Earlier this year, the popular TikTok app deleted the lip synch videos of thousands — perhaps hundreds of thousands — of tweens after the FTC found TikTok had violated various provisions of the Children’s Online Privacy Protection Act (COPPA).[1] COPPA, originally enacted in 1998, was updated in 2013; yet, since then, technological advances and a shift in marketing practices have called into question the practicality of, and compliance with, COPPA’s parental consent and personal information collection requirements, particularly in the wake of such massive violations by companies such as TikTok and YouTube/Google[2]. Can websites or apps that provide an engaging online experience for children do so without running up against COPPA requirements—requirements that may be impossible to meet without losing an important audience (such as tweens and TikTok)? And can COPPA’s privacy protections keep pace with the massive technological advancements that are now part of children’s everyday online experiences? These questions aren’t limited to major social media platform providers like TikTok and YouTube. Any business that collects children’s personal information or provides child-directed online services should be aware that there is increased scrutiny on protecting the privacy rights of children, and should stay attuned to regulatory developments and guidance.
To answer these questions, the Federal Trade Commission (FTC) has begun its mandated 10-year regulatory review process for COPPA almost four years ahead of schedule.[3] The FTC is not yet considering specific changes to COPPA, but as part of its rulemaking process it is soliciting opinion and commentary about the current state of the law — its successes and challenges — which may result in further amendments to the law. The public comment period for the FTC’s regulatory review ends October 23, 2019. This accelerated review is also occurring against the backdrop of legislation proposed in March 2019 by Senators Edward Markey (D-Mass.) and Josh Hawley (R-MO) to expand COPPA’s scope and protections.
As part of this review process, the FTC brought key stakeholders together on October 7, 2019 for a public workshop, The Future of the COPPA Rule (the “Workshop”) to address the Rule’s application to Internet of Things devices, social media, the EdTech sector and general audience platforms, like YouTube (and TikTok), that host third-party child-directed content.[4] The following article discusses the requirements of the COPPA Rule and key takeaways from the Workshop.
Background and State of the World in Children’s Privacy
COPPA’s purpose is to limit the collection of personal information from children without their parents’ consent; it requires certain websites to post a complete privacy policy, provide direct notice of their information collection practices to parents, and obtain verifiable parental consent before collecting personal information from children. COPPA was amended in 2013 to address the increased use of mobile devices and social networking, and the expansion of data collected to track user’s online activity.
Recent legislation and regulatory guidance in the United Kingdom, European Union, and California has expanded children’s privacy protections, and Workshop panelists urged the FTC to consider aspects of these new laws in its rulemaking process. Of note was the UK’s Information Commissioner’s Office “Age-Appropriate Design,” a draft code of practice that will regulate online services “likely to be accessed” by children in the UK, even if the service is aimed at adults. The code emphasizes that the best interests of the child should be a primary consideration in the design of online services; for example, children’s personal data may not be collected and disclosed unless unless there is a compelling reason “in the best interest of the child” to collect and share their information
Once enacted, the “Age-Appropriate Design” regulations as implemented by the UK’s Data Protection Act 2018, will ensure compliance with the EU’s General Data Protection Regulation (GDPR). Similarly, the GDPR itself limits data collection with its “purpose limitation” — data collected must be for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with these purposes. This global standard is similar to the existing COPPA provision that an online service cannot condition a child’s participation in an activity with granting access to personal information beyond what is reasonably necessary to provide the service. The panelists recommended that, going forward, the FTC maintain its focus on this data minimization principle, analogous to the GDPR.
The downside to so many separate, international regulations, of course, is that companies that have an international user base struggle to meet what are often conflicting regulations. For example, a representative for the popular mobile game Angry Birds noted that the game is now available in more than 100 countries; while the app collects virtually no data on its users, compliance with certain jurisdiction-specific laws actually requires it to collect data from children. For example, the California Consumer Privacy Act (CPPA), which will offer broad online privacy rights for California residents and goes into effect on January 1, 2020, may require services to ask users whether they are 16 years of age or older. This problem isn’t limited to high-revenue companies with a clearly global footprint; the nature of the internet is such that even small companies can find themselves subject to a complex framework of multiple laws and regulations from countries around the world.
What Should Fall Within the Scope of the COPPA?
Under the law, services fall under the purview of COPPA if they are either (i) “directed to children,” or (ii) the entity has “actual knowledge” that it is collecting information from a child — even if the service is not "directed at" children.
