The U.K. Information Commissioner's Office's Age Appropriate Design Code, or Children’s Code, is the new kid on the privacy block, with enforcement beginning September 2021. The Children’s Online Privacy Protection Act represents the closest U.S. counterpart, with the U.S. Federal Trade Commission rules last revised in 2013. While both aim to protect children’s privacy, the rules have different philosophical underpinnings and motivational concerns. This leads to different protections and different compliance risks, as well as questions for companies with international footprints. 

COPPA was designed to put parents in control, the Children’s Code to put children’s interests first

COPPA broadly requires that online services get verifiable parental consent before collecting personal information from young children. While it has (largely unappreciated) additional requirements beyond parental consent, it is firmly rooted in a notice and consent framework. The Children’s Code, in contrast, sets forth standards for services to consider during design and explains how services can build in privacy by default. 

But the Children’s Code is not just a more modern approach to data protection; it is also animated by different concerns about children’s digital rights that have been missing from U.S. policy discussions. 

COPPA’s authors were worried parents were losing their traditional role as gatekeepers and the internet was exposing children to physical predators and predatory marketing. The FTC had recommended “Congress develop legislation placing parents in control of the online collection and use of personal information from their children.” “Enhancing parental involvement” in kids’ online activity was a legislative goal

The Children’s Code stems from the EU General Data Protection Regulation and the U.K. Data Protection Act. It is grounded in the United Nations Convention on the Rights of the Child, which recognizes children’s rights to expression, thought, privacy, and play and the special safeguards children need as they grow. The code’s goal is not to return parents to some traditional gatekeeping role but rather that companies put “the best interests of the child first.”

Different audiences and obligations

These different philosophies are reflected in the laws’ coverage. First and foremost is who is a protected “child.” Due to political concerns over inserting parents into teens’ lives, COPPA defines children as under 13. The Children’s Code, in contrast, defines child per global conventions and so includes everyone under 18.

This affects who must comply. Children under 13 are on fewer sites than children under 18. COPPA further limits coverage by only applying to services “directed to” children based on various factors, and those with “actual knowledge” are collecting personal information from kids. “Actual knowledge” is undefined but has been strictly interpreted by the FTC. The Children’s Code casts a much broader net. It applies to almost all services “likely to be accessed” by children under 18.

The differing goals of “reinserting parents as gatekeepers” versus “prioritizing best interests of the child” are also reflected in different obligations. While it has other provisions, COPPA seeks to inform and involve parents — services cannot collect, use or disclose a child’s personal information without verifiable parental consent. Additional rights, such as access and deletion, lie with parents. The Children’s Code seeks to empower children, and given that a child could be 5 or 17, appropriate protections vary. It includes 15 flexible standards that encompass traditional data protection topics, like transparency and newer concerns, such as manipulative design and profiling. (Helpfully, if consent is sought, the U.K. also requires parental consent for those under 13.)

Code standards require services to consider audience age ranges and different processing risks. Transparency is needed, and detrimental uses are prohibited, but what those concepts mean for a toddler are different than for a teen. All children need (age-appropriate) access and deletion rights. Data minimization is by default, and choices must meet a child where they are located. Even parental controls must be paired with child-appropriate information. 

Many COPPA enforcement debates center around whether COPPA applies in the first place (e.g., Musical.ly/TikTok and YouTube). And, indeed, many companies “comply” with COPPA by seeking to avoid its application entirely. When COPPA does apply, compliance typically involves satisfying agreed-upon rules and using an approved method for obtaining parental consent. 

Debates about the Children’s Code should center less on whether it applies — if there is a question, it probably does. Instead, enforcement is likely to consider whether a service lives up to the risk-based standards. Sites cannot get consent — from a parent or a child — and then proceed as normal. 

Complying with both

While additional steps will be needed to follow the Children’s Code, it is possible to empower children and ensure that — for young children — parents are involved and informed. For sites and services directed to children under 13 or with actual knowledge of children under 13, what additional steps are needed? 

Certain Children’s Code provisions already echo basic principles found in the FTC Act and U.S. common law. Specifically, do what you promise, and don’t break the law. 

Other provisions may already be satisfied by virtue of complying with COPPA or can be used to interpret and inform compliance. The notion of risk-based age assessments exists under COPPA, which permits a lower level of verifiable parental consent (“email plus”) for lower risk uses and permits services to avoid age gating if they collect no information. Similarly, the code’s provisions around “data minimisation,” “nudges” and “privacy by default” are entirely consistent with COPPA’s prohibition on conditioning participation on “the child disclosing more personal information than is reasonably necessary to participate in such activity” and not collecting information from children without consent. 

There are additional requirements, however. The Children’s Code requires implementing a data protection impact assessment. Additional — but still compatible — efforts will need to be taken concerning “transparency,” “parental controls” and giving children online tools. COPPA already requires different types of notices to parents; the Children’s Code will mean services also have to provide information to children. This can begin for audiences 10 and above where the code instructs information should be in formats suitable for parents and children. For younger children, the primary audience for privacy notices remains parents.

Similarly, services offering parental controls must explain to children what this means, with more explanation required as children grow older. And instead of enabling only parents to access or delete information, services should provide opportunities for children to ask for help or exercise their rights alone or with help. COPPA-covered services will need to ensure they have parental consent for these types of interactions with children to the extent additional information is collected or processed. So, services would be advised to structure them in a way that limits further information collected from children. 

More complicated questions arise when faced with questions of data sharing, tracking geolocation and profiling — under the Children’s Code these cannot be done without a compelling reason. Under COPPA, these cannot be done without parental consent (with the debatable exception of profiling for internal uses, but this should exclude commercial profiling). Parental consent is not likely to be in and of itself a compelling reason, so compliance with the Children’s Code here will likely require additional steps, and to the extent that service under COPPA is supported by behavioral ads, a rethinking of the business model. (Note: This is entirely in line with congressional proposals to update COPPA, multiple of which would prohibit behavioral advertising to children under 13 entirely, regardless of consent or a compelling reason.)

A service that falls under both may get parental consent at the outset to comply with COPPA, but such consent is likely to only be to allow for the future turning on of geolocation, profiling or data sharing if a separate compelling reason is demonstrated. And, as under the GDPR in general, consent is disfavored as a lawful basis, so services should consider other ways to justify core processing.

What’s next?

Keeping parents involved can be consistent with putting children’s best interests first. And as other countries develop their own models (shout out to Ireland), companies should take some comfort in the fact that many of the changes necessitated by the Children’s Code are likely to be required elsewhere and will put them in good stead to comply with the proposed U.S. updates. 

Photo by Ben Wicks on Unsplash