
Overview of New York’s Child Data Protection Act

In June 2024, New York Governor Kathy Hochul signed the New York Child Data Protection Act (Act) into law, which will go into effect on June 20, 2025. Per the Act’s justification, “[c]hildren now live much of their lives online,” including learning, socializing, and shopping. They also “make mistakes online, and they discover who they are online,” and, accordingly, they should be able to do so without the “concern of omnipresent monitoring and recording.” The Act enables this through two major provisions:
  1. if a digital service knows a user is a minor (or if the service is primarily directed to minors), it will “default to only being able to use that child’s data in a way that is strictly necessary to provide the service;” and
  2. digital services using third-party service providers must “contractually restrict those third parties from using the personal data of minors except for specified purposes” and include additional safeguards to help ensure compliance.
The Office of the New York State Attorney General has also released Implementation Guidance to clarify key questions raised in the rulemaking process.

Scope & Applicability

This Act applies only to conduct occurring in the state of New York. This means that commercial conduct that takes place outside of New York is not covered by the Act if: 1) the user was outside of the state, or 2) no data collected while the user was in the state was used.
  • Covered Users. The Act imposes restrictions on processing information of “covered users.” This includes users of websites, online services, or connected devices (the “Websites”) who are: 1) actually known by the operator to be a minor (under 18), or 2) using Websites primarily directed to minors.
  • Operator. An operator is defined as any person who offers Websites, who alone – or jointly with others – controls the purposes and means of processing personal data. Notably, one who acts as both a controller and processor shall comply with obligations for both roles, depending on the purposes and means of processing personal data.
  • Personal data. This definition includes any data that identifies or could be reasonably linked, directly or indirectly, with a specific natural person or device.

Substantive Provisions

Processing Restrictions. The Act provides that, among other things, an operator shall not process the personal data of a covered user collected through the Websites, unless one of the following applies:
  1. the user is 12 or younger, and processing is permitted under COPPA;
  2. the user is 13 or older and the processing is “strictly necessary”; or
  3. the user is 13 or older and the processor has received informed consent.
Strictly Necessary Processing. The term “strictly necessary” includes, among other things, processing that is required to:
  • Provide or maintain a specific product or service requested by the covered user;
  • Conduct the operator’s internal business operations (excluding those that relate to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the Websites when they are not in use); and
  • Identify and repair technical errors that impair functionality.
According to the Implementation Guidance, whether processing is “strictly necessary” to provide a product or service requested by a covered user depends on the “expectations of a reasonable covered user,” similar to the guidance provided under the CCPA regulations. The Guidance also clarifies that business operations “shall not include any activities relating to marketing, advertising, research and development, [or] providing products or services to third parties.”

Informed Consent. If the information being processed is not “strictly necessary,” the operator will need informed consent, through either: 1) a device communication or signal, or 2) an informed consent request. A request for informed consent should, among other things:
  1. be made separately from any part of the transaction.
  2. clearly and conspicuously state that the processing is not strictly necessary, and consent is not mandatory to continue using the Websites.
  3. clearly present an option to refuse to provide consent as the most prominent option.
Additionally, the user should be able to revoke consent at any time as easily as they provided it.

Enforcement

The New York Attorney General may bring an action or special proceeding to enjoin any violation of this Act, and to obtain civil penalties of up to $5,000 per violation. Further, the Act gives the New York Attorney General authority to issue rules and regulations as necessary, and according to the Implementation Guidance, the Office of the Attorney General intends to issue these rules. The Implementation Guidance also states that, until such rules are finalized, the Office of the Attorney General will exercise discretion in pursuing enforcement actions, taking good-faith compliance efforts of covered businesses into account.

Effective Date

The Act goes into effect on June 20, 2025.

FTC finalizes changes to COPPA Rule, expands online protections for children

On January 16, 2025, the Federal Trade Commission (FTC) announced that it had finalized changes to the Children’s Online Privacy Protection Act (COPPA) Rule to strengthen key protections for children’s online privacy and impose new requirements around the collection, use, and disclosure of children’s personal information.

What led to this update?

