The Federal Trade Commission (“FTC”) is currently accepting public comments on the Children’s Online Privacy Protection Act (“COPPA”) as part of their review process for a pending proactive legislative update.[1] COPPA is not due for review until 2023 but because of the “rapid technological changes that impact the online children’s marketplace” the FTC believes it is imperative to reevaluate COPPA’s protections now.[2] Although decades old, COPPA has increasingly made headlines, most recently as part of the FTC’s settlement with YouTube and their parent company, Google, for a $170 million fine—the largest COPPA fine ever levied—for alleged violations of the legislation.[3] Online children’s content creators, app developers, and marketers are nervous that enhancing protections under the law will negatively impact their business, particularly an advertising impact.[4] The collection and sale of personal information can affect advertising revenue because contextual advertising that is not unique to a user earns 60% to 90% less than behavioral advertising that requires the collection and generally a transaction of personal information.[5] However, COPPA is no longer the only privacy legislation concerning the collection of children’s personal information online. The first provisions of the California Consumer Privacy Act (“CCPA”) go into effect January 1, 2020 as the first US privacy law to meet the modern international trend of increasing privacy protections.[6] The CCPA was passed in 2018 and has already served as model to Nevada’s updated privacy law that went into effect October 1, 2019.[7] But as a state law, how will CCPA interact with existing federal legislation concerning children? The CCPA applies to out-of-state merchants who do business with Californians or have a website available in the state.[8] Since California is the world’s fifth largest economy, “rather than create separate systems…companies will just apply the CCPA nationwide—especially in light of larger societal trends in favor of privacy,” so consumers on a national level may be exposed to tighter privacy practices online.[9]
The bulk of the CCPA focuses on the majority consumer with only one provision tailored to minors.[10] Even with limited dedicated legislative text, California children are afforded added measures of an opt-in requirement for the sale of personal information, extending the age of protected children from under thirteen to children under sixteen, and stripping away the actual knowledge requirement set forth in COPPA as it pertains to the sale of a child’s personal information.[11]
Section 1798.129(d) of the CCPA acts as an extension of COPPA.[12] COPPA prohibits the release of personal information, including the “sharing, selling, renting, or transfer of personal information to any third party” for children under the age of thirteen.[13] Under the CCPA, businesses shall not sell personal information for children ages thirteen to sixteen, in addition to children under thirteen.[14] COPPA and CCPA both provide a parent or guardian’s consent may authorize the sale of personal information for children under thirteen.[15] However, the CCPA allows the children ages thirteen to sixteen to provide their own consent, not requiring permission of their parent or guardian, for the sale of their personal information.[16] COPPA does not require any form of consent for the sale of personal information of children ages thirteen to sixteen.
COPPA establishes requirements for consent where the CCPA is vague. The CCPA just says for California consumers under thirteen, a parent or guardian, or a thirteen- to sixteen-year-old must “affirmatively authorize[ ] the sale of the consumer’s personal information.”[17] This is why the children’s provision of the CCPA is referred to as an opt-in law, because the appropriate person must opt in to approve the sale of a child’s personal information.[18] There is no definition of “affirmatively authorized” in the CCPA.[19] COPPA, on the other hand, requires “verifiable parental consent” before any personal information can be collected for a child under 13.[20] COPPA provides several acceptable methods for obtaining such consent including having the parent mail in a consent form, requiring the parent to use a credit card in connection with a monetary transaction, having the parent call a toll-free telephone number staffed by trained personnel, or checking a government-issued identification card.[21] A failed CCPA amendment provided similar requirements for parental consent for children under 13 on online social media platforms but did not get enough votes for the governor’s signature.[22] California Attorney General Xavier Becerra proposed methods included in COPPA and additional mechanisms to verify parental consent in the CCPA draft regulations pending approval.[23] The proposed CCPA regulations also include a definition of “affirmative authorization.”[24] Even if the regulations pass as proposed, the earliest effective date would be April. 1, 2020, three months after the CCPA becomes effective.[25] Failing to adopt standardized methods of procedure and providing a definition of affirmative authorization could set a low bar for CCPA consent concerning the sale of children’s personal information. The lack of clarity could result in an additional checkbox tacked onto the existing COPPA consent without need to verify the party checking the box is the proper consenting party which could forfeit the intended protections of the legislation.
It should be noted that affirmative authorization and verifiable parental consent are not necessarily the same because the latter is required before any personal information can be collected, and the former is required before any personal information can be sold. Additionally, the CCPA does not indicate whether a parent or guardian Californian consumer can give their affirmative authorization for sale of a child’s personal information simultaneously with the verifiable parental consent required under COPPA or whether such consent must be a separate transaction.
One of the biggest differences between COPPA and the CCPA is whether the intended target of a business is a child. Per the CCPA, “[a] business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age [emphasis added].”[26] In other words, the CCPA imputes liability onto businesses that intentionally avoid gaining actual knowledge of a consumer’s age. This means under the CCPA, it doesn’t matter if a business intended to target children, the business just needs to have actual knowledge of a consumer’s age to be prohibited from selling the child’s personal information. COPPA, however, requires a website or online service to target children, or the site will be deemed to target children if the operator has actual knowledge they are collecting personal information of a user under 13.[27] This could make a difference for future claims of the unlawful sale of a child’s personal information. Where, under federal law, a business may not target their website at children nor have actual knowledge that they are collecting personal information of a child under 13, if they were acting in willful disregard of the consumer’s age, under California law, the business would be deemed to have actual knowledge of the child’s age. COPPA would not provide protection where CCPA would. In such a circumstance, a claim could proceed under CCPA but would fail under COPPA.
Ultimately, the CCPA is just the first raindrop in a thunderstorm of privacy legislation brewing in the United States. Twenty seven other states including Massachusetts, New York, New Jersey, Hawaii, and Washington have major privacy laws pending, some of which are broader than CCPA.[28] National legislation has also been introduced which could preempt all state laws but create uniformity for compliance in online data collection making it easier for consumers and businesses to understand what is permitted and prohibited use of personal information.[29] In the meantime, COPPA will likely see a facelift before a comprehensive national privacy legislation is passed, and come January 1, 2020 it will co-exist with CCPA as a companion legislation that in part also seeks to enhance the online privacy protection of children.[30]
Katie
Riley is a Second Year Law Student at the Benjamin N. Cardozo School of Law and
a Staff Editor at the Cardozo Arts & Entertainment Law Journal. Katie also
serves as a Senator on the Student Bar Association.
[1] Fed. Trade Comm’n, FTC Extends Deadline for Comments on COPPA Rule Until December 9, Fed. Trade Comm’n (Oct. 17, 2019) https://www.ftc.gov/news-events/press-releases/2019/10/ftc-extends-deadline-comments-coppa-rule-until-december-9.
[2] Id.
[3] Natasha Singer & Kate Conger, Google Is Fined $170 Million for Violating Children’s Privacy on YouTube, New York Times (Sept. 4, 2019) https://www.nytimes.com/2019/09/04/technology/google-youtube-fine-ftc.html.
[4] Julia Alexander, YouTubers say kids’ content changes could ruin careers, The Verge (Sept. 5, 2019, 10:58 AM) https://www.theverge.com/2019/9/5/20849752/youtube-creators-ftc-fine-settlement-family-friendly-content-gaming-minecraft-roblox.
[5] Jonathan Katz & Victoria Fener, Is a YouTube COPPAcalypse Coming? FTC Rules Could Start Demonetizing Creators In 2020, tubefilter (Nov. 5, 2019) https://www.tubefilter.com/2019/11/05/youtube-coppa-adpocalypse-ftc-rules-demonetizing-child-directed/.
[6] Jeff John Roberts, America’s First Privacy Law: What it Means for Businesses and Consumers, Fortune (Sept. 13, 2019) https://fortune.com/2019/09/13/what-is-ccpa-compliance-california-data-privacy-law/.
[7] Ropes & Gray LLP, New State Bills Inspired by the California Consumer Privacy Act May Re-appear Next Year, JD Supra (Nov. 7, 2019) https://www.jdsupra.com/legalnews/new-state-bills-inspired-by-the-70300/.
[8] See Roberts, supra note 6.
[9] See Roberts, supra note 6.
[10] See Cal. Civ. Code § 1789.120(d).
[11] See Cal. Civ. Code § 1789.120(d).
[12] Elana Safner, Analysis of Attorney General Regulations to CCPA Part 4: Special Rules Regarding Minors, The National Law Review (Oct. 21, 2019) https://www.natlawreview.com/article/analysis-attorney-general-regulations-to-ccpa-part-4-special-rules-regarding-minors.
[13] 16 C.F.R. §312.2.
[14] See Cal. Civ. Code § 1789.120(d).
[15] See 16 CFR § 312.5; Cal. Civ. Code § 1789.120(d).
[16] See Cal. Civ. Code § 1789.120(d).
[17] Cal. Civ. Code § 1789.120(d).
[18] Allison Schiff, Everything You Need to Know About CCPA—For Now, ad exchanger (Sept. 16, 2019) https://adexchanger.com/privacy/everything-you-need-to-know-about-ccpa-for-now/#close-olyticsmodal.
[19] See Cal Civ. Code § 1789.140 (providing definitions of terms for the purpose of the bill).
[20] 16 C.F.R. § 312.5.
[21] 16 C.F.R. § 312.5(b).
[22] Cal. AB-1138 Social Media: The Parent’s Accountability and Child Protection Act (2019-2010).
[23] See Schiff, supra note 18.
[24] Attorney General Xavier Becerra, California Consumer Privacy Act Regulations Proposed Text of Regulations, Office of the Att’y Gen. of Cal. (Oct. 10, 2019) https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf (“Affirmative authorization” means an action that demonstrates the intentional decision by the consumer to opt-in to the sale of personal information. Within the context of a parent or guardian acting on behalf of a child under 13, it means that the parent or guardian has provided consent to the sale of the child’s personal information in accordance with the methods set forth in section 999.330. For consumers 13 years and older, it is demonstrated through a two-step process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.).
[25] Alysa Zeltzer Hutnik et al, CCPA Draft Regulations: What to Know About Timing and Process, Ad Law Access (Oct. 23, 2019) https://www.adlawaccess.com/2019/10/articles/ccpa-draft-regulations-what-to-know-about-timing-and-process/.
[26] Cal. Civ. Code § 1789.120(d).
[27] 16 C.F.R. § 312.3.
[28] George. P. Slefo, Bracing for Sweeping New Data Privacy Law, AdAge (Oct. 14, 2019) https://adage.com/article/news/how-brands-are-preparing-californias-privacy-act-becomes-reality-2020/2205586.
[29] Makena Kelly, Democrats propose new federal agency to fight back against tech privacy scandals, The Verge (Nov. 5, 2019) https://www.theverge.com/2019/11/5/20950171/democrat-privacy-bill-data-agency-dpa-eshoo-lofgren.
[30] See Safner, supra note 12.