Revisiting COPPA: How recent developments have shaped the discussions

By: Alvaro Marañon

While calls for comprehensive federal privacy legislation may continue to fall upon deaf ears, concerns about protecting children’s online privacy might have already been heard with talks of forthcoming regulatory change. Illustrating this shift, the Federal Trade Commission (FTC) welcomed comments on the effectiveness of the 2013 amendments to the Children’s Online Privacy Protection Act (COPPA). The amendments specifically updated the COPPA Rule to address the advances in mobile devices and social networking, and to expand the definition of personal information by including geolocation and persistent identifiers like cookies. More recently, the FTC held a public workshop to explore proposals to further update the COPPA Rule. This recent push has been propelled by two major developments over the past year: (1) the legislative proposal by Senator Markey titled “COPPA 2.0”; and (2) the  record-breaking FTC settlements for COPPA Rule violations.

In effect since 2000, COPPA creates a set of information privacy guidelines governing the collection, use, and access of personal information by operators of commercial websites or onlines services directed to children. These requirements are imposed upon companies if they have “actual knowledge” that they are collecting personal information from a child that is under 13 years old. Having a clear and detailed privacy policy, providing parents the opportunity to review the collected information, and requiring operators to protect the confidentiality, security, and integrity of any collected personal information are some of the main provisions. While numerous enforcements have been brought, legislative amendments have recently been proposed.

Last March, Senators Markey of Massachusetts and Hawley of Missouri announced a proposal to modify the existing scope and rules of COPPA. Among the various considerations, the bill  proposes to ban targeted advertising directed at children (defined as any user under 13), create a new division within the FTC to handle youth privacy and marketing, and modify the parental ability to view collected information by creating an “Eraser Button” that would permit the parent or user to delete their information. The bill also calls for a new and flexible cybersecurity standard for internet connected devices targeted towards children and minors (defined as any user between 13 to 15) by considering the sensitivity of information collected, the context in which it is collected, its security capabilities, and more.  

While the bill does well to account for  the interests between innovation and privacy, its outright ban of all targeted advertising of children, the changing of the “actual knowledge” standard to constructive, and the expansion of the disclosure requirement make it a highly problematic bill. 

The outright ban on all targeted advertising directed at children raises concerns for its overbreadth and encompassing of potentially beneficial ads. Secondly, changing the knowledge standard to a broader definition may seem beneficial on its face but is impractical with the inability to accurately determine one’s intended and actual audience. Lastly, these new requirements put operators in a difficult spot with their privacy and security policies. This “Eraser button” intends to improve privacy and security by requiring operators to gather more personal information and have it readily available for viewing by outside parties.  These two options, while well intended, run afoul to the policy trend for more data minimization and anonymization. Although these are just proposals, assessing its potential impact on practices and operations can help prepare for compliance costs and strategic planning for new entrants and incumbents. 

But what is the current state of COPPA? FTC Commissioner Wilson’s opening remarks at the recent COPPA workshop reiterated an important characteristic about the regulatory environment: the COPPA rule permits the FTC to keep pace with changes in technology, the development of new business models and data collection, and the manner in which children interact with these online services. This was demonstrated with the 2013 COPPA amendments, which was in response to the expansion of the smartphone market. The emergence of the Internet of Things (IoT) devices and the surge in platforms that host third-party content merits a reassessment of the current rules but whether to make any substantive changes is less clear. Looking at recent enforcement cases can help determine n if changes to the rules are needed. 

In February 2019, the FTC settled the then largest civil penalty for a COPPA violation when Musical.ly agreed pay $5.7 million for failing to seek parental consent before collecting personal information from users under 13 years old. Their application, TikTok, permitted users to upload short video clips on an interconnected platform where they could interact, comment, and directly message other users. 

In May 2019, three dating applications were removed from Apple’s and Google’s respective application store after the FTC alleged they violated COPPA by permitting users under 13 to access them. Although no fine resulted, the removal demonstrated the FTC’s ongoing supervision in this field. 

Lastly, in September 2019,  Google and YouTube settled to pay a record $170 million for the allegations by the FTC and the NY Attorney General that they had collected personal information from children without their parents’ consent. Specifically, the complaint alleged that through the use of cookies, YouTube had collected personal information from viewers of child-directed channels. Then YouTube used this information to deliver targeted ads to viewers of this channel. Despite the operators classifying themselves as general audience sites, the complaint focused on the operators failure to take action once they had notice of the channels directed at children. Importantly, COPPA does not require operators to determine if videos produced by third parties are directed to kids, but in light of this settlement, Google and YouTube have revised their advertising policies. 

While the FTC has brought COPPA enforcement in the past, this proceeding was differentiated by the severity of the fines. As noted by FTC Chairman Simmons, the civil penalty obtained against Google and YouTube was 10 times larger than all of the 31 prior COPPA cases combined. Aside from the financial implications, this settlement marked a pivotal point in COPPA enforcement by holding a platform liable for the content posted by a third party. 

These developments help indicate areas of consideration for regulators and stakeholders in this industry. First, there will be an increased reliance upon machine learning to catch violators and help identify child directed programs. Second, the lack of clarity regarding what the relevant factors are and what their respective role in the determination of child directed programming will lead to an increase in the creation of segmented “child-only” services. Lastly, a ban of all targeted advertisements directed at children could chill investment and lead various stakeholders to entirely abandon the market. While both  TikTok and YouTube announced initiatives to further fund, promote, and expand the services and content for their child specific channels, not all industry players may be capable of following suit.  

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: