COPPA Rewrite Released
A bipartisan pair of Senators propose to update and expand the United States (U.S.) law that protects children's online privacy.
A refresh of U.S. privacy laws for children is floated.
A Democrat and a Republican look to change perhaps one of the few areas of U.S. privacy law on which many Members can agree: privacy for children and teens. Republicans on the House Energy and Commerce Committee recently shifted their focus on online issues from their insistence that tech companies are biased against conservatives to the mental well-being of children. Whether this new focus reflects the view of other Republicans is uncertain, and it is also unclear whether Republicans think legislative and regulatory changes are the answer.
Senators Ed Markey (D-MA) and Bill Cassidy (R-LA) have reintroduced a rewrite of the federal privacy law for children. Even if this bill is not enacted or folded into broader privacy legislation, the primary enforcer of the existing privacy law may rewrite its regulations. Two years ago, the Federal Trade Commission (FTC) asked for comments “on the effectiveness of the amendments the agency made to the Children’s Online Privacy Protection Rule (COPPA Rule) in 2013 and whether additional changes are needed.”
Markey and Cassidy have introduced their rewrite of the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. 6501 et seq.) that would revamp and expand the statute that currently provides heightened privacy protection for those aged 12 and under. They would change the mental state needed for a violation (i.e. the mens rea) from actual knowledge to constructive knowledge. Hence, the operator of a website or app could be liable for COPPA violations if it knew or should have known that children and teens are using the service or product.
Markey and Cassidy also broaden COPPA by establishing a new protected class. Currently COPPA’s protections cover children 12 and under. They are proposing to add a new definition, “minor,” that covers teens who are 13, 14, and 15. Interestingly, Markey and Cassidy did not simply raise the age of a “child” to include teens of those ages.
Of course, this bill is offered at a time when Members of each chamber of Congress are trying to agree on an overarching federal privacy regime. Conceivably, if a deal were reached, Markey and Cassidy’s bill could be added, especially since it does not have a private right of action, does not preempt state laws, and rewrites an existing piece of federal law. However, there are provisions, intended to drive better security and privacy practices for devices, that companies like Apple, Microsoft, Google, and others will likely oppose.
Markey and Senator Josh Hawley (R-MO) introduced a similar bill (S.748) two years ago, but it was never acted upon. Their press release describes a bill very similar to the one Markey and Cassidy have unveiled. Last year, Markey and Senator Richard Blumenthal (D-CT) introduced the “Kids Internet Design and Safety (KIDS) Act” (S.3411).
It also bears mention that the Federal Trade Commission, the primary agency that enforces COPPA, is in the midst of revisiting COPPA regulations for the first time since Barack Obama was President. In its July 2019 request for comments, the FTC explained it is posing “its standard regulatory review questions to determine whether the Rule should be retained, eliminated, or modified” and is asking “whether the 2013 revisions to the Rule have resulted in stronger protections for children and more meaningful parental control over the collection of personal information from children, and whether the revisions have had any negative consequences.” The FTC also wanted information related to “specific questions about the existing sections of the Rule, including:
- Requirement that operators post notices of their privacy practices,
- Methods of obtaining verifiable parental consent before collecting children’s information,
- Security requirements,
- Parental right to review or delete children’s information, and
- Safe harbor provisions.”
The FTC held a workshop in October 2019 on its possible COPPA rewrite.
The bill’s core prohibition would make it unlawful “for an operator of a website, online service, online application, or mobile application directed to a child or minor, or an operator having constructive knowledge that personal information being collected is from a child or minor, to collect personal information from a child or minor in a manner that violates” the regulations the FTC must promulgate.
The bill would also redefine “disclosure” so that the existing carveout, which allows an operator to give the personal information of a child or minor to an entity that provides support for the service or website, no longer extends to targeted advertising.
As mentioned, Markey and Cassidy’s bill would lower the level of knowledge necessary for a violation from actual knowledge to constructive knowledge. Moreover, as defined in the bill, most entities that are active in the personal data and data brokering worlds would be imputed to have constructive knowledge of a child or minor’s age, subjecting the entity to COPPA’s requirements and potential punishment for violations.
What is considered “personal information” under COPPA would be expanded. The new definition would include:
- geolocation information;
- information used for biometric identification, as defined in section 70123 of title 46, United States Code, of an individual;
- information reasonably associated with or attributed to an individual;
- information (including an internet protocol address) that permits the identification of—
- an individual; or
- any device used by an individual to directly or indirectly access the internet or an online service, online application, or mobile application; or
- information concerning a child or minor or the parents of that child or minor (including any unique or substantially unique identifier, such as a customer number) that an operator collects online from the child or minor and combines with an identifier described in this paragraph (i.e. all the categories of information that are considered personal information under COPPA.)
