The Kids Are (Not) Alright in Pandemic: Children’s Online Privacy under COPPA, FERPA, and More

Children born in the 21st Century have never experienced a world without the internet. The world wide web is ubiquitous in most young people’s lives. Ninety-two percent of US children now have an online presence before they turn 2 years old. Forty-five percent of teens report a near-constant online presence, averaging nine hours online a day. Unlike their parents who were forced to adapt to technological change over the course of a lifetime, children are digital natives who intuitively build friendships and worldviews around the internet. Children’s internet use has also increased as a result of the COVID-19 pandemic, speeding up the trend towards digital socialization. However, use of the internet during childhood presents particular privacy challenges that may not be readily apparent to most children. Children are often more willing to share personally identifying information (PII) on the internet without fully grasping the risks of a data breach. Children are also more susceptible than other online users to targeted advertising and identity theft. Traditional consumer protection solutions may not be enough to protect children’s data since children often do not read or understand a website’s privacy policy.

Parents who object to a website’s data collection practices may lack the tools necessary to ensure that their child’s internet use is fully supervised. Given the financial and physical risks to children when their personal data is breached, policy makers around the world have devised regulations to specifically protect children’s PII. Since the internet is accessible to people of all ages, compliance with these regulations can be tricky, particularly since laws protecting children’s PII differ between jurisdictions. This article will outline the main laws regulating the data privacy of children in the US and EU to provide a better understanding of the current compliance landscape.


What is COPPA and how do you comply?

The Children’s Online Privacy Protection Act of 1998 (“COPPA”) regulates the data collection practices of commercial websites or applications directed at children. The law also regulates the data collection practices of commercial websites where the operator has actual knowledge that it is collecting personal information from children in the United States. COPPA applies even where the collection of personal information is voluntary rather than mandatory. Under this statute a “child” is any person under the age of 13. “Personal information” is defined broadly to include most forms of data that could be used to identify a child, such as a name, email address, IP address, geolocation, or audio/video recordings. The law requires that an operator provide notice on the website outlining (1) what information is collected from children, (2) how the operator intends to use such information, and (3) any disclosure practices for such information. In most instances the law also requires that operators obtain verifiable parental consent before collecting data from a child. The verification requirement can be satisfied in a few ways, including submission of a signed consent form, phone or video verification, cross-referencing a parent’s government-issued identification against a database, or requiring that the parent provide account information for a monetary transaction.

Once a child’s data is collected, operators take on additional compliance responsibilities under COPPA. An operator must ensure reasonable procedures are in place to protect the confidentiality, security, and integrity of data collected from children. Before an operator may share data with a third party, it must verify that the third party’s data practices are also reasonably confidential and secure under COPPA regulations. An operator cannot retain a child’s data unless it is being used for the intended purpose outlined in a privacy policy, and it must delete any data as soon as it is no longer useful. The operator must also provide parents access to their child’s personal information upon request so that parents may review it and ask for information to be deleted.

COPPA is enforced by both the Federal Trade Commission and States’ Attorneys General. Enforcement actions can result in fines of up to $43,792 for each violation. As arguably the strongest data privacy law in the United States, COPPA has produced many high-profile enforcement actions against companies like Sony Music, TikTok, Girls’ Life, the Hershey Company, and YouTube. YouTube’s COPPA violations resulted in a settlement of $170 million and major changes to internal company procedures to ensure that future data collection practices related to child-directed content and targeted advertising complied with the company’s COPPA obligations. COPPA compliance issues have led many popular services, including Facebook, Twitter, and Snapchat, to disallow children under 13 from accessing the platform altogether.

Since enforcement actions can be a large undertaking, the FTC has encouraged industry groups to adopt self-regulatory “safe harbor” programs. In order to qualify for self-regulation, the industry group must submit a proposal that provides (1) substantially the same or greater protections as FTC regulation, (2) an annual review of each operator’s practices, and (3) disciplinary mechanisms for non-compliance. So far, the FTC has approved seven safe harbor programs. One notable example is the Entertainment Software Rating Board (ESRB), a self-regulatory organization that traditionally assigns age and content ratings to video games. Since 2013 the ESRB has worked with video game publishers and developers to standardize the industry’s data collection practices. Ninety-one percent of US children between 2 and 17 play video games in some form, making the video game industry particularly vulnerable to regulatory risk from COPPA. Industries with similar exposure to children’s data may find that a safe harbor program is the best way to ensure regulatory compliance is efficient and manageable.


How does FERPA protect children’s data?

