The US is currently very active in updating and enhancing its privacy protection framework. We already examined the US proposal for a comprehensive federal data protection act. In addition, US law on the protection of children’s privacy will likely undergo revision. So far, children’s online privacy is regulated under the Children’s Online Privacy Protection Act (COPPA). In this blog, we first look at what obligations COPPA imposes on businesses processing children’s personal information. We then outline the most important proposed revisions to COPPA (COPPA 2.0) and the proposed Kids Online Safety Act (KOSA) and highlight what you should know if your business comes within the laws’ scope.
COPPA applies to websites which collect, use or disclose children’s personal information. Even if you are not running a traditional ‘website’ but any other kind of online service, such as online games, online sale of goods or services or social network apps, your business is covered by COPPA. Importantly, the rules only apply if your service targets children. If you direct your services solely to children, such as kids’ games or toys connected to the internet of things, you must always adhere to COPPA. Conversely, if you target a general audience, COPPA only applies if either specific parts of your service are directly targeted at children or you have actual knowledge of children using your service (even if you mostly provide the service to adults). In case of doubt, it is always safer to adhere to COPPA’s rules! Importantly, if you are a non-US business but collect the information of US children, you must also respect COPPA’s rules.
Most importantly, when collecting or using personal information of a child under 13 years, you must request the parent’s prior consent. Before consent is obtained, you may only collect the information needed to determine the minor’s age. COPPA leaves it to each business to decide how it wishes to obtain parental consent. However, you need to provide clear information to the parents regarding the personal information you wish to collect, how you collect and use it and whether you intend to share it with third parties. Businesses must further take all reasonable steps to verify that the person providing consent is indeed the parent. You can, for instance, request consent via email, fax or electronic scan, or you can submit a questionnaire with questions that would generally be very hard to answer for anyone other than the child’s parent. Requesting a copy of the parent’s driver’s license or passport might be necessary. You must further allow parents to revoke consent at any time and have their child’s information deleted.
In limited instances, you may collect a child’s personal information without prior parental consent. Besides the information necessary to identify the child’s age, you may collect a child’s data where necessary to respond to a one-time request of the child, for instance if the child contacts you to ask a question. Once you have fulfilled the request, the data must be deleted. If the child requests a repetitive service, such as signing up for a monthly newsletter, you may collect the child’s information but must then inform the parents that you provided the service to their child (e.g. sent out your newsletter) and allow them to block their child’s use of your service at any time. Other situations in which the collection of personal information is permissible without prior consent include where this is necessary to protect the child’s safety, to protect the security of your service or to respond to legal proceedings. You may also always collect cookies, IP addresses or other persistent identifiers as long as this is necessary to run your website, e.g. to allow user authentication.
In all cases, you need to draft a comprehensive online privacy policy explaining how you collect personal information from children, provide parents access to their child’s data, limit the collection of personal information to what is necessary to provide your service and adopt strong confidentiality and security measures.
It is important that you are aware of your obligations under COPPA and comply with them. Otherwise, you may face high fines. COPPA is enforced by the Federal Trade Commission (FTC), which treats violations of the Act as deceptive trade practices and can impose civil penalties. Violations of the Act can cost you up to $43,000. At the state level, COPPA violations can be brought before federal courts by state attorneys general.
In July 2022, the US Senate Committee on Commerce, Science, and Transportation passed two federal bills strengthening children’s privacy online: COPPA 2.0 and the Kids Online Safety Act (KOSA).
COPPA 2.0 would amend the current rules of COPPA to increase its protection. Its most important change would be raising the age of application: it extends the Act’s scope to children under 16 years of age. Hence, you would then have to comply with all aforementioned parental consent obligations when collecting personal information of children up to an age of 15 years. Additionally, if you provide a general audience service, COPPA would no longer apply only once you have actual knowledge of children using your service; it would also apply if you should reasonably know that children use your website, e.g. if you provide social network services reasonably used by teens and adults. Moreover, you must implement an online eraser button permitting users (parents) to immediately delete their child’s personal information. Targeted advertising directed at children would be entirely banned. If you offer connected devices targeted at minors, such as toys connected to the internet of things, increased cyber security standards and information obligations apply.
The Kids Online Safety Act would apply to online platforms. Its scope is narrower than that of COPPA. Covered platforms would include, for instance, social media platforms, streaming services or video game platforms. The Act obligates platforms to act in the best interest of minors, also defined as those under the age of 16, and to mitigate harm. As such, the Act goes beyond mere data privacy rules and contains a range of different obligations to protect children online. If you come within the Act’s scope, you must, among other things, disable addictive product features, allow users to opt out of algorithmic recommendations and comply with duties to prevent and mitigate harm to minors, such as taking meaningful steps to ban content promoting self-harm, suicide or eating disorders. KOSA would be subject to similar enforcement as COPPA.
Children also enjoy a special status under European privacy law, the GDPR. If you provide an ‘information society service’, essentially the same range of services that are covered by COPPA, which is offered ‘directly to a child’, Art. 8 GDPR imposes a specific obligation upon you: if you choose consent as the lawful basis to process children’s data, consent can only be obtained from the holder of parental responsibility over the child. Importantly, this does not mean that you necessarily have to collect consent for every processing operation. If your processing operation can be based on another of the GDPR’s lawful grounds for processing, parental consent is not needed.
A complicating factor under EU data protection law is the lack of harmonisation regarding the child’s age to provide valid consent. The GDPR imposes the obligation to obtain parental consent in relation to processing of personal data of children under the age of 16. However, Member States can provide for lower age limits not lower than 13 years. Therefore, be aware if you collect consent from minors in different EU Member States. Varying age limits can apply!
Accordingly, both the US and the EU are increasingly seeking to protect minors from undue processing of their personal information online. Therefore, carefully consider whether you fall within the scope of the applicable laws and adapt your personal data processing operations accordingly. It remains to be seen whether COPPA 2.0 and KOSA will be finally adopted and signed into law.