With newly proposed legislation, the House has joined the Senate in introducing bipartisan legislation making changes to the Children’s Online Privacy Protection Act (COPPA). This pending legislation, when combined with the Federal Trade Commission’s (FTC) ongoing COPPA review and workshop, foreshadows expanded COPPA protections, especially for teenagers between 13 and 15 years of age.
In the Senate: In March 2019, Senators Edward Markey (D-Mass.) and Joshua Hawley (R- Mo.) introduced a new bill, COPPA 2.0. COPPA 2.0’s core changes include banning the use of targeted advertising to users under 13, requiring personal (but not parental) consent before the collection of personal information from users aged 13 to 15 (“minors”), requiring connected devices and toys directed toward children to meet certain cybersecurity standards and include privacy policy disclosure on their packaging, and requiring services to offer an “eraser button” to permit minors to eliminate their personal information submitted online. COPPA 2.0 also creates a “Digital Marketing Bill of Rights for Minors” and a Youth Privacy and Marketing Division at the FTC.
In the House: In January 2020, Representatives Bobby Rush (D-Ill.) and Timothy Walberg (R-Mich.) introduced the PROTECT Kids Act. That proposal extends existing COPPA consent requirements to all users under age 16, specifically adds definitions for “precise geolocation information” and “biometric information” as types of regulated personal information, strengthens a nondiscrimination provision applicable when parents delete personal information about their child, and directs the FTC to conduct a study on the actual knowledge standard found in COPPA and develop recommendations on whether changes need to be made to the that standard (when determining whether a website is directed at children).
At the FTC: In addition to the new bills in the House and Senate, the FTC is also undertaking a review of COPPA and has sought comment on a wide array of issues, such as:
- Potential additional categories of information to include in the definition of personal information, such as biometric information, voice data and inferences;
- The appropriate factors for determining whether a website or online service is directed toward children;
- Exceptions to parental consent; and
- The relationship between advertising and support for a website or online service’s internal operations.
COPPA currently requires the FTC to issue regulations concerning children’s online privacy; the last COPPA rule revisions took place in 2013.
Analysis
There is significant overlap in the draft legislation. In addition to expanding protections to 13-15 year-olds, both legislative proposals attempt to clarify COPPA by including specific references to mobile applications and biometric data. Both bills attempt to clarify the procedures and rights relating to the deletion of personal information by minors, in COPPA 2.0, and/or their parents, in the PROTECT Kids Act. Both bills also continue to be enforced by the FTC and state attorneys general, with no private right of action.
Of course, some differences still exist: COPPA 2.0 allows minors between the ages of 13 and 15 to make decisions and take action regarding their own online personal information and the PROTECT Kids Act allows parents to control the personal information of their children under age 16. While COPPA 2.0 makes sweeping changes to the protection of minors under age 13, the PROTECT Kids Act more fundamentally upholds the current requirements and expands them by raising the age of consent.
Comment
This rare bipartisan agreement on this topic and the scope of the FTC rulemaking process indicate that change is coming, but questions remain regarding how and when updated COPPA legislation could pass. Murmurings that an update should be part of a comprehensive federal privacy bill could sideline this update for years as bipartisan divides over preemption and a private right of action continue. In the interim, other countries such as the UK are also taking steps to protect children’s data. For these reasons, businesses should be increasingly cognizant of their data collection and sharing practices, intended audiences, and vendor relationships in the online and digital advertising space to be ready when the changes arrive.