As we (remotely) head back to school, we thought it timely to post our “annual” reminder that collecting, using and/or disclosing children’s personal information comes with some restrictions (see last year’s post here). With this unprecedented back-to-school season, nearly all children’s activities, products and services are moving online for the foreseeable future. As such, now more than ever organizations should really take the time to determine whether they collect any data from children (or have actual knowledge of doing so), and ensure that they are taking the proper steps to comply with applicable rules.
With respect to the Children’s Online Privacy Protection Act’s (COPPA), organizations can refer to the FTC’s website and specifically Complying with COPPA: Frequently Asked Questions, which provides helpful guidance from the Federal Trade Commission (FTC) for parents and businesses alike on complying with COPPA’s strict requirements.
As a general reminder, COPPA applies to (a) operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children, (b) operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13 and (c) websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
Personal information under COPPA includes names, address, and telephone, but also screen or user names, identifiers such as those used for tracking, photo, video and audio files, and geolocation information sufficient to identify street name and name of a city or town.
Note also that the personal information of children requires heightened protection under other data protection laws, some of which define personal information more broadly than COPPA. The General Data Protection Regulation provides for heightened requirements where organizations process the personal data of children in the EEA, with cut-off ages (between 13 and 16) determined by individual member states. In California, the California Consumer Privacy Act (CCPA) creates protections for children and teens with respect to the sale of their data.
For those curious about regulatory actions, a list of FTC enforcement actions can be found here. It should also be noted that COPPA gives states and some federal agencies authority to enforce with respect to entities over which they have jurisdiction. New York is one example of a state that has brought several COPPA-related enforcement actions. Even absent an enforcement action, regulators are paying attention. As Zoom took over remote learning last spring, the New York Attorney General signaled to the company that it was “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network” and noting the use of the platform by families and schools. Zoom has since updated its policies after reaching an agreement with the NY AG’s office. The California Attorney General has also indicated that it will make children’s privacy a priority as it begins enforcement of the CCPA – which applies to personal information collected both online and offline by for-profit organizations. Covered businesses under the CCPA and third parties that receive data as a sale should therefore review the manner in which data is collected where children are concerned. Finally, there have also been a number of lawsuits in recent years with respect to children’s online privacy, filed against the likes of Tik Tok, Viacom, and other giants, many filed by child advocacy groups.
All in, as all eyes are on our children in this unusual 2020 return to school, now is a good time to make sure that your organization complies with children’s privacy laws.