, pixel tags, mobile ad identifiers and similar identifiers that can be used to track a unique consumer, family or device over time and across different services, disclosing a unique identifier to an advertising network so that it can target ads for other network members would likely constitute the selling of personal information under the CCPA.
If a company wishes to sell the personal information of a Californian minor under the age of 16, the CCPA requires it to first obtain their opt-in consent. And if a company wishes to sell the personal information of a Californian child under the age of 13, it must first obtain opt-in consent from their parent or guardian. A business that willfully disregards the age of a California resident will be deemed to have had actual knowledge of their age, and an intentional violation of CCPA, which typically requires actual knowledge of noncompliance, can result in penalties of up to $7,500 per violation.
Unlike COPPA, the CCPA’s youth-specific requirements apply even if the personal information was not collected from the children or minors themselves. This has implications for businesses that incidentally collect youths’ personal information, such as where a parent uploads a photo of their child to an online platform and the operator receives some consideration for disclosing uploaded photos wholesale to a facial-recognition software developer. Businesses subject to the CCPA should therefore carefully consider whether they potentially collect and sell any personal information from Californian youths and, unless the answer is demonstrably no, implement processes to:
- Determine the age of Californian residents to avoid charges that they willfully disregard their age.
- Obtain affirmative parental or guardian consent for children under 13 years and affirmative consent from minors between 13 and 16 years to sell their personal information, such as by using consent forms that include some means of verifying the identity of the individual providing their consent and their relationship to the data subject, if different.
- Document such consents in a secure manner.
The COPPA regime describes various acceptable methods for obtaining verifiable consent, and these could be useful for CCPA compliance, too. See here for more information about how to comply with the CCPA.
Bipartisan Senate bill would significantly expand scope and requirements of COPPA
In March 2019, Sens. Edward Markey, D-Mass., who authored COPPA, and Josh Hawley, R-Mo., introduced a bill to amend COPPA that would establish strict new rules regarding how operators of online services and manufacturers of internet-connected devices may process children and minors’ personal information. Some key proposed amendments include:
- Codifying fair information practices principles with respect to minors’ information: Regulated operators would be required to abide by eight principles regarding the collection, use and disclosure of personal information of minors between the ages of 13 to 15. These include to only collect information consistent with the context of a particular service, transaction or relationship; use information for purposes that have been specified to the data subject and obtain consent for new purposes; and retain information for as long as necessary to fulfill such purposes. The Federal Trade Commission has long recommended that these types of fair information practices principles be incorporated into consumer privacy laws, so the proposed bill marks a significant codification of such principles under U.S. federal law.
- Governing operators with constructive knowledge that they collect children’s or minors’ information: COPPA currently applies to operators of online services that are directed at children or who have actual knowledge that they collect children’s personal information. The bill would change this “actual knowledge” standard to a “constructive knowledge” standard, meaning that the amended law would apply to operators that should, as opposed to must, have known that they were collecting personal information from children and minors. This is consistent with the CCPA clause providing that willfully disregarding an individual’s age will not provide a means of avoiding responsibility and would increase the impetus for operators of online services to determine the age of all users in case some might be children or minors.
- Prohibiting the use of children’s personal information for targeted marketing: Regulated operators would not be permitted to collect, use or disclose a child’s personal information for the purposes of targeted marketing, which is defined to include directing advertisements at an individual or device based on the personal information of that individual, a unique identifier of that device, or psychological profiling. Regulated operators would only be permitted to process a minor’s personal information for targeted marketing purposes with their consent. These rules would effectively require regulated operators to deactivate all targeted marketing activities on webpages and services directed at children and only activate such functionality on services not directed at children where the user is demonstrably 16 years of age or older or a minor who provided their affirmative consent.
- Regulating the design, security and packaging of connected devices for children and minors: The bill defines “connected device” to mean any device capable of connecting to the internet or to another connected device and would include internet-connected game consoles, baby monitors and children’s GPS trackers, as well as phones, tablets and computers. If the bill is passed, manufacturers of connected devices directed to children or minors must prominently display on the device’s packaging a standardized and accessible privacy dashboard containing prescribed details, such as whether, what and how children and minors’ personal information is collected, used and disclosed; the extent to which the device meets the "highest cybersecurity and data security standards"; and how parents and minors can control the manner in which the device processes personal information.
These developments illustrate that rules around the processing of children’s and minors’ information are becoming increasingly stringent. Businesses and intermediaries that may receive personal information from children and minors should update their compliance programs to focus on limiting the processing of such information, providing clear and complete legal notices, obtaining parental and guardian consent as required, reacting promptly to the inadvertent processing of sensitive personal information, and, in the case of services focused on building communities, moderating content shared within such communities to protect children and minors from harm.
If you want to comment on this post, you need to login.