Key point: Organizations that collect personal data from children under 16 will need to ensure compliance with additional requirements once the laws go into effect.
This is the ninth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.
In this article, we examine how the three laws treat children’s personal data. The CPRA divides children into two groups: children under 13 and children ages 13-15. Consent is required to sell or share the information of both groups, but children in the latter group may provide that consent themselves, without a parent or guardian. In comparison, the VCDPA and CPA handle children’s data similarly to each other: both define a child as under 13 years old and include personal data of a child in the definition of sensitive data (for which consent is required to process). The VCDPA and CPA do not address the treatment of data for children ages 13-15.
In addition to these three state laws, California recently introduced a bill that would further regulate children’s personal data by creating additional obligations for companies collecting data of consumers under the age of 18. Momentum is also gathering for federal legislation that further regulates children’s online personal data, with several bills aiming to update the Children’s Online Privacy Protection Act (COPPA). In March, President Joe Biden addressed the importance of protecting children’s data in his State of the Union address. We provide an overview of these new bills in this article as well.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The CPRA retains the CCPA’s general approach to children’s data and places different requirements on businesses for consumers under the age of 13 and consumers ages 13-15.
Before analyzing the two categories, it is important to acknowledge that the CCPA/CPRA have a heightened knowledge requirement in contrast with COPPA. As explained in the Federal Trade Commission’s FAQs, COPPA applies to commercial websites or online services that are directed to children under 13 and to general audience websites or services if the operator has “actual knowledge” that it is collecting personal information from a child.
The CCPA/CPRA use the “actual knowledge” standard but also state that a “business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”
For consumers under 13, the CCPA provides that a business may not sell a consumer’s personal information without a parent or guardian’s affirmative authorization. The CPRA expands this restriction by requiring the affirmative authorization from a parent or guardian for any selling or sharing of personal information of consumers under 13.
Under the CCPA’s regulations, a business that has actual knowledge that it sells the personal information of a consumer under 13 shall establish a method for determining that the party providing the consent is the parent or guardian of the child. The regulations state this affirmative authorization is in addition to any verifiable parental consent requirement under COPPA. The CCPA outlines methods for making the determination that an individual has the right to provide consent on behalf of a child. These methods include but are not limited to:
- Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;
- Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
- Having a parent or guardian connect to trained personnel via video-conference;
- Having a parent or guardian communicate in person with trained personnel; and
- Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, as long as the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.
When a business receives affirmative authorization, the business shall inform the parent or guardian of the right to opt-out and the process for opting-out.
In addition to the right to opt-out, a parent or legal guardian may also submit a request to know or a request to delete personal information on behalf of their child under 13. A business shall establish a method, such as one of the methods outlined above, for confirming that the person submitting the request is the parent or guardian of the child.
For consumers ages 13-15, the CCPA requires the consumer (as opposed to a parent or guardian) to consent to the sale of their personal information. This is a two-step process whereby the consumer shall first clearly request to opt-in and then separately confirm their choice to opt-in. When a business receives a request to opt-in, the business shall inform the consumer of their right to opt-out and the process for opting-out. The CPRA again expands this obligation to require a consumer’s affirmative authorization for any selling or sharing of personal information.
Under the CCPA’s regulations, if a business exclusively offers goods or services directly to consumers under 16 and does not sell the personal information without affirmative authorization from either the parent or guardian (for consumers under 13) or the consumer (for consumers 13-15), then the business is not required to provide the notice of the right to opt-out.
The CCPA provides that if a business receives direction from a consumer not to sell their personal information, or in the case of consumers under 13, has not received consent from the parent or guardian, then the business is prohibited from selling the consumer’s personal information. The CPRA expands this restriction to the sharing of the consumer’s personal information as well. The CPRA also adds a new requirement that for any consumer under 16 who does not consent to the sale or sharing of their personal information, the business must wait at least 12 months, or until the consumer is 16 years of age, before requesting the consumer’s consent again.
