Revisiting COPPA: How recent developments have shaped the discussions

By: Alvaro Marañon

While calls for comprehensive federal privacy legislation may continue to fall upon deaf ears, concerns about protecting children’s online privacy might have already been heard with talks of forthcoming regulatory change. Illustrating this shift, the Federal Trade Commission (FTC) welcomed comments on the effectiveness of the 2013 amendments to the Children’s Online Privacy Protection Act (COPPA). The amendments specifically updated the COPPA Rule to address the advances in mobile devices and social networking, and to expand the definition of personal information by including geolocation and persistent identifiers like cookies. More recently, the FTC held a public workshop to explore proposals to further update the COPPA Rule. This recent push has been propelled by two major developments over the past year: (1) the legislative proposal by Senator Markey titled “COPPA 2.0”; and (2) the  record-breaking FTC settlements for COPPA Rule violations.

In effect since 2000, COPPA creates a set of information privacy guidelines governing the collection, use, and access of personal information by operators of commercial websites or onlines services directed to children. These requirements are imposed upon companies if they have “actual knowledge” that they are collecting personal information from a child that is under 13 years old. Having a clear and detailed privacy policy, providing parents the opportunity to review the collected information, and requiring operators to protect the confidentiality, security, and integrity of any collected personal information are some of the main provisions. While numerous enforcements have been brought, legislative amendments have recently been proposed.

Last March, Senators Markey of Massachusetts and Hawley of Missouri announced a proposal to modify the existing scope and rules of COPPA. Among the various considerations, the bill  proposes to ban targeted advertising directed at children (defined as any user under 13), create a new division within the FTC to handle youth privacy and marketing, and modify the parental ability to view collected information by creating an “Eraser Button” that would permit the parent or user to delete their information. The bill also calls for a new and flexible cybersecurity standard for internet connected devices targeted towards children and minors (defined as any user between 13 to 15) by considering the sensitivity of information collected, the context in which it is collected, its security capabilities, and more.  

While the bill does well to account for  the interests between innovation and privacy, its outright ban of all targeted advertising of children, the changing of the “actual knowledge” standard to constructive, and the expansion of the disclosure requirement make it a highly problematic bill. 

The outright ban on all targeted advertising directed at children raises concerns for its overbreadth and encompassing of potentially beneficial ads. Secondly, changing the knowledge standard to a broader definition may seem beneficial on its face but is impractical with the inability to accurately determine one’s intended and actual audience. Lastly, these new requirements put operators in a difficult spot with their privacy and security policies. This “Eraser button” intends to improve privacy and security by requiring operators to gather more personal information and have it readily available for viewing by outside parties.  These two options, while well intended, run afoul to the policy trend for more data minimization and anonymization. Although these are just proposals, assessing its potential impact on practices and operations can help prepare for compliance costs and strategic planning for new entrants and incumbents. 

But what is the current state of COPPA? FTC Commissioner Wilson’s opening remarks at the recent COPPA workshop reiterated an important characteristic about the regulatory environment: the COPPA rule permits the FTC to keep pace with changes in technology, the development of new business models and data collection, and the manner in which children interact with these online services. This was demonstrated with the 2013 COPPA amendments, which was in response to the expansion of the smartphone market. The emergence of the Internet of Things (IoT) devices and the surge in platforms that host third-party content merits a reassessment of the current rules but whether to make any substantive changes is less clear. Looking at recent enforcement cases can help determine n if changes to the rules are needed. 

In February 2019, the FTC settled the then largest civil penalty for a COPPA violation when agreed pay $5.7 million for failing to seek parental consent before collecting personal information from users under 13 years old. Their application, TikTok, permitted users to upload short video clips on an interconnected platform where they could interact, comment, and directly message other users. 

In May 2019, three dating applications were removed from Apple’s and Google’s respective application store after the FTC alleged they violated COPPA by permitting users under 13 to access them. Although no fine resulted, the removal demonstrated the FTC’s ongoing supervision in this field. 

Lastly, in September 2019,  Google and YouTube settled to pay a record $170 million for the allegations by the FTC and the NY Attorney General that they had collected personal information from children without their parents’ consent. Specifically, the complaint alleged that through the use of cookies, YouTube had collected personal information from viewers of child-directed channels. Then YouTube used this information to deliver targeted ads to viewers of this channel. Despite the operators classifying themselves as general audience sites, the complaint focused on the operators failure to take action once they had notice of the channels directed at children. Importantly, COPPA does not require operators to determine if videos produced by third parties are directed to kids, but in light of this settlement, Google and YouTube have revised their advertising policies. 

While the FTC has brought COPPA enforcement in the past, this proceeding was differentiated by the severity of the fines. As noted by FTC Chairman Simmons, the civil penalty obtained against Google and YouTube was 10 times larger than all of the 31 prior COPPA cases combined. Aside from the financial implications, this settlement marked a pivotal point in COPPA enforcement by holding a platform liable for the content posted by a third party. 

These developments help indicate areas of consideration for regulators and stakeholders in this industry. First, there will be an increased reliance upon machine learning to catch violators and help identify child directed programs. Second, the lack of clarity regarding what the relevant factors are and what their respective role in the determination of child directed programming will lead to an increase in the creation of segmented “child-only” services. Lastly, a ban of all targeted advertisements directed at children could chill investment and lead various stakeholders to entirely abandon the market. While both  TikTok and YouTube announced initiatives to further fund, promote, and expand the services and content for their child specific channels, not all industry players may be capable of following suit.  

