Remember: When Creatively Engaging With Socially Distanced Kids, Be Sure to Avoid Creating COPPA or CCPA Compliance Concerns

With kids having been housebound 24/7 for weeks, and expected to remain so for the foreseeable future, many have resumed schooling remotely and are otherwise engaging online, through social media, and via web-based video-conferencing. And companies across a wide spectrum of interests and services have been creative in innovating how to meet these needs and to occupy idle youth during the pandemic. It is important, however—particularly with younger audiences—that these companies properly handle kids’ personal information which they may collect and/or use or disclose along the way. In particular, companies must ensure that they comply with the Children’s Online Privacy Protection Act (COPPA) and rules the Federal Trade Commission (FTC) maintains to implement it (the COPPA Rule). Additionally, if companies make online offerings available to kids who are California residents, they also must comply with the California Consumer Privacy Act (CCPA) and implement regulations proposed by the California Attorney General (the CCPA Proposed Regulations').

COPPA

COPPA and the COPPA Rule govern the online collection, use, and disclosure of personal information from children under 13 years old. Any operator of a website or online service directed to children under 13, or that has actual knowledge a given user is under 13 (regardless of the nature of the site or service), must obtain verifiable parental consent before collecting any personal information from the child as well as for the use and disclosure of it. Once an operator has the child’s name and/or online contact information and that of the parent, it must refrain from collecting additional personal information, or using or disclosing it, until parental consent is obtained, and it must discard the information if consent is not obtained within a reasonable time.

Under COPPA, “personal information” of a child under 13 means much more than just name, address, phone number, email address, social security number, and the like. It includes any online contact information that permits direct interaction with the child online, including screen names that allow for such contact as well as geolocation data sufficient to identify street name, city or town. It also includes any video or photo image, or audio file of the child’s voice, as well as “persistent identifiers”—such as a cookie, IP address, processor or device serial number, or unique device identifier—that can be used to recognize a user over time and across different websites or online services. Any other piece of information concerning the child or their parent(s) also qualifies, if it is collected from the child and combined with any of the foregoing. Additionally, “collecting” this personal information under COPPA includes not only when the child affirmatively enters or provides it, but also passive collection or tracking.

If the operator of a website or online service directed to children under 13, or with actual knowledge a user is under 13, needs or wishes to collect the child’s personal information, the operator must obtain verifiable parental consent using means specified in the COPPA Rule. The operator must also have a children’s privacy policy accurately describing its collection, use, and disclosure practices with respect to children’s personal information and must give parents direct notice of the policy as part of the verifiable consent process.

The FTC’s rules and policies also provide exceptions to the verifiable parental consent requirement and specify circumstances under which less stringent or more demanding forms of verifiable consent may be required. The operator must also enable parents to withdraw consent, review their children’s information, and have the information deleted upon request. All children’s personal information must be properly secured, using reasonable measures to prevent unauthorized access, and deleted when no longer necessary to fulfill the purpose for which the website or online service collected it.

CCPA

If a company processes the personal information of California residents and meets certain threshold requirements, it must also comply with the CCPA and the CCPA Proposed Regulations (which are not yet finalized). Therefore, businesses subject to both COPPA and the CCPA must be aware of the potential scenario that some data will be subject to the CCPA even if not subject to COPPA. The CCPA requires businesses to give California residents transparency about their personal information processing activities and rights to access, delete, and opt out of the sale of their personal information. Unlike COPPA, the CCPA is not primarily intended to protect children online, but it has specific requirements for children under 16.

Sales Opt-In Requirements

The CCPA requires a business, having actual knowledge a given user is under 16 years old, to obtain affirmative consent before “selling” that user’s personal information—and a business that willfully disregards the user’s age is deemed to have actual knowledge. A “sale” under the CCPA occurs any time a business provides personal information to a third party in exchange for monetary or other valuable consideration, whether by transfer, disclosure, provision of access, or like method. (However, it does not include provision of personal information to co-branded corporate affiliates, or to service providers with whom the business has a written contract that restricts their use of the personal information beyond the scope of the agreement in accordance with the CCPA’s requirements.)

Notably, opt-in consent for “sales” of personal information under the CCPA must be obtained in addition to any verifiable parental consent required under COPPA, though it may be possible to design a single consent framework to obtain consent under both statutes just once since their requirements are not mutually exclusive. A parent or guardian must opt in to sales on behalf of children who are under 13, but children between 13 and 15 may opt in on their own behalf. The CCPA Proposed Regulations provide guidance and specific requirements for the opt-in process. A business with actual knowledge that it sells the personal information of minors under 16 must state that fact in its privacy policy and include a description of the opt-in process.

The CCPA’s definition of “personal information” is quite expansive, covering non-publicly available information that relates to, describes, reasonably can be associated with, or could be reasonably linked to, directly or indirectly, a particular individual or household. In contrast, COPPA’s definition of personal information is a small subset of the CCPA’s definition; therefore, businesses subject to both statutes must be aware of the potential scenario that some data subject to the CCPA is not subject to COPPA. The CCPA provides a lengthy list of categories and specific types of information that fall within its scope, which includes “identifiers” such as real name, user name, contact information, online identifiers and unique personal identifiers, and IP address; internet or network activity information, such as browsing and search history and interaction data; and audio, electronic, and other multimedia information. It also includes education information insofar as that information meets the definition of non publicly available “personally identifiable information” under the Family Educational Rights and Privacy Act (“FERPA”), so for-profit educational institutions should examine their obligations under the CCPA and FERPA.

“Collecting” is also broadly defined as a business’ acquiring any personal information about a California resident by any means. This covers information provided directly by the individual, but also information that is collected passively or through tracking, or received from a corporate affiliate, service provider, or other third party.

The CCPA Proposed Regulations also set forth specific process requirements for businesses in connection with individuals’ rights to request to know, access, delete, and opt in or out of sales of personal information relating to minors. Businesses must establish a “reasonable method” for verifying that an adult exercising these rights on behalf of a minor is, in fact, the parent or guardian of the minor in question. In the case of a request to delete or access specific pieces of personal information relating to a household—that is, a person or group of people who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier—which contains members under age 13, businesses must obtain verifiable parental consent before complying with any such request.

Bottom Line

Those engaging in new online outreach and engagement efforts involving kids during the COVID-19 pandemic should carefully assess whether their offerings are directed at children under 13 and/or under 16 (in full, or for a substantial subset of its audience); whether they have actual knowledge that their users fall into this demographic; and whether the offerings involve the collection (and use and/or disclosure or sale) of kids’ personal information.

If so, such entities should ensure they understand the COPPA and CCPA requirements and rules and have compliance measures in place. The respective enforcement arms—the FTC for COPPA, and the California Attorney General for CCPA—take compliance seriously, and are concerned with protecting children’s privacy in general. As such, this subject should be top of mind as innovative engagement efforts with homebound kids move forward.

The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.

DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at www.dwt.com/COVID-19.

This article was originally featured as a privacy and security advisory on DWT.com on April 9, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.