Lastly, the CPRA increased administrative fines for children’s personal information. The CPRA allows for a $7,500 fine per violation for any violation of the act involving the personal information of children under 16. Previously, the CCPA reserved this penalty for intentional violations of the act only.
The California Privacy Protection Agency (CPPA) is tasked with issuing regulations establishing technical specifications for an opt-out preference signal that allows the consumer or the consumer’s parent or guardian to specify that the consumer is under 13 or is 13-15 years of age. The rulemaking process is ongoing, and in its September 2021 Invitation for Preliminary Comments on Proposed Rulemaking, the CPPA listed this topic among those on which it sought public comment.
Virginia Consumer Data Protection Act (VCDPA)
Unlike the CPRA, the VCDPA defines a child as “any natural person younger than 13 years of age.” Also, in contrast to California, the VCDPA defines sensitive data to include any “personal data collected from a known child.” Therefore, any personal data collected from a child will be subject to the requirements the VCDPA imposes on processing sensitive data. We analyzed how the VCDPA treats sensitive data in a prior article in this series.
In general, the VCDPA requires controllers to obtain consent to process sensitive data of a consumer and to conduct data protection assessments. In the case of processing a child’s sensitive data, the controller must process the sensitive data in accordance with COPPA. The VCDPA provides that controllers and processors that comply with the verifiable parental consent requirements under COPPA shall be compliant with the obligation to obtain parental consent under the act.
Similar to California, the VCDPA allows a “known” parent or legal guardian to invoke consumer rights on behalf of their child. The VCDPA expands this allowance to include any consumer right under the act.
Colorado Privacy Act (CPA)
The CPA’s treatment of children’s data is largely consistent with the VCDPA. For example, Colorado similarly defines a child as “an individual under thirteen years of age.” In addition, the CPA includes personal data from a known child in its definition of sensitive data.
However, there are two related differences between the VCDPA and the CPA’s treatment of children’s data. First, the CPA is not applicable to personal data regulated by COPPA when the data is collected, processed, and maintained in compliance with the law. Second, the CPA does not require controllers to process personal data of a child in accordance with COPPA (presumably because, as stated, the CPA is inapplicable to such data).
In the case of processing a child’s personal data, to the extent not covered by COPPA, the controller must obtain consent from the child’s parent or lawful guardian consistent with the general consent requirements under the CPA. For example, non-profits are excluded from COPPA but not the CPA.
California lawmakers recently introduced Assembly Bill 2273 – California Age-Appropriate Design Code Act – to further protect children’s personal information. Overall, it requires businesses to maintain children’s personal information with the highest level of privacy possible and prohibits the use of personal information that could be harmful to the overall well-being and health of the child. Of note, the act defines a child as a consumer under 18 years of age.
California lawmakers also introduced Assembly Bill 2486, which establishes an Office for the Protection of Children Online within the California Privacy Protection Agency. The new office would be charged with “ensuring that digital media available to children in [California] are designed, provided, and accessed in a manner that duly protects the privacy, civil liberties, and mental and physical well being of children.”
At the federal level, there have been two approaches to the issue of children’s data. One approach is to expand and update COPPA. Representative Castor introduced the Kids PRIVACY Act, which expands coverage to websites likely accessed by children and directs operators of such websites to ensure the best interests of children are a primary design consideration. Senator Markey’s Children and Teens’ Online Privacy Protection Act similarly overhauls COPPA by creating a new category of minors ages 13-15. We provided an overview of the act in a previous article.
The second approach is to enact a separate piece of legislation to complement COPPA. Senator Blumenthal introduced the Kids Online Safety Act in February. The act requires covered entities to conduct annual risk audits and make opt-out systems the default preference for covered services. Additionally, social media platforms must prevent and mitigate harm to minors by limiting content promoting potentially harmful material.
Consequences of the Variation
The CPRA primarily restricts the selling and sharing of children’s data, whereas the VCDPA and the CPA take a broader approach by including any personal data of a known child in their definitions of sensitive data. Although consent is required under all three laws, organizations must understand when consent must be collected and what methods to use to collect that consent under each law.