The FTC currently uses various factors to determine whether a service is “directed to children,” and Workshop panelists discussed whether the definitions of these factors should be changed. For example, one factor the FTC may use is audience composition: regardless of the app or website’s stated intended audience, if a large portion of the users are children, could anyone actually claim that the service is not “directed to children”? Similarly, when considering the “characteristics” of the service, should the FTC look beyond demographics and focus on the engagement of TikTok users who actively upload video? Finally, the FTC may examine whether advertising on the service is directed toward children, and this analysis would include a holistic view of franchise/brand identity. (For example, can Angry Birds claim it is a mobile game not directed towards children yet market movies featuring the same characters to preschoolers?)
How does the FTC show that entities have “actual knowledge” of children using the service to determine whether COPPA applies? For example, an entity has “actual knowledge” of a user's age when it asks for that information as part of the registration process. The Workshop panel considered whether “constructive knowledge” is a more appropriate standard — in other words, whether the entity knew or reasonably should have known that children were using the site and providing their personal information. “Constructive knowledge” is favored by watchdog groups and is also the standard in the proposed Markey-Hawley legislation, but industry representatives have expressed concerns with how this standard would be applied.
Definitions and Exception
Some of the key provisions of COPPA include the definitions of “personal information” and obtaining “verifiable parental consent.” Currently, the “personal information” COPPA protects includes names, physical addresses, online contact information, user names, phone numbers, Social Security numbers, persistent identifiers, photographs, videos or audio files containing a child’s image or voice, geolocation information, and information concerning a child or parents collected online in combination with the one of these identifiers. Workshop panelists discussed whether this definition should also include biometric data. This is an expected addition as biometric data is encompassed in recent major privacy laws, including the CCPA and GDPR.
COPPA defines “verifiable parental consent” as making a reasonable effort to ensure that a parent receives notice of the operator’s collection, use and disclosure practices, and authorizes the collection, use, and/or disclosure of their child’s personal information. But this requirement poses challenges, particularly in the education technology, or EdTech, industry sector. For example, as reported by the chief information officer of the Cambridge, Massachusetts public schools, districts may use between 100 and 1,000 educational apps in the core curriculum — educators are turning to these apps to provide instructional benefits for children, but the COPPA requirement to obtain verifiable parental consent for every app imposes a significant administrative burden on teachers and school districts. The panel recommended the FTC create an exception to the verifiable parental consent requirement similar to the “school official exception” in the Family Educational Rights and Privacy Act (FERPA), which allows school officials to access personal information in education records without prior parental consent provided the school has determined they have a legitimate educational interest in the information. A similar exception under COPPA could allow a school official at the school district level to consent on behalf of parents after thoroughly vetting the apps.
Persistent Identifiers
The 2013 COPPA amendments widened the definition of children’s personal information to include “persistent identifiers,” such as cookies that track a child’s online activity, as well as geolocation information, photos, videos, and audio recordings.[5] (Prior to 2013, persistent identifiers like cookies were only considered personal information if they were combined with other identifying information.) There is, however, an exception to the parental consent: if the identifier is only used to support the internal operations of the site, such as delivery of advertising, consent is not needed.
For some services, preserving this exception may be crucial to delivering targeted advertising. Industry watchdogs and children’s privacy advocates participating in the Workshop, however, argued that businesses should instead think about ways to monetize their online advertising towards children without collecting any data — because the risk that the persistent identifiers violate children’s privacy is greater than the business benefits. Whether or not the FTC makes changes to its regulations concerning persistent identifiers may have a significant effect on services’ ability to target advertising towards children.
Conclusion
The FTC’s early jump on its regulatory review process underscores the evolving importance of the issue of children’s online privacy. Public comments on the state of COPPA may be submitted up to October 23, 2019 here. Likely next steps would include a public hearing and a proposed rule amendment before any final changes are made. Nevertheless, all companies and nonprofits with external-facing web presences should be aware of these developments.
1. https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online
2. https://www.ftc.gov/news-events/events-calendar/future-coppa-rule-ftc-workshop
3. https://www.ftc.gov/news-events/blogs/business-blog/2019/02/largest-ftc-coppa-settlement-requires-musically-change-its
4. https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations
5. https://www.ftc.gov/news-events/press-releases/2013/07/revised-childrens-online-privacy-protection-rule-goes-effect