Wearable Technology & Regulation Gaps

By Soniya Shah

With the advent of wearables like smart watches and fitness trackers becoming more popular by the day, we have some big questions to answer around data privacy and security. There is always concern about new technology and cyber attacks, especially when data travels through wireless networks. 

Users of these devices usually do not want others looking at their data, especially when it comes to health data. However, many privacy policies are vague and even include disclaimers that information may be shared with third parties. Part of the issue is that HIPPA does not extend to this medical information, so makers of wearables legally can share medical data without incurring liability. 

Wearables obtain Information about a person including the time and duration of activity. This information coupled with demographic user profiles can provide data that is crucial to businesses looking to market to individual consumers. 

The security of this information is important because identifying individuals based on their data poses security and privacy risks. For example, insurance companies could use the information to price differentiate between customers. Despite the potential risks, wearables have gone largely unregulated by the FDA, because traditional wearables do not assist in patient treatment, and the risk of wearing a device like an Apple Watch is low. 

While most wearables are not subject to federal regulation, states have the power to regulate via consumer protection laws and other state laws. For example, California has stricter privacy laws around medical data than what is mandated by HIPAA through federal regulations. States should consider tightening regulations to protect consumer data and alleviate some of the risks that come with wearable technology. 

In early June, Senators Amy Klobuchar and Lisa Murkowski introduced the Protecting Personal Health Data Act, which would put into place new privacy and security rules around devices that collect personal health data, including wearables like fitness trackers. The Act would require the Department of Health and Human Services (HHS) Secretary to issue regulations related to privacy and security of health-related consumer devices, applications, services, and software. The bill would incorporate concepts from the European Union’s General Data Protection Regulation (GDPR), such as individual access to delete and amend health data tracked through wearables and other applications. To implement the Act, HHS would need to create a national task force to address cybersecurity risks and privacy concerns. 

HHS will need to take into account the different standards needed for each type of data that is collected, including genetic and general personal health data. Perhaps more importantly will be the ability for consumers to access their own data and have more control over what is used and collected by companies. 

The Act is part of a larger Congressional effort to increase efforts to protect consumer privacy, especially after Facebook data scandals. While this Act could be a big step for privacy and security concerns, there are no guarantees the bill will pass. While we wait for federal regulation, it might be time for states to follow in California’s footsteps and start creating legislation that protects consumers. 

A Quantum Leap: Washington Bets Big On “Hack-Proof” Technology to Secure Communications

By: Josh Cervantes

In the final weeks of 2018, Congress broke through an endemic gridlock and passed into law H.R.6227, better known as the National Quantum Initiative Act (NQIA). The NQIA signals the entry of the US into the nascent, but already contested field of quantum communications, and pits the US against its greatest strategic competitor, China. The European Union has also launched its own billion-euro program, dubbed the Quantum Flagship, further illustrating the urgency with which global powers are entering into the quantum communications arena.

Quantum communication is a field of applied quantum physics utilized in ultra-high security applications that offer unparalleled levels of data security, integrity, and intrusion detection. It allows enormous amounts of light photons, which are used to transmit data through fiber-optic cables, to assume multiple combinations of 0’s and 1’s simultaneously. The particles of 0’s and 1’s are called qubits, and their extremely fragile state means that if a hacker were to intercept the communications they would collapse and assume a value of either 0 or 1, showing that the data was tampered with. This contrasts with traditional data transmission, which uses values of either 0 or 1 to convey specific data, allowing hackers to more easily ascertain the content of a specific message. Continue reading “A Quantum Leap: Washington Bets Big On “Hack-Proof” Technology to Secure Communications”

ISPLS Announces its Second Annual Privacy Symposium

ISPLS’s biggest event of the year is officially announced. The Symposium on Government & Corporate Responsibility in a Data Driven World will be held Wednesday, March 20th from 9:00am – 3:00pm at the Washington College of Law in room NT01.

Stop by to hear from experts in the field of digital privacy.  Topics covered include Supply Chain Risk Management and Software component transparency; the use of Biometrics, and the Roles of Platforms in proper Data Governance.  Speakers include industry leaders from Consumer Advocacy Groups, Corporations, Government, Law Firms, and Think Tanks.

This is a great opportunity to hear from thought leaders and network with professionals.  Breakfast and Lunch will be provided.

Click here for more information Privacy Symposium

Cybersecurity and the Future of Medical Devices

By Soniya Shah

It’s no secret that attacks on the security of data and privacy are occurring with increasing frequency, which is alarming no matter what the data is. However, healthcare is one of the most frequently targeted sectors, and among those least equipped to handle when an attack happens, with data breaches that cost the industry about $5.6 billion a year. Particularly, attacks on medical devices pose a new concern in the Internet of Things world. Healthcare organizations have a higher sense of urgency is accessing their systems, since patient data can be time-sensitive. It’s creepy to think that a pacemaker or MRI scanner could be affected with malware. Malware software can do anything from deleting data to copying it, with a wide range of what can happen in between, including corrupting the data, extorting it, and modifying it. It’s easy to see why criminals would want to take advantage of this kind of information. Medical records contain the most intimate details about a person and that information can be used in identity theft. Continue reading “Cybersecurity and the Future of Medical Devices”

Digital Magic in the World of Disney

By:  Soniya Shah

It’s the happiest place on Earth. Until a data breach breaks the magic. Walt Disney was a pioneer of the future and all that it would bring. When designing Tomorrowland in Disney’s Magic Kingdom, engineers channeled the optimism Walt Disney felt for the future. With all his hope for the future of technology, it is hard to imagine Disney predicting data breaches. And yet that’s exactly what’s happened.

Continue reading “Digital Magic in the World of Disney”

Blog at

Up ↑