The new definition would update COPPA and encompass a greater range of the personal information companies collect and process.
The definition of verifiable consent is revised to require free and unambiguous authorization before an operator can collect the personal information of a child or minor. The current definition merely requires authorization; it need not be free and unambiguous.
The FTC would write and issue new COPPA regulations under the normal route most agencies use (i.e. notice and comment rulemaking under the Administrative Procedure Act) instead of the more cumbersome Magnuson-Moss rulemaking procedure the FTC must normally use. Notably, the FTC would need to craft regulations to guide operators in providing “clear and conspicuous notice in clear and plain language of—
- the types of personal information the operator collects;
- how the operator uses the information;
- whether and why the operator discloses the information; and
- the procedures or mechanisms the operator uses to ensure that personal information is not collected from children or minors except in accordance with the regulations promulgated under this paragraph.”
The FTC’s regulations would also need to detail how operators may
- obtain verifiable consent for the collection, use, or disclosure of personal information of a child or minor;
- provide to a parent whose child has provided personal information to the operator, upon request by and proper identification of the parent—
- a description of the specific types of personal information collected from the child by the operator;
- the opportunity at any time to delete personal information collected from the child; and
- a means that is reasonable under the circumstances for the parent to obtain any personal information collected from the child, if such information is available to the operator at the time the parent makes the request;
The new FTC COPPA regulations must also govern how operators
- provide to a minor who has provided personal information to the operator, upon request by and proper identification of the minor—
- a description of the specific types of personal information collected from the minor by the operator;
- the opportunity at any time to delete personal information collected from the minor; and
- a means that is reasonable under the circumstances for the minor to obtain any personal information collected from the minor, if such information is available to the operator at the time the minor makes the request;
The FTC would also need to write regulations barring operators from “condition[ing] participation in a game, or use of a website, service, or application, by a child or minor on the provision by the child or minor of more personal information than is reasonably required to participate in the game or use the website, service, or application.” Additionally, the FTC’s regulations must require operators “to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children and minors.”
The FTC would have to update the new COPPA regulations every four years, but given how quickly things change online, the agency might always be chasing the new trends and failing to implement regulations to address current risks to the privacy of children and teens.
The FTC must include language in its regulations barring operators from ending service for children or teens whose parents exercise the right to have their personal data deleted, so long as the deletion does not interfere with the app or service. This provision seems likely to give rise to competing interpretations, with the YouTubes and TikToks of the world reading the “interference” exception as expansively as possible to discourage children and teens from deleting their personal data.
The bill would expand the FTC’s authority to enforce the new COPPA regime to telecommunications companies otherwise regulated by the Federal Communications Commission (FCC). However, the FTC would not gain jurisdiction over the data collection and processing practices of non-profits with respect to children and teens.
Section 4 of the “Children and Teens’ Online Privacy Protection Act” articulates new Fair Information Practice Principles (FIPP):
- Collection Limitation Principle. Companies should collect the personal information of children or minors only if appropriate to the service, product, or relationship, or if required or authorized by law.
- Data Quality Principle. “The personal information of a child or minor should be accurate, complete, and kept up-to-date to the extent necessary to fulfill” some of the purposes in the Purpose Specification Principle.
- Purpose Specification Principle. Companies must disclose the purposes of data collection to parents and minors before the personal information is collected. Moreover, any use or disclosure thereafter should only be:
- To fulfill a transaction requested by the minor or parent of the child
- In “support for the internal operations of the website, service, or application, as described in section 312.2 of title 16, Code of Federal Regulations” except for targeted advertising
- To comply with legal processes
- For those purposes the company disclosed before the parent of a child, or the minor, consented
- Retention Limitation Principle. Personal data should not be held any longer than necessary to complete the purpose for which it was collected and should be disposed of.
- Security Safeguards Principle. “The personal information of a child or minor should be protected by reasonable and appropriate security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.”
- Openness Principle. A company should be open “about developments, practices, and policies with respect to the personal information of a child or minor.” Companies should also allow parents of children and minors to contact the company, determine whether it has personal information, obtain the personal information, and challenge the accuracy of personal information and, if such a challenge prevails, to have the information deleted, completed, or corrected.
- Individual Participation Principle. A company must get consent from a minor or a parent of a child before it can use or disclose information in ways beyond those permitted under the Purpose Specification Principle.
- Racial And Socioeconomic Profiling. The personal information of a child or minor shall not be used to direct content to the child or minor, or a group of individuals similar to the child or minor, on the basis of race, socioeconomic factors, or any proxy thereof.