The Family Educational Rights and Privacy Act (“FERPA”) is another important federal statute that protects the data privacy of children. Unlike COPPA, which regulates a large category of children’s online PII, FERPA specifically regulates policies relating to education records. The statute is administered by the United States Department of Education and applies to any educational agency or institution that receives federal education funding. If a regulated entity violates FERPA, it may have its federal funding terminated. Under FERPA, parents of students younger than 18 have a right to inspect, review, and correct the education records of their children. Education records include most documents maintained by a regulated educational institution that contain information related to a student. Some documents, such as the personal notes of an instructor, law enforcement records maintained by a school, and medical records, are not considered education records under FERPA. FERPA generally prohibits the release of education records and student PII without parental consent (or student consent if over the age of 18). However, there are limited exceptions where an institution may release or disclose protected information without first acquiring consent. Some PII, including the student’s name, address, telephone number, major, awards, and extracurricular activities, may be disclosed by a school as “directory information” so long as the school gives prior notice of which categories it intends to disclose and offers a reasonable period of time for parents or students to request that the school withhold part or all of the information. Release of education records is also permitted without consent for a variety of institutional functions, including release to teachers, administrators, other schools, specified government authorities, accreditation organizations, financial aid providers, and certain organizations conducting studies using student information.

Even before the pandemic, educational institutions had started to incorporate a variety of educational technologies (EdTech) into the classroom. Integration of EdTech has become a vital part of schooling in the time of COVID. Disclosure of PII and education records to third-party EdTech companies raises interesting questions about FERPA compliance that will be discussed further in a later article.


What State Laws cover Children’s data privacy?

In addition to federal laws protecting children’s privacy, California and Delaware have both adopted laws that address children’s data privacy for the purposes of online advertising. Like COPPA, California’s Privacy Rights for California Minors in the Digital World Act and Delaware’s Online and Personal Privacy Protection Rule both regulate operators of websites or online services who have actual knowledge that minors are using the service. Unlike COPPA, however, these state laws protect all minors under the age of 18 in addition to children under the age of 13. Both laws prohibit operators and third-party advertising services from using, disclosing, and compiling any minor’s data for direct advertising. Both states prevent sites from marketing certain products to minors online (alcohol, weapons, tobacco products, obscene material, etc.). California has also built on the protections codified in COPPA by specifically addressing children’s privacy in the California Consumer Privacy Act (CCPA). Under Section 1798.120(c) of the CCPA, absent opt-in consent, a business is prohibited from selling the personal information of a California resident where the business has actual knowledge the resident is under 16 years old. Children between the ages of 13 and 15 may opt-in on their own while children under 13 years old may only opt-in with parental consent. Children under 16, like all California residents, have the right to opt-out, preventing data collectors from selling information to third parties in the future. Companies that violate protections for minors under the CCPA may be fined up to $7,500 for each violation.


How is GDPR different from US Laws?

The EU’s General Data Protection Regulation (GDPR) provides stronger protections for children’s data than US laws. The GDPR uses an “opt-in” model similar to California’s CCPA. Article 8 of the GDPR sets a general age of consent for data collection at 16. EU member states are authorized to lower the age of parental consent to as low as 13 years old. In order to collect data from any children covered by the GDPR, an operator must make reasonable efforts to obtain permission from a parent or guardian, in a manner similar to parental verification under COPPA. Processing the data of a child without parental consent is illegal under EU law. Violations of Article 8 can result in fines of up to 10 million euros or 2 percent of the firm’s worldwide annual revenue from the preceding financial year.


Conclusion

The COVID-19 pandemic has increased the amount of time children spend on the internet. Online schooling, online gaming, and social networking have become vital aspects of children’s lives. The laws described in this article are important consumer protection tools that empower parents and children in an increasingly digital world. Now more than ever, companies need to understand and implement protections for children’s data. Privacy compliance starts with the data a company holds and for which it is held accountable. Data identification is key to determining which data is regulated under children’s data privacy laws, which data needs to be reported on, and which data needs to be deleted; it also enables data discovery to facilitate data subject rights when parents request their child’s data under COPPA. Data minimization and privacy-by-design strategies protect companies from costly enforcement actions, satisfy due diligence obligations around children’s data, and fulfil a civic responsibility. Ardent Privacy solutions are geared to help companies minimize their personal data footprint, provide privacy intelligence, implement RTBF (Right to be Forgotten), and enable privacy compliance. Visit ardentprivacy.ai for more information.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to provide companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information, visit https://ardentprivacy.ai/.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.