News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to get ready for potential amendments to US children's privacy law Related reading: FTC issues largest COPPA fine ever

rss_feed

""

""

Businesses that collect, use and disclose children’s personal information are already subject to strict legal requirements. The U.S. Children’s Online Privacy Protection Act of 1998 establishes detailed rules for operators of websites and online services that collect information from children under the age of 13. And comprehensive privacy regimes in other jurisdictions impose stringent requirements on online and offline processing of children’s information. Businesses are also acutely aware of the reputational harm that can result from compromising children’s privacy or generally failing to shield children from unsafe content and situations. Two recent legal developments in the U.S. are set to add further restrictions around processing children’s and minors’ personal information.

California's new law: Opt-in consent for sharing children's personal data

The California Consumer Privacy Act of 2018, which comes into effect Jan. 1, 2020, will govern the “selling” of Californian residents’ personal information. “Selling” is defined broadly under the CCPA to include any sharing of personal information for valuable consideration, which covers information sharing arrangements that might not conventionally be thought of as selling personal information. For example, since the CCPA defines personal information to include IP addresses, cookies, beacons, pixel tags, mobile ad identifiers and similar identifiers that can be used to track a unique consumer, family or device over time and across different services, disclosing a unique identifier to an advertising network so that it can target ads for other network members would likely constitute the selling of personal information under the CCPA.

If a company wishes to sell the personal information of a Californian minor under the age of 16, the CCPA requires it to first obtain their opt-in consent. And if a company wishes to sell the personal information of a Californian child under the age of 13, it must first obtain opt-in consent from their parent or guardian. A business that willfully disregards the age of a California resident will be deemed to have had actual knowledge of their age, and an intentional violation of CCPA, which typically requires actual knowledge of noncompliance, can result in penalties of up to $7,500 per violation.

Unlike COPPA, the CCPA’s youth-specific requirements apply even if the personal information was not collected from the children or minors themselves. This has implications for businesses that incidentally collect youths’ personal information, such as where a parent uploads a photo of their child to an online platform and the operator receives some consideration for disclosing uploaded photos wholesale to a facial-recognition software developer. Businesses subject to the CCPA should therefore carefully consider whether they potentially collect and sell any personal information from Californian youths and, unless the answer is demonstrably no, implement processes to:

  • Determine the age of Californian residents to avoid charges that they willfully disregard their age.
  • Obtain affirmative parental or guardian consent for children under 13 years and affirmative consent from minors between 13 and 16 years to sell their personal information, such as by using consent forms that include some means of verifying the identity of the individual providing their consent and their relationship to the data subject, if different.
  • Document such consents in a secure manner.

The COPPA regime describes various acceptable methods for obtaining verifiable consent, and these could be useful for CCPA compliance, too. See here for more information about how to comply with the CCPA.

Bipartisan Senate bill would significantly expand scope and requirements of COPPA

In March 2019, Sens. Edward Markey, D-Mass., who authored COPPA, and Josh Hawley, R-Mo., introduced a bill to amend COPPA that would establish strict new rules regarding how operators of online services and manufacturers of internet-connected devices may process children and minors’ personal information. Some key proposed amendments include:

  • Codifying fair information practices principles with respect to minors’ information: Regulated operators would be required to abide by eight principles regarding the collection, use and disclosure of personal information of minors between the ages of 13 to 15. These include to only collect information consistent with the context of a particular service, transaction or relationship; use information for purposes that have been specified to the data subject and obtain consent for new purposes; and retain information for as long as necessary to fulfill such purposes. The Federal Trade Commission has long recommended that these types of fair information practices principles be incorporated into consumer privacy laws, so the proposed bill marks a significant codification of such principles under U.S. federal law.
  • Governing operators with constructive knowledge that they collect children’s or minors’ information: COPPA currently applies to operators of online services that are directed at children or who have actual knowledge that they collect children’s personal information. The bill would change this “actual knowledge” standard to a “constructive knowledge” standard, meaning that the amended law would apply to operators that should, as opposed to must, have known that they were collecting personal information from children and minors. This is consistent with the CCPA clause providing that willfully disregarding an individual’s age will not provide a means of avoiding responsibility and would increase the impetus for operators of online services to determine the age of all users in case some might be children or minors.
  • Prohibiting the use of children’s personal information for targeted marketing: Regulated operators would not be permitted to collect, use or disclose a child’s personal information for the purposes of targeted marketing, which is defined to include directing advertisements at an individual or device based on the personal information of that individual, a unique identifier of that device, or psychological profiling. Regulated operators would only be permitted to process a minor’s personal information for targeted marketing purposes with their consent. These rules would effectively require regulated operators to deactivate all targeted marketing activities on webpages and services directed at children and only activate such functionality on services not directed at children where the user is demonstrably 16 years of age or older or a minor who provided their affirmative consent.
  • Regulating the design, security and packaging of connected devices for children and minors: The bill defines “connected device” to mean any device capable of connecting to the internet or to another connected device and would include internet-connected game consoles, baby monitors and children’s GPS trackers, as well as phones, tablets and computers. If the bill is passed, manufacturers of connected devices directed to children or minors must prominently display on the device’s packaging a standardized and accessible privacy dashboard containing prescribed details, such as whether, what and how children and minors’ personal information is collected, used and disclosed; the extent to which the device meets the "highest cybersecurity and data security standards"; and how parents and minors can control the manner in which the device processes personal information.

These developments illustrate that rules around the processing of children’s and minors’ information are becoming increasingly stringent. Businesses and intermediaries that may receive personal information from children and minors should update their compliance programs to focus on limiting the processing of such information, providing clear and complete legal notices, obtaining parental and guardian consent as required, reacting promptly to the inadvertent processing of sensitive personal information, and, in the case of services focused on building communities, moderating content shared within such communities to protect children and minors from harm.

Photo by Anna Samoylova on Unsplash

Author
Headshot Jonathan Tam, CIPP/C, CIPP/US IAPP Member Contributor
Tags
U.S.
Children's Privacy
Privacy Law
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
FTC issues largest COPPA fine ever
On Wednesday, the U.S. Federal Trade Commission announced a $5.7 million agreement with video social networking app Musical.ly (now TikTok) to settle alleged violations of the Children’s Online Privacy Protection Act. The settlement surpasses a December 2018 agreement between the New York Attorney G...
Read More queue Save This
Google asks judge to dismiss COPPA lawsuit
Google asked a federal judge to dismiss a lawsuit that accuses the company of violating the federal Children's Online Privacy Protection Act by including apps developed by Tiny Lab in Google Play’s Designed for Families program, MediaPost reports. According to papers filed last week, the company arg...
Read More queue Save This
Related Stories
Tags
U.S.
Children's Privacy
Privacy Law
Privacy Operations Management
Recent Comments