Section 5 introduces a “Digital Marketing Bill Of Rights For Minors” that provides a safe harbor for operators to collect the personal information of minors (but not children) if they use the new FIPP. The FTC would need to write regulations to implement these new provisions, notably “regulations further defining the FIPP.”
Section 6 makes it “unlawful for an operator of a website, online service, online application, or mobile application to use, disclose to third parties, or compile personal information of a child for purposes of targeted marketing” where a child is using the site, app, or service, the company has constructive knowledge that personal information is being collected from children, or the site, app, or service is directed to children. The same is true for minors, except that a company can lawfully engage in targeted advertising to minors if it obtains verifiable consent. The FTC would also be tasked with promulgating regulations for this section.
Section 7 would make it illegal “for an operator to make publicly available through a website, online service, online application, or mobile application content or information that contains or displays personal information of children or minors in a manner that violates” specified requirements, including having a mechanism that eliminates or erases personal information.
Section 8 borrows conceptually from the “Cyber Shield Act” (H.R.4792/S.2664) in establishing Privacy Dashboards. Markey has introduced the Cyber Shield Act over the last few Congresses; it would require the labeling of Internet of Things (IoT) devices to inform people of how secure (or not) those devices are, as a way to drive better security. The same principle underlies Privacy Dashboards. This section provides:
- A manufacturer of a connected device directed to a child or minor shall prominently display on the packaging for the connected device a standardized and easy-to-understand privacy dashboard, detailing whether, what, and how personal information of a child or minor is—
- collected from the connected device;
- transmitted from the connected device;
- retained on the connected device;
- retained by the manufacturer or affiliated person;
- used by the manufacturer or affiliated person; and
Consequently, parents and minors could determine which devices (smartphones, laptops, and tablets) offer the best privacy protecting features, including cybersecurity, control over personal information, the type of information collected, and others. The FTC would also promulgate regulations to implement this portion of the bill.
As if this were not enough for electronics manufacturers to hate, the bill would also bar anyone from selling “a connected device unless the connected device meets appropriate cybersecurity and data security standards established by the” FTC. The agency would establish such standards through regulation that will:
- create cybersecurity and data security standards for different subsets of connected devices based on the varying degrees of—
- cybersecurity and data security risk associated with each subset of connected device;
- sensitivity of information collected, stored, or transmitted by each subset of connected device; and
- functionality of each subset of connected device;
- consider incorporating, to the extent practicable, existing cybersecurity and data security standards; and
- ensure that the cybersecurity and data security standards—
- are consistent with Fair Information Practice Principles….and
- promote data minimization.
Moreover, the operators of sites, apps, and services directed to children must treat all users as children pending FTC regulations.
Two years after passage, the FTC must submit to Congress “a report on the processes of platforms that offer mobile and online applications for ensuring that, of those applications that are directed to children or minors, the applications operate in accordance with” the act, its regulations, and other statutes designed to protect the privacy of children and minors.
The bill establishes inside the FTC “a division to be known as the Youth Privacy and Marketing Division” headed by a Director to be appointed by the FTC Chair. This new division “shall be responsible for addressing, as it relates to this Act and the amendments made by this Act—
- the privacy of children and minors; and
- marketing directed at children and minors.”
Violations of the COPPA rewrite would be treated as violations of rules barring an unfair or deceptive practice, allowing the agency to seek more than $43,000 per violation even for first-time offenses. Moreover, courts would be allowed to exceed this per-violation cap if doing so is found “appropriate to deter violations of this Act and regulations prescribed under this Act.”
The FTC may approve “self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons” after a notice and comment proceeding if the agency determines such guidelines meet the requirements of these sections of the bill:
- Section 5. Digital Marketing Bill of Rights for Minors.
- Section 6. Targeted marketing to children or minors.
- Section 7. Removal of content.
- Section 8. Privacy dashboard for connected devices for children and minors.
- Section 9. Prohibition on sale of connected devices for children and minors that fail to meet appropriate cybersecurity and data security standards.
Compliance with guidelines approved by the FTC would create safe harbors for operators against violations.
Additionally, the FTC would need to draft regulations to “provide incentives for self-regulation by covered operators to implement the protections afforded children and minors, as applicable, under the regulatory requirements described” in the above listed sections. In doing so, the agency must
- establish criteria for the approval of guidelines that will ensure that a covered operator provides substantially the same or greater protections for children and minors, as applicable, as those contained in the regulations issued under the applicable section; and
- require that any report or documentation required to be submitted to the Commission by a covered operator or requesting entity will be published on the internet website of the Commission.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.