Regulatory interest in the United States regarding children’s privacy and related online harms is increasing. In his State of the Union address on March 7, 2024, President Biden called on Congress to pass “bipartisan privacy legislation to protect our children online.”[1] The FTC proposed to amend the Children’s Online Privacy Protection Rule (“COPPA”) to place new restrictions on the use and disclosure of children’s personal information and additional limits on the ability of companies to condition access to services on monetizing children’s data. [2] California passed the California Age-Appropriate Design Code Act in 2022, which (if it goes into effect), would be the first state law to address children’s privacy specifically.[3] Several states, such as Minnesota, Nevada and New Mexico, are following suit in proposing similar legislation.[4] This article takes a look at the current state of play on this topic in the United States and how this may change moving forward.
Current state of play
Federal
COPPA is the main federal privacy law regulating children’s online privacy.[5] It originally came into force on April 21, 2000, and an amendment to COPPA took effect on July 1, 2013. COPPA applies to children under the age of 13 and imposes obligations on:
- operators of commercial websites and online services directed at children under 13 that collect, use, or disclose personal information from children;
- operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and
- websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
The FTC states that the primary goal of COPPA is to “place parents in control over what information is collected from their young children online.”[6] COPPA aims to achieve this by requiring the operators listed above to take a number of actions including the following with respect to children under 13:
- post a clear and comprehensive online privacy policy detailing their information practices for personal information collected online from children;
- give direct notice to parents and obtain verifiable parental consent (with limited exceptions) prior to collecting personal information online from children;
- provide parents the choice of consenting to the operator’s collection and internal use of a child’s personal information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, which must then be made clear to parents);
- give parents the option to access and / or delete their child’s personal information;
- provide parents the option to stop future use or online collection of a child’s personal information;
- protect the confidentiality, security, and integrity of personal information collected from children, including by taking reasonable measures to share this information only with parties able to preserve its confidentiality, security, and integrity;
- store personal information collected online from a child only for as long as reasonably necessary to achieve the purpose for which it was collected and to delete such information using reasonable measures to protect against its unauthorized access or use in connection with its deletion; and
- not condition a child’s participation in an online activity (such as a game or the offering of a prize) on their provision of more personal information than is reasonably necessary to participate in said activity.
States
At the state level, there are a number of state laws that apply to children’s privacy. We discuss below examples that showcase the range of approaches.
California
California Consumer Privacy Act
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, “CCPA”), is the first state law to address privacy generally[7]. With respect to children’s privacy specifically, under the CCPA, a business cannot sell or share the personal information of a child under the age of 13 without the affirmative prior consent of the child’s parent or guardian, and cannot do the same with respect to a child aged 13 to 15 without the child’s affirmative authorization.
California-Age Appropriate Design Code Act
The California Age-Appropriate Design Code (“CAADC”) would also be the first state law to address children’s privacy specifically. CAADC is preceded and inspired by a similar code in the United Kingdom[8]. CAADC’s underlying principles are that:
- businesses that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that online service, product, or feature; and
- where a conflict arises between commercial interests and the best interests of children, businesses should prioritize the privacy, safety, and well-being of children over commercial interests.
As such, the CAADC goes beyond COPPA. For example, it:
- expands the definition of children from children under 13 to all minors under the age of 18;
- applies to businesses with online services, products or features that are “likely to be accessed by children,” not just the more limited set of operators and online service providers listed in the “Federal” section above;
- requires such businesses to conduct a data protection impact assessment before any new online service, product or feature is offered to the public, to analyze whether their service, product or feature will likely be accessed by children and whether it will harm children;
- requires such businesses to estimate the age of children accessing their service, product or feature with a reasonable level of certainty appropriate to, and a level of assurance proportionate to, the risks posed by its data management practices;
- requires such business to configure default privacy settings to a high level;
- prohibits the use of any child’s personal information in a manner that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or wellbeing of a child;
- prohibits the collection, sharing or selling of a child’s precise geolocation information unless it is “strictly necessary” for the business to provide the service, product or feature and, even then, it is permissible only for the limited time that the collection of precise geolocation information is necessary to provide the service, product or feature; and
- prohibits the use of “dark patterns” (which the FTC has described as “design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm,” which is similar to the concept of “nudge techniques” in the United Kingdom)[9] to lead or encourage children to: (i) provide personal information beyond what is reasonably expected to provide that online service, product or feature; (ii) forego privacy protections; or (iii) take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health or wellbeing.
