Keypoint: Last week, the FTC signaled an increased focus on COPPA enforcement, targeting education technology companies while California and federal lawmakers consider enacting new laws to regulate the processing of children’s data.
Over the past few months there has been a growing bipartisan consensus among lawmakers and regulators of the need for increased regulation around the processing of children’s data. In a sign of the significance of the issue, President Biden specifically addressed children’s data privacy in his State of the Union Address. As discussed below, recent actions by the Federal Trade Commission (the “Commission”) and lawmakers signal that companies processing children’s data should expect to see increased scrutiny.
FTC Signals Increased COPPA Enforcement Against Ed Tech Companies
The Commission announced in a public meeting held on Thursday, May 19 that it will prioritize the enforcement of the Children’s Online Privacy Protection Act (“COPPA”) as it applies to the use of education technology.
In the meeting, Commissioner Chair Lina M. Khan emphasized a renewed focus on the use, retention, and collection restrictions under COPPA, in addition to the notice and consent requirements. Following the meeting, the Commission issued a Policy Statement highlighting increased scrutiny of compliance “with the full breadth of the substantive prohibitions and requirements of the COPPA Rule and Statutory language.”
The Policy Statement specifically targets education technology companies. When the COVID-19 pandemic closed schools and forced remote learning for children, ed tech tools became a necessary part in a child participating in school-related activities. The Commission emphasized in its statement that “children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools.”
The Policy Statement provides that in investigating providers of ed tech and other covered online services, the Commission will focus on the following restrictions under COPPA:
- Prohibition Against Mandatory Collection: Companies must not condition participation in any activity on a child disclosing more information than is necessary for the child to participate in that activity. Companies cannot stop students from engaging in an ed tech activity if they do not provide information beyond what is reasonably necessary to administer the student’s participation in an activity. For example, if an ed tech company does not need to email students, it cannot condition a student’s access to schoolwork on the student providing an email address.
- Use Prohibitions: Companies are limited in how they can use the personal information they collect from children. For example, ed tech companies are prohibited from using information for commercial purposes such as marketing and advertising since these purposes are unrelated to the provision of school-requested online services.
- Retention Prohibitions: Companies must not retain personal information collected from a child for longer than is reasonably necessary to fulfill the purpose for which the company collected the information. For example, it is unreasonable for companies to retain children’s data for speculative future potential uses.
- Security Requirements: Companies must have procedures in