In 1998, Congress enacted the COPPA statute, which directed the FTC to promulgate regulations implementing COPPA’s requirements. In 1999, the FTC issued the COPPA Rule, a set of implementing regulations that became effective in 2000 and set a new standard for children’s online privacy. The COPPA statute requires the FTC to initiate a review of the COPPA Rule no later than five years after the initial Rule’s effective date, so in 2005, the FTC initiated this review and determined that no changes were necessary. In 2010, the FTC once again undertook a review of the COPPA Rule and, in 2013, issued the first amendments to the Rule. These amendments revised the COPPA Rule to address changes in the way children used and accessed the Internet, including through the increased use of mobile devices and social media. In 2019, the FTC again announced that it was undertaking a review of the COPPA Rule, and the FTC held a public workshop in October of 2019 to discuss specific areas of concern. In response to the proposed review and associated workshop, the FTC received over 175,000 public comments. Five years later, in 2024, the FTC finally announced its proposed changes to the COPPA Rule, which it declared would clarify the scope of the Rule and increase protections for children’s privacy. Now, a year after announcing the proposed changes, the FTC released the final rule, which was, prior to the Trump administration’s regulatory freeze, expected to go into effect 60 days after publication in the Federal Register.

What does the updated COPPA Rule change?

The final rule amends the COPPA Rule by changing several key definitions, including the definition of personal information, and adding new obligations for how children’s data can be handled, used, and retained. The final rule also modifies the requirements that must be satisfied to participate in the COPPA Safe Harbor program. These changes include, but are not limited to:
  • Expanded definition of “personal information”
The updated COPPA Rule expands the existing definition of “personal information” to include government-issued identifiers (e.g., Social Security, state IDs, birth certificates, and passports) and biometric identifiers that can be used for the automated or semi-automated recognition of an individual (e.g., fingerprints, handprints, retina patterns, iris patterns, genetic data, voiceprints, gait patterns, facial templates, faceprints).
  • New definition for “mixed audience website or online service”
The updated COPPA Rule adds a new definition for a “mixed audience website or online service,” which is a website or online service directed to children but does not target children as its primary audience, and, other than for a few limited exceptions, does not collect personal information from any visitor prior to either collecting age information or using another means to reasonably calculate whether the visitor is a child. The law imposes certain obligations on these mixed audience websites or online services.
  • Clarifying data minimization and retention requirements
The updated COPPA Rule requires covered entities to develop and maintain a written document retention policy and post the policy in an online privacy notice. In addition, the updated Rule requires covered entities to only collect and retain personal information for “specific” purposes—meaning, covered entities should not retain personal information indefinitely and should delete the information when it is no longer required.
  • Requiring a written information security program
Under the updated COPPA Rule, the FTC modified the existing security requirements for covered entities to include creating and implementing a written information security program. The program should be appropriate for the entity’s size, complexity, and nature and scope of activities, and take into account the sensitivity of the personal information collected by the entity.
  • Modifying COPPA’s Safe Harbor programs
To enhance the oversight and transparency of COPPA-approved Safe Harbor programs, the updated COPPA Rule requires the Safe Harbor programs to conduct an annual assessment of their members’ compliance and, among other requirements, maintain and submit to the FTC records of complaints about, and disciplinary actions against, Safe Harbor program members.

Does the Trump administration’s regulatory freeze affect the updated COPPA Rule?

Yes, the Trump administration’s regulatory freeze issued on January 20, 2025, casts some uncertainty on the future of the updated COPPA Rule. Under the regulatory freeze, regulations not yet published in the Federal Register as of President Trump taking office—which includes the updated COPPA Rule—must be reviewed and approved before taking effect. Andrew Ferguson, who is now the FTC Chair, had voted to approve the updated COPPA Rule while the FTC was still under Chair Lina Khan, during the Biden administration. However, while Ferguson voted approvingly of the updated Rule, he wrote a concurring statement indicating that he nonetheless believed the COPPA Rule could be improved in various ways. Given his concurring statement, Chair Ferguson may delay publication of the updated COPPA Rule to address these proposed improvements.

Hoyoverse, developer of Genshin Impact, to pay $20 million to settle FTC complaint

On January 17, the Federal Trade Commission (FTC) announced a proposed settlement with Cognosphere Pte. Ltd and its subsidiary Cognosphere, LLC, doing business as Hoyoverse, developer of gacha video games such as Genshin Impact and Zenless Zone Zero, over allegations that Hoyoverse’s loot boxes and children’s data collection practices violated various federal laws.

What is a gacha video game?

