Federal and state regulators have previously prioritized minors’ online privacy regulation, and this trend is poised to continue in 2024.Chief among these laws is the federal Children’s Online Privacy Protection Act (COPPA), which regulates the collection, use, and disclosure of personal information online from children under 13. Recent enforcement and proposed regulations would bring additional business activities within the purview of COPPA. At the same time, a growing number of states are imposing requirements related to processing of teen data, expanding the age range that may trigger special obligations. Even businesses that have not historically been subject to children’s privacy obligations should assess whether existing operations are implicated by recent regulatory shifts.

It's easier than ever to trigger COPPA.

Many common business activities can trigger child and teen privacy laws. For example, the following activities have been cited in Federal Trade Commission (FTC) enforcement actions involving COPPA:

• A business receives age information. A business may directly collect this information during the sign-up process, when a user changes their birthdate or profile age after sign-up, or through its customer service interactions. Alternatively, a business may receive age information through automated data transmissions or third-party flags.
• A company offers products with features that appeal to children or younger teens. Companies should consider the list of “child-directed” factors outlined in COPPA to inform audience determinations. Companies should revisit designations of properties that include features that may appeal to children, even if the business did not intend to direct that property to children. Regulators have claimed that children model their interests on younger teens, so having a fan base or features for this age group creates a risk of COPPA applying.
• It is an “open secret” that children use a property. In a few cases, the FTC has alleged that a business was aware children were part of the user base, even though it used an age gate to exclude users. Activities such as selling children’s merchandise, marketing statements to business customers, collecting surveys showing a large volume of child users, or communicating internally about child users may be used to support claims that a business is aware that children use the property.
• A business manually reviews third-party properties where it collects data. Recent enforcement raises concerns for businesses that collect personal information directly from users of properties operated by others. Although COPPA does not require review of properties where data is collected, companies that engage in such reviews for other reasons, such as for “know your customer” purposes, should also review for children’s privacy purposes. Existing reviews are likely to involve the same features that are relevant to the child-directed determination under COPPA, and businesses that deploy manual reviews could therefore be held liable if they do not identify and comply with COPPA for child-directed properties where they collect data.

State laws apply additional restrictions on child and teen data.

Many state privacy laws now require parental consent for sales and/or targeted advertising involving children’s data. While such laws track COPPA obligations, they can be an additional source of liability. States have also begun to require data protection impact assessments for processing activities involving information about known children. 

Several states have also passed laws that require consent from teens before businesses engage in targeted advertising or sales involving data about those teens. Most states with such requirements apply to teens aged 13-15, but certain states extend the requirements to data from older teens. 

Companies that collect age information should take steps to ensure that they are getting appropriate consent for the processing of teen data or ceasing the processing activities that would require consent.

More changes are on the horizon.

In addition to enforcement trends, companies should remain up to date on changing regulations and laws. The FTC recently proposed changes to the COPPA Rule that could, among other updates, introduce new notice and consent requirements and impact third-party sharing practices. This proposal, if adopted, could also greatly expand COPPA’s reach by extending the law to any “downstream” data recipient that knows personal information was originally collected from a child or child-directed property, even if that recipient is not collecting data directly from the property.  The FTC’s detailed commentary on its proposed COPPA Rule amendments provides valuable insights as well, including the clarification that ad attribution and other practices are allowed without parental consent in certain cases. After the FTC receives public comments on its proposal, it may issue a final rule or may issue a revised proposal for further comment.

Moreover, federal and state legislators continue to propose bills that would expand the applicability of child and teen privacy laws to more businesses, either by lowering the knowledge standard or by raising the age of protected users.   

Take stock of existing practices and prepare to pivot.

As more businesses and activities are swept under child and teen privacy regulations, businesses should reassess the applicability of these laws to their operations. Such assessments should include updating product inventories, flagging products that collect age information from child and teen users, and revisiting audience analyses or previous COPPA reviews to account for recent enforcement trends. Child and teen privacy should remain top of mind during product design and development, so that businesses can adapt to future privacy obligations.