Developments in child and teen privacy legislation have continued at a rapid pace in 2024, with laws poised to impact ever more companies. Chief among these is the federal Children's Online Privacy Protection Act (COPPA), which regulates the online collection, use, and disclosure of personal information from children under 13. Recent enforcement and proposed regulations may bring additional business activities within the purview of COPPA. At the same time, a growing number of states are imposing new requirements related to processing of child and teen data, thereby expanding the age range that may trigger special obligations. These developments mean that businesses that historically were not subject to children's privacy obligations now need to determine whether they are impacted by recent regulatory shifts.

It's easier than ever to trigger COPPA

Continued vigorous enforcement demonstrates that many common business activities can trigger child privacy obligations. For instance, each of the following activities have been cited in Federal Trade Commission (FTC) enforcement actions involving COPPA:

• A business receives age information. A business may directly collect this information during the sign-up process, when a user changes their birthdate or profile age after sign-up, or through its customer service interactions. Alternatively, a business may receive age information through automated data transmissions or third-party flags.
• A company offers products with features that appeal to children or younger teens. Companies should consider the list of "child-directed" factors outlined in COPPA to inform audience determinations. Companies should also periodically revisit designations of properties that include features that may appeal to children, even if the business did not intend to direct that property to children. Regulators have claimed that children model their interests on younger teens, so having a fan base or features for this age group could give rise to an enforcement action.
• It is an "open secret" that children use a property. In a few cases, the FTC has alleged that a business was aware children were part of their user base, despite using an age gate to exclude users. Activities such as selling children's merchandise, marketing statements to business customers, collecting surveys showing a large volume of child users, or communicating internally about child users may be used to support claims that a business is aware that children are using the property.
• A business manually reviews third-party properties where it collects data. Although COPPA does not require review of properties where data is collected, companies that engage in such reviews for other reasons, such as for "know your customer" purposes, should also review for children's privacy purposes. Businesses that deploy manual reviews could be held liable if they do not identify and comply with COPPA for child-directed properties where they collect data.

Comprehensive state privacy laws apply additional restrictions on child and teen data

Many state privacy laws now require parental consent for the collection of data from known children and for sales and/or targeted advertising involving children's data. While such laws generally track COPPA obligations, they apply to both offline and online practices and can therefore be an additional source of liability. States have also begun to require data protection impact assessments for processing activities involving information about known children.

Several states have also passed laws that require consent from teens before businesses engage in targeted advertising or sales involving data about those teens. Most states with such requirements apply to teens aged 13-15, but certain states also extend the requirements to older teens.

Companies that collect age information should take steps to ensure that they are getting appropriate consent for the processing of child and teen data or ceasing the processing activities that would require consent.

New child safety laws create additional obligations for certain online products

Maryland and Vermont recently passed new legislation to regulate the design of online products "likely to be accessed" by children, a standard that may reach products not currently subject to COPPA. Colorado similarly passed legislation that would amend its existing comprehensive privacy law to add significant obligations for controllers offering products to known children and teens. Although some of the requirements were modeled on portions of California's Age-Appropriate Design Code, these laws eliminate content-focused provisions to avoid the ongoing constitutional challenges that have blocked enforcement of the California law.

These new state laws govern how businesses interact with children and teens online through a combination of assessment requirements, default privacy settings, and minimum duties of care intended to prevent reasonably foreseeable harms to children and teens. The laws signal that regulators are interested in promoting minors' online safety across a product's life cycle and that they expect child privacy and safety to be considered proactively during product development and deployment.

More changes are on the horizon

Federal and state legislators continue to propose bills that would expand the applicability of child and teen privacy laws to more businesses, either by altering the knowledge standard or by raising the age of protected users. Changes to COPPA are also likely. The FTC recently proposed changes to the COPPA Rule that could, among other updates, introduce new notice and consent requirements and impact third-party sharing practices. This proposal, if adopted, could also greatly expand COPPA's reach by extending the law to any "downstream" data recipient that knows personal information was originally collected from a child or child-directed property, even if that recipient is not collecting data directly from the property. The FTC's detailed commentary on its proposed COPPA Rule amendments provides valuable insights as well, including the clarification that ad attribution and other practices are allowed without parental consent in certain cases. After the FTC receives public comments on its proposal, it may issue a final rule or a revised proposal for further comment.

Take stock of existing practices and prepare to pivot

Child and teen privacy is a space to watch for the foreseeable future. As more businesses and activities are swept under child and teen privacy regulations, businesses need to reassess the applicability of these laws to their operations. Such assessments should include updating product inventories, flagging products that collect age information from child and teen users, and revisiting audience analyses or previous COPPA reviews to account for recent enforcement trends. Child and teen privacy should remain top of mind during product design and development, so that businesses can adapt to future privacy obligations.