- The expansion of protected data
- Upcoming children’s privacy regulations to watch
- 5 tips to maintain compliance
Read more below.
New Regulation Seeks to Raise Age of Consent for Minors and Launch “Youth Marketing and Privacy Division” at the FTC
Children’s privacy issues are making headlines right now. Remote schooling, canceled social activities, and social distancing during COVID left many children spending a lot more time on the internet. Parents working from home had the chance to see what their children were exposed to online, and parents working outside the home had to worry about what their children were experiencing in their absence. Then Facebook raised the alarm among parents, privacy experts, and state attorneys general when it announced its intention to launch an Instagram network for young children.
As children’s privacy issues come to the fore, lawmakers and AGs are responding with new regulations and new enforcement priorities. The rules are changing, so it’s a good time for privacy teams to take stock of their organizations’ practices and policies regarding children’s PII.
New Regulations, New Enforcement for Child Privacy
The U.S. Children’s Online Privacy Protection Act (COPPA), which defines how websites and applications can collect data from users under the age of 13, has been revised by the FTC only once since its passage in 1998. The revised rules expanded the types of information that required consent before collection and extended COPPA-covered entities to include third parties.
However, with the growth of social media, online tracking, and behavioral advertising, children’s privacy advocates are concerned that the current version of COPPA doesn’t offer adequate protection. For many, even the FTC’s $170 million settlement with Google isn’t enough of a deterrent to keep big tech companies from gathering and using children’s data.
In response, U.S. Senators Edward J. Markey of Massachusetts and Bill Cassidy of Louisiana have introduced a new Children and Teens’ Online Privacy Protection Act. If passed, this act would amend COPPA to include minors up to 15 years old.
The law would also expand the organizations covered by COPPA from websites and applications specifically aimed at children (an oft-exploited loophole under COPPA) to any organization that should reasonably know that minors are using its services.
Additionally, the proposed regulation would expand the definition of children’s personal information to include geolocation, biometrics, and other data, consistent with the expansion of protected information in other privacy regulations.
The other major U.S. regulation governing children’s privacy, the Family Educational Rights and Privacy Act (FERPA), is also under review. A new report by the U.S. Congressional Research Service recommends that Congress amend the law to give parents and students a private right of action if educational institutions fail to protect the privacy of students’ educational records and PII.
New state laws in the U.S. are also strengthening child privacy protection. For example, the California Consumer Protection Act imposes new opt-in consent requirements for children 13 to 16 years old (with parental consent required for children under 13), and California’s Attorney General has said he will make enforcing child privacy rules a top priority. Litigation risk is also increasing as CCPA and other laws are expanding the private right of action for privacy violations.
Internationally, child privacy is also taking center stage. The GDPR sets the age of consent for data collection at 16, forbids automated processing or profiling of minors’ data, and requires kid-friendly privacy policies. Despite COVID-related delays, regulations in Australia, Brazil, India, and South Korea are quickly following suit.
Helping Your Organization Maintain Child Privacy Compliance
With regulatory and enforcement changes on deck, it’s a good time for privacy teams to educate their organizations and review policies and practices around child privacy. Here’s a quick checklist:
- Together with IT, review data maps to identify whether and where personal information of minors is being collected, how it is being managed, and how it could be minimized.
- Review risk analysis and incident response processes to ensure new child privacy requirements are reflected. (Ideally, you’re using an intelligent breach response platform that will instantly and automatically apply new regulations to help determine notification requirements.)
- Review and update privacy policies, consent mechanisms, and data deletion procedures to meet new child privacy requirements.
- Review partner agreements to make sure your partners are also in compliance.
- Update business managers on child privacy issues and engage with business planning teams to proactively protect children’s PII.
Reading the Crayon on the Wall
The renewed focus on children’s privacy is a sign of the times: privacy is top of mind for consumers. As evidence, witness the fact that just 15% of iPhone users worldwide have opted in to allow tracking after Apple rolled out its new iOS.
And if parents are concerned about their own privacy, how much more protective will they be if their children’s privacy is violated? What reputational damage, regulatory consequences, or legal actions could result?
Short answer: your business doesn’t want to find out. If you keep your organization ahead of the child privacy issue, with any luck, it won’t have to.
Radar incident response software simplifies compliance with automated multi-factor risk assessment that gives you clear and consistent breach notification obligations amid new laws and changing definitions of PII.