Parents who object to a website’s data collection practices may lack the tools necessary to ensure that their child’s internet use is fully supervised. Given the financial and physical risks to children when their personal data is breached, policy makers around the world have devised regulations to specifically protect children’s PII. Since the internet is accessible to people of all ages, compliance with these regulations can be tricky, particularly since laws protecting children’s PII differ between jurisdictions. This article will outline the main laws regulating the data privacy of children in the US and EU to provide a better understanding of the current compliance landscape.
What is COPPA and how do you comply?
How does FERPA protect children’s data?
The Family Education Rights and Privacy Act (“FERPA”) is another important federal statute that protects the data privacy of children. Unlike COPPA, which regulates a large category of children’s online PII, FERPA specifically regulates policies relating to educational records. The statute is administered by the United States Department of Education, and it applies to any educational agency or institution that receives federal education funding. If a regulated entity violates FERPA, it may have federal funding terminated. Under FERPA, parents of students younger than 18 have a right to inspect, review, and correct the education records of their children. Education records include most documents maintained by a regulated educational institution that contain information related to a student. Some documents, such as personal notes of an instructor, law enforcement records maintained by a school, and medical records, are not considered educational records under FERPA. FERPA generally prohibits the release of education records and student PII without parental consent (or student consent if over the age of 18). However, there are limited exceptions where an institution may release or disclose protected information without first acquiring consent. Some PII, including the student’s name, address, telephone number, major, awards, and extracurricular activities, may be disclosed by a school as “directory information” so long as the school gives prior notice of which categories it intends to disclose and offers a reasonable period of time for parents or students to request that the school withhold part or all of the information. Release of education records is also permitted without consent for a variety of institutional functions, including release to teachers, administrators, other schools, specified government authorities, accreditation organizations, financial aid providers, and certain organizations conducting studies using student information.
Even before the pandemic, educational institutions started to incorporate a variety of educational technologies (EdTech) into the classroom. Integration of EdTech has become a vital part of schooling in the time of COVID. Disclosure of PII and education records to third-party EdTech companies raises interesting questions about FERPA compliance that will be discussed further in a later article.
What state laws cover children’s data privacy?
In addition to federal laws protecting children’s privacy, California and Delaware have both adopted laws that address children’s data privacy for the purposes of online advertising. Like COPPA, California’s Privacy Rights for California Minors in the Digital World Act and Delaware’s Online and Personal Privacy Protection Rule both regulate operators of websites or online services who have actual knowledge that minors are using the service. Unlike COPPA, however, these state laws protect all minors under the age of 18 in addition to children under the age of 13. Both laws prohibit operators and third-party advertising services from using, disclosing, and compiling any minor’s data for direct advertising. Both states prevent sites from marketing certain products to minors online (alcohol, weapons, tobacco products, obscene material, etc.). California has also built on the protections codified in COPPA by specifically addressing children’s privacy in the California Consumer Privacy Act (CCPA). Under Section 1798.120(c) of the CCPA, absent opt-in consent, a business is prohibited from selling the personal information of a California resident where the business has actual knowledge the resident is under 16 years old. Children between the ages of 13 and 15 may opt in on their own, while children under 13 years old may only opt in with parental consent. Children under 16, like all California residents, have the right to opt out, preventing data collectors from selling information to third parties in the future. Companies that violate protections for minors under the CCPA may be fined up to $7,500 for each violation.
How is GDPR different from US laws?
The EU’s General Data Protection Regulation (GDPR) provides stronger protections for children’s data than US laws. The GDPR uses an “opt-in” model similar to California’s CCPA. Article 8 of the GDPR sets a general age of consent for data collection at 16. EU member states are authorized to lower the age of parental consent to as low as 13 years old. In order to collect data from any children covered by the GDPR, an operator must make reasonable efforts to obtain permission from a parent or guardian in a manner similar to parental verification under COPPA. Processing data of a child without parental consent is illegal under EU law. Violations of Article 8 can result in fines of up to 10 million euros or 2 percent of the firm’s worldwide annual revenue from the preceding financial year.
The COVID-19 pandemic has increased the amount of time children spend on the internet. Online schooling, online gaming, and social networking have become vital aspects of children’s lives. The laws described in this article are important consumer protection tools that empower parents and children in an increasingly digital world. Now more than ever, companies need to understand and implement protection for children’s data. Privacy compliance starts with the data that companies own and are held accountable for. Data identification is key to determining what data is regulated under children’s data privacy laws, what data needs to be reported on, and what data needs to be deleted, and to enabling data discovery that facilitates data subject rights when parents request their child’s data under COPPA. Data minimization and privacy by design strategies will protect companies from costly enforcement actions and support due diligence with children’s data as a civic responsibility. Ardent Privacy solutions are geared to help companies minimize their personal data footprint, provide privacy intelligence, implement RTBF (Right to be Forgotten) and enable privacy compliance. Visit ardentprivacy.ai for more information.