
What Is Happening in Children’s Online Privacy?

Children’s online privacy has always been an important topic, but a number of recent developments around the world have many businesses taking it more seriously. In September, Google agreed to pay a record $170 million fine to the U.S. Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally collecting personal information from children without parental consent and using it to profit through targeted ads. A few weeks later, China’s own version of COPPA, called the “Measures on Online Protection of Children’s Personal Data,” came into force, providing further clarity on protecting children’s personal data online under China’s Cyber Security Law. On October 7, the FTC hosted a public workshop to explore whether to update COPPA, which is over 20 years old and in need of a refresh due to the emergence of new technologies. (Just think of all those smart devices, social media platforms and educational apps and technologies that were not around in 1998.) Finally, the California Attorney General recently released proposed regulations to the California Consumer Protection Act, which goes into effect in January 2020, that would require a business that knowingly collects the personal information of children under the age of 13 to establish, document and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.

Many children start using the Internet at an early age, raising privacy issues distinct from those for adults. First, children may not understand what data is being collected about them and how it is used. Second, children can easily fall victim to criminal behavior online by providing seemingly innocuous information to web users who can appropriate such information for malicious purposes. Third, children cannot give the same meaningful consent to data collection and use activities as an adult. 

In the U.S., Congress passed COPPA in 1998 to protect children’s use of the Internet—particularly websites and services targeted toward children. COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires affirmative consent by parents prior to collection of personal information for children under the age of 13. Recognizing that teenagers between the ages of 13 and 18 are not protected under COPPA, many individual states have made efforts to address privacy issues for this age group.

Recognizing the need to update COPPA to keep up with the times, the FTC considered the following topics at the October workshop, among others:

  • How the development of new technologies, the evolving nature of privacy harms, and changes in the way parents and children use websites and online services, affect children’s privacy today;
  • Whether COPPA should permit general audience platforms to rebut the presumption that all users of child-directed content are children, and if so, under what circumstances;
  • Whether COPPA should be amended to better address websites and online services that do not include traditionally child-oriented activities, but that have large numbers of child users.

It remains unclear how these issues and others will be resolved. Eager to tap into the new revenue streams that children represent, many tech companies will try to carve out exceptions to COPPA—openly or not. On the other side, child advocates and politicians such as Senator Edward Markey, one of the original authors of COPPA, are pushing back and even trying to tighten restrictions related to children’s online privacy. 

Sometimes the issues are not so black and white. For instance, many well-intentioned companies—tech and otherwise—that have no interest in marketing to children might still be unable to verify the age of users that visit their websites, resulting in inadvertent marketing to minors. Even those that attempt to verify the age of users may face challenges, given the thousands of websites dedicated to helping users bypass age gates and parental controls. Finally, some age verification techniques may run counter to data minimization and privacy concerns, e.g., the collection of credit card data to verify age when it is not necessary for the provision of the service.

Regardless of what happens with COPPA at the FTC and with new privacy laws that are springing up across the world, companies will need to be extra-cautious about how they approach children’s online privacy—continually reviewing their practices and policies to ensure that they are not running afoul of the multitude of laws and regulations out there. Those that fail to do so run the risk of becoming subject to both regulatory and legal action.