Generally, a “gacha” video game is one that can be downloaded and played for free but is monetized by selling in-game currency that can be spent on chance-based rewards, which the FTC refers to as “loot boxes.” The loot box rewards range from playable characters to cosmetics to equipment for specific characters, but the reward a player receives is based on chance (e.g., one percent chance to receive X reward), and which reward a player received is revealed only after the player has paid to open the loot box. In games such as Genshin Impact, certain rewards are often featured and available for limited periods of time. For example, if a new character is introduced into the game, the character is typically only available as a rare loot box reward for, say, three weeks. The character is not available for direct purchase, and if the player misses the character as a reward, a rerun of the character as a loot box reward may not happen for months or even years. According to the FTC, this causes players to “purchase dozens of loot boxes, at the cost of hundreds of dollars,” to obtain the featured characters within the limited availability time frame.

What did Hoyoverse allegedly do?

According to the FTC’s complaint, Hoyoverse violated the FTC Act by misrepresenting the odds and cost of their loot boxes and violated the Children’s Online Privacy Protection Act (COPPA) by failing to provide notice to and collect sufficient consent for children younger than 13 years old.
  • The FTC Act
The FTC claims that Hoyoverse violated the FTC Act by making false or misleading representations in advertisements, marketing, and promotions about the odds of obtaining a particular reward in a loot box. For example, Hoyoverse’s social media ads claimed that certain rewards would have a “huge drop-rate boost,” when in reality, the purported “boost” in odds referred to a featured prize being available to obtain “at all” during the limited availability period, “while the underlying odds of obtaining the featured prize remain[ed] the same.” So, the odds for the reward essentially went from zero percent to the standard percent for the given reward tier (e.g., 5-star rewards may be one percent). The FTC further claims that Hoyoverse’s loot box system constitutes an unfair act or practice, because purchasing a loot box requires the player to navigate a “complex and confusing multi-tier virtual currency exchange system.” This system typically requires the player – including children and teenagers, according to the FTC – to purchase in-game currency with actual money and transform that in-game currency into other in-game currency, sometimes multiple times, before being able to purchase a loot box. This multi-tier virtual currency system poses an increased risk for children and teenagers, “whose executive function skills are not yet fully developed” and who therefore are “particularly susceptible” to the system’s monetization and pressure to spend money on virtual currency. As such, because children and teenagers can purchase virtual currency in the multi-tier system without first obtaining parental consent to such purchases, the FTC alleged that the system, in the context of children and teenagers, violated the FTC Act as an unfair act or practice.
  • COPPA
According to the FTC, Hoyoverse’s Genshin Impact is covered by COPPA because it is an online service directed to children, and Hoyoverse had actual knowledge that it collected personal information from children under the age of 13. The FTC alleged that Genshin Impact is directed to children under 13 because, in part, the game features subject matter, visual content, animated characters, and activities that are directed to children. For example, the gameplay and subject matter revolve around exploring, role-playing and collecting a team of heroes, and “engaging in fantasy combat with no blood or gore,” which the FTC claimed are all mechanics like those in other games “popular with children.” And Genshin Impact’s use of anime-style cartoon graphics and colorful animation, according to the FTC, further emphasizes the game’s appeal to children. In particular, Hoyoverse’s use of child-like characters such as Paimon and Klee in promotional materials (e.g., the game’s icon in app stores) serves as evidence of the game’s appeal to children. Despite the applicability of COPPA to Genshin Impact, Hoyoverse failed to satisfy COPPA’s requirements. Specifically, the FTC alleged that Hoyoverse violated COPPA by:
  1. Failing to provide notice on their website or in Genshin Impact of the information collected from children, how they used that information, and to whom they disclosed the information;
  2. Failing to provide the above information directly to parents; and,
  3. Failing to obtain consent from parents before collecting personal information from children.
In addition, because violations of COPPA can constitute an unfair or deceptive act or practice under the FTC Act, the FTC also included such a violation amongst their COPPA-related allegations.

What does the $20 million settlement obligate Hoyoverse to do?

To settle the FTC’s claims against Hoyoverse, Hoyoverse entered into a proposed settlement order, which will require Hoyoverse to pay a $20 million fine and make changes to address the allegations in the complaint. Hoyoverse will be:
  • Prohibited from allowing children under 16 to purchase loot boxes in Genshin Impact or other Hoyoverse video games without a parent’s affirmative express consent;
  • Prohibited from selling loot boxes using virtual currency without providing an option for consumers to purchase loot boxes directly with real money;
  • Prohibited from misrepresenting loot box odds, prices, and features;
  • Required to disclose loot box odds and exchange rates for multi-tiered virtual currency;
  • Required to delete any personal data previously collected from children under 13 unless they obtain parental consent to retain such data; and,
  • Required to comply with COPPA, including its notice and consent requirements.
Key takeaways?

While much of the FTC’s complaint and proposed settlement order references loot boxes in the alleged violations, the FTC’s allegations are more focused on how Hoyoverse promoted and operated its loot box system and to whom it was selling loot boxes. First, if a video game company seeks to monetize its game using loot boxes, the company should consider whether its advertising and promotional material obscures or otherwise inaccurately details the odds of winning a particular reward. For example, there is greater risk in saying a particular reward is “boosted” or its odds are “increased” when the odds are going from zero percent to the usual percentage rate for a given reward rarity. Second, if a video game uses anime-style graphics, child-like characters, and no blood or gore, the video game should consider satisfying COPPA’s obligations, which may include informing children and parents about the game’s information practices and collecting consent from parents to collect such information. Lastly, if the game sells loot boxes to children under 13 and teenagers under 16, the game may need to satisfy a parental consent requirement before allowing either the children or teenagers to purchase virtual currency or loot boxes.

What Is Happening in Children’s Online Privacy?

Children’s online privacy has always been an important topic, but a number of recent developments around the world have many businesses taking it more seriously. In September, Google agreed to pay a record $170 million fine to the U.S. Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally collecting personal information from children without parental consent and using it to profit through targeted ads. A few weeks later, China’s own version of COPPA, the “Measures on Online Protection of Children’s Personal Data,” came into force, providing further clarity on protecting children’s personal data online under China’s Cyber Security Law. On October 7, the FTC hosted a public workshop to explore whether to update COPPA, which is over 20 years old and in need of a refresh due to the emergence of new technologies. (Just think of all those smart devices, social media platforms, and educational apps and technologies that were not around in 1998.) Finally, the California Attorney General recently released proposed regulations to the California Consumer Protection Act, which goes into effect in January 2020, that would require a business that knowingly collects the personal information of children under the age of 13 to establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.

Many children start using the Internet at an early age, raising privacy issues distinct from those for adults. First, children may not understand what data is being collected about them and how it is used. Second, children can easily fall victim to criminal behavior online by providing seemingly innocuous information to web users who can appropriate such information for malicious purposes. Third, children cannot give the same meaningful consent to data collection and use activities as an adult. 

In the U.S., Congress passed COPPA in 1998 to protect children’s use of the Internet—particularly websites and services targeted toward children. COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires affirmative consent by parents prior to collection of personal information for children under the age of 13. Recognizing that teenagers between the ages of 13 and 18 are not protected under COPPA, many individual states have made efforts to address privacy issues for this age group.

Recognizing the need to update COPPA to keep up with the times, the FTC considered the following topics at the October workshop, among others:


The FTC Ramps Up Privacy Enforcement

Following increased congressional scrutiny over its data privacy enforcement practices in 2018, the FTC has ramped up its enforcement actions in recent months, giving some real bite to current federal privacy laws:

  • On February 27, 2019, the FTC filed a complaint against the operators of lip-syncing app Musical.ly (now known as TikTok) for failing to seek parental consent before collecting the personal information of users under the age of 13. In response to the FTC’s complaint, TikTok agreed to pay a $5.7 million settlement to the agency, marking the largest-ever COPPA fine in US history.
  • Throughout March, the FTC obtained settlements against four separate robocall operations: NetDotSolutions, Higher Goals Marketing, Veterans of America, and Pointbreak Media. These cases charged these separate entities with violations of the FTC Act (unfair and deceptive trade practices) and the agency’s Telemarketing Sales Rule (TSR), including its Do Not Call (DNC) provisions.
  • On March 26, 2019, the FTC announced a broad inquiry into the data collection practices of broadband companies under Section (b) of the FTC Act. The agency issued orders to AT&T Inc., AT&T Mobility LLC, Comcast Cable Communications doing business as Xfinity, Google Fiber Inc., T-Mobile US Inc., Verizon Communications Inc., and Cellco Partnership doing business as Verizon Wireless, seeking information about the collection, retention, and sharing of personal information. The FTC investigation highlights recent consumer concerns about data privacy and tracking by ISPs, following high-profile acquisitions of content providers like AOL, Yahoo, and DirecTV. We are watching closely, as this may be the start of one of the first joint privacy-antitrust enforcement actions by the FTC.

These enforcement actions highlight the FTC’s role as the de facto data protection authority for the United States. Yet, the FTC’s mandate extends far beyond data privacy, and includes regulatory authority over false advertising claims, anticompetitive behavior, and merger review. While Congress continues to debate the passage of a federal bipartisan privacy bill, it behooves them to keep in mind the current staff and funding limitations of the FTC in any proposed drafts.