The CAADC was set to come into force on July 1, 2024. However, on September 18, 2023, a California federal court granted a motion for preliminary injunction enjoining the enforcement of CAADC.[10] The court found that, inter alia, even though the stated goal of CAADC (“protecting children when they are online”), was important, the plaintiff was likely to succeed on merits of its claim that provisions of CAADC did not satisfy commercial speech scrutiny under the First Amendment. On October 18, 2023, the Attorney General of the State of California filed an appeal to the preliminary injunction decision.[11] Oral arguments are scheduled to be heard on July 17, 2024.
Virginia, Connecticut and Utah
The Virginia Consumer Data Protection Act (“VCDPA”) went into effect on January 1, 2023.[12] The Connecticut Data Privacy Act (“CDPA”) went into effect on July 1, 2023.[13] The Utah Consumer Privacy Act (“UCPA”) went into effect on December 31, 2023. [14] These laws are generally aligned with COPPA in that all three laws state businesses that comply with the verifiable parental consent requirements of COPPA are deemed compliant with any obligation to obtain parental consent under each act.
Colorado
The Colorado Privacy Act (“CPA”) went into effect on July 1, 2023.[15] Like VCDPA, UCPA and CDPA, it does not amend COPPA’s definition of a “child” as an individual under 13 years of age. However, CPA goes further than those acts in that it excludes from its scope any personal information covered by COPPA.
Proposals
FTC
The FTC is focused on using several tools to crack down on platforms and service providers that use children’s data, including taking aggressive enforcement action and exploring the possibility of creating new regulations under COPPA. The FTC stated that they are “really worried that the recent proliferation of data-hungry AI models will turbocharge all of these risks [associated with manipulating users’ data].”[16]
On December 20, 2023, the FTC proposed changes [17] to COPPA that would place new restrictions on the use and disclosure of children’s personal data and further limit the ability of companies to condition access to services on monetizing children’s data. Some of the proposed changes include:
- Requiring separate opt-in for targeted advertising. Building off the existing consent requirement in Section 312.5 of COPPA, website and online service operators covered by COPPA would be required to obtain separate verifiable parental consent to disclose information to third parties (including third-party advertisers), unless the disclosure is integral to the nature of the website or online services.
- Prohibition against conditioning a child’s participation on the collection of personal information. This proposal will reinforce the current rule that prohibits conditioning participation in an activity on the collection of personal data. Specifically, the collection of personal data must be limited to what is necessary for the child to participate in the game, activity, or receive a prize. The FTC is also considering adding new language to clarify what constitutes an “activity” with regards to children’s data and privacy.
- Limits on the support for internal operations exception. The current rule allows operators to collect persistent identifiers without first obtaining verifiable parental consent if the operator does not collect any other personal information and uses the persistent identifier only to provide “support for the internal operations of the website or online service.” Under the proposed rule changes, operators that would like to use this exception must state in their online notice the specific internal operations for which the operator has collected a persistent identifier and how they will ensure that such identifier is not used or disclosed to contact a specific individual, including through targeted advertising.
- Limits on encouraging kids to go online and stay online. Operators would be prohibited from using online contact information and persistent identifiers to send push notifications to children to prompt them or encourage them to use the service more. If operators engage in any such practice, they would also be required to flag such usage in their COPPA-required direct and online notices.
- Changes related to educational technology. The FTC has proposed codifying its current guidance on educational technology to prohibit the commercial use of children’s information and implement additional safeguards. The proposed rule would allow schools and school districts to authorize educational technology providers to collect, use, and disclose students’ personal information only for a school-authorized educational purpose but not for any commercial purpose.
- Increased accountability for Safe Harbor programs. The proposed rules would increase the transparency and accountability of COPPA Safe Harbor programs, including requiring each program to publicly disclose its membership list and report additional information to the FTC.
- Strengthening data security requirements. The FTC has proposed strengthening COPPA’s data security requirements by mandating that operators establish, implement, and maintain a written children’s personal information security program that contains safeguards that align with the sensitivity of personal information collected from children.
- Limits on data retention. The FTC would also strengthen COPPA’s data retention limits by allowing personal information to be retained only for as long as necessary to fulfill the specific purpose for which it was collected. It would prohibit operators from using retained information for any secondary purpose and explicitly prohibits operators from retaining the information indefinitely. The proposed changes would require operators to establish, and make public, a written data retention policy for children’s personal data.
- Changes in definitions. The FTC has also proposed changes in the definitions relating to COPPA, including expanding the definition of “personal information” to include biometric identifiers, and stating that the FTC will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites and services to determine whether a website or service is directed towards children.
These proposed changes aim to shift the burden from parents to operators of these websites that target children to ensure that digital services are safe and secure for them.
The FTC is increasingly focused on preventing companies from monetizing data collected from users under 18 years of age, preventing companies from collecting unauthorized children’s data, and ensuring that children’s privacy is top of mind for companies.
Other federal bodies
Certain bills in Congress have been focused on expanding data privacy and safety protections for children online. On February 15, 2024, a bipartisan group of 62 senators [18] announced their support for an updated version of the Kids Online Safety Act (“KOSA”). The new changes introduced focus on a “duty of care” provision to prevent harm to minors, especially regarding design features (such as personalized recommendation systems, nudges, and appearance altering filters). This bill also bans targeted advertising to children and teens and extends existing privacy protections to cover 13- and 16-year-olds.
The FTC would be tasked with enforcing KOSA, and this proposed bill would preempt state laws that conflict with it while maintaining state laws that provide more protection for children. Groups and companies such as X, Microsoft, Snap, Nintendo of America, National Association for the Advancement of Colored People, Christian Camp and Conference Association, The Foundation United, and Parents for Safe Online Spaces and Street Grace have backed this bill.
States
As states grapple with how to deal with children’s privacy, they are focused on addressing several key issues, including the mental and emotional effects of collecting children’s data, the regulation of personal information such as precise geolocation information and biometric information, expanding the definition of “children” to include individuals up to 18 years old, and focusing on a wider range of websites that collect information from children.
Although there is no singular approach to children’s privacy, many states impose a duty of care on businesses to avoid a heightened risk of harm to the minors, require verifiable consent, and are focused on improving the minors’ mental health and wellbeing.
Conclusion
Overall, the pervasive use of technology by children has sparked calls for increased regulation and scrutiny on companies’ practices regarding children’s data and safety. Companies and businesses should focus on strengthening their privacy protections, consider their targeted advertising practices towards children in light of increasing regulation and scrutiny, and consider implementing stronger protections around verifiable parental consent and appropriate notice of collection around children’s data.
Footnotes
[1] The White House: Remarks by President Biden in State of the Union Address
[2] Federal Trade Commission: FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Companies’ Ability to Monetize Children’s Data
[3] California: California Age-Appropriate Design Code Act
[4] Minnesota: Age-Appropriate Design Code Bill; Neveda: Age Appropriate Design Code Bill; New Mexico: Age Appropriate Design Code Bill
[5] Federal Trade Commission: Children’s Online Privacy Protection Rule
[6] Federal Trade Commission: Complying with COPPA: Frequently Asked Questions
[7] California: California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act 2020
[8] Information Commissioner’s Office: Children’s Code
[9] Federal Trade Commission: Bringing Dark Patterns to Light; Information Commissioner’s Office: Children’s Code – Nudge techniques
[10] Netchoice, LLC v. Bonta, -- F.Supp.3d---, 2023 WL 6135551
[11] NetChoice, LLC v. Bonta, Docket No. 5:22-cv-08861 (N.D. Cal. Dec 14, 2022)(“Notice of Preliminary Injunction Appeal” filed Oct. 23, 2023, ECF No. 74.)
[12] Virginia: Consumer Data Protection Act
[13] Connecticut: Connecticut Data Privacy Act
[14] Utah: Utah Consumer Privacy Act
[15] Colorado: Colorado Privacy Act
[16] Law 360: FTC Not Backing Down In Kids' Privacy Arena, Chair Says
[17] Federal Trade Commission: FTC Proposed Strengthening Children’s Privacy Rule to Further Limit Companies’ Ability to Monetize Children’s Data
[18] Law 360: 62 Senators Support Updated Kids Online Safety Act