United States: Children's Privacy Law Updates: Tricks Or Treats?

It's finally here! Halloween, the day every kid dreams of for months. It's a scary time in the world of children's privacy law – what with the California Consumer Privacy Act (CCPA) lurking around the corner and the specter of FTC enforcement still lingering in the air. But this year, you've planned. You know exactly which houses offer full-size candy bars and where to go to avoid neighborhood bullies.

You approach the first house: old man COPPA. Many of the other kids are afraid of Mr. COPPA, but you know better. With updates on the horizon, there's never been a better time to visit.

The FTC's Workshop on the Future of COPPA

On October 7, the Federal Trade Commission (FTC) hosted a workshop to discuss updates to the regulations promulgated under the Children's Online Privacy Protection Act (COPPA). Broadly speaking, the FTC's COPPA Rule requires that web services, including mobile apps, provide notice and obtain parental consent to collect, use, or disclose personal information from children under age 13.

Trick: Complying with COPPA is More Challenging than Ever

Panelists spent the day debating a number of issues, including methods for obtaining parental consent, how to determine whether a service is "directed towards children", and what level of knowledge of a user's age is necessary to bring a service within COPPA's scope. App developers voiced frustration over the cost of building COPPA-compliant apps, indicating that this difficulty creates financial incentives to build general-audience apps rather than apps that might be useful to children. Website operators voiced opposition to the idea of mandatory audience assessments to determine whether a general audience website might in fact be considered a child-directed website, while children's privacy advocates balked at the idea that service providers could be in the dark about the fact that their website users are children.

Treat: We All Agree Children's Privacy is Important, and Playing Nice Goes Far

If you focus only on the above takeaways from the workshop, it is easy to miss a clear consensus: every party involved recognizes the importance of children's privacy. Complying with COPPA may not be easy, but the FTC knows that and is soliciting comments on the future of COPPA. With three years before a revised COPPA Rule is due, the FTC has the time to get it right. In the interim, it is never too late to analyze your website or app for COPPA issues and begin implementing changes to become compliant.

Especially considering that the second house on your trick-or-treat itinerary is even scarier than the first: the home of FTC enforcement actions. Ever since YouTube settled for $175 million in September, the neighborhood kids have kept their distance. But you understand the rules and know the fear is unwarranted.

Recent FTC COPPA Enforcement Actions

In September, the FTC announced a $175 million settlement with YouTube for allegedly collecting personal information from children under 13 without parental consent. This was the FTC's largest COPPA settlement to date; the previous record ($5.7 million) was set back in February.

Trick: COPPA Enforcement Seems to be Heating Up

With two record-breaking settlements in the same year, and FTC Commissioner Rebecca Kelly Slaughter reminding everyone that "states' attorneys general remain empowered by COPPA to take action," it's easy to get spooked. YouTube caters to users of all ages – it's certainly not just a kids' website. If it happened to YouTube, what will stop it from happening to you?

Treat: Enforcement Against Major Players Yields Guidance for All

FTC enforcement actions may appear scary, but they offer lessons to everyone on the block. Each settlement provides additional insight into the FTC's enforcement priorities. For example:

• The FTC alleged that YouTube offered countless channels that were in fact directed to children, thereby subjecting the service to COPPA compliance requirements. Accordingly, if your website appeals to all ages, arguably including children under age 13, it may be time to reconsider whether the FTC might find your website (or part of it) to be child-directed.

• Even if your website or service is not deemed to be directed to children, you may still have obligations under the COPPA Rule if you are determined to have "actual knowledge" that you are collecting, using, or disclosing personal information from children under 13. The FTC pays attention to more than just website marketing; it also takes into consideration what companies say directly to clients about their children's personal information practices, and what they know about others' perceptions of their practices.

If you are debating whether parental consent is worth the cost, consider that the final stop on your route may impose parental consent requirements on virtually everyone. Your new neighbor, the CCPA, may be a tad unpredictable, but a careful approach and well-executed costume should keep you in the clear.

CCPA Consent Requirement for Marketing to Minors

The CCPA, which officially takes effect January 1, 2020, will offer several new EU-style data protection rights to California consumers. One of the rights created by the CCPA is the right to stop a business from selling your personal information. It is important to note that the CCPA defines "sell" very broadly, such that "making available" personal information to a third party could be considered a "sale" in many contexts.

Trick: The CCPA Requires Burdensome Consent Mechanisms for Minors

Although this "do not sell" right will function as an opt-out for Californians who are at least 16 years old, for those under 16 the CCPA creates an opt-in regime. Under the CCPA, businesses can only sell children's personal information if the business obtains the child's affirmative consent to such sale (for 13-15 year-olds), or if a parent or guardian opts in to the sale for those under 13.

Complying with this opt-in right may be quite a burden for certain companies, particularly in the online advertising context. Businesses may need to screen users for age and establish official policies and mechanisms for processing and recording compliant opt-ins.

Treat: Existing Laws Offer a Roadmap for Compliance

Fortunately, requiring an opt-in for certain data uses is not a brand new concept. For example, the Telephone Consumer Protection Act (TCPA) obligates companies to obtain express written consent to send marketing text messages, and a few state laws require consent prior to collecting biometric identifiers. And abroad, opt-in consent often is the norm. If your business is compliant with the EU's General Data Protection Regulation (GDPR), the TCPA, COPPA, or even the Canadian Anti-Spam Law, it may simply be a matter of extending processes you already have in place to cover a different set of consumers. COPPA has required verifiable parental consent for years, so this is not entirely new ground. The CCPA may be haunting lawyers across the country, but becoming compliant with the children's privacy provisions may not be as scary as it seems.

Bucket full of treats in hand, you head home – in-house, one might say. This Halloween haul may be even more bountiful than last year's, but if you're still spooked by the CCPA or COPPA compliance issues, contact BakerHostetler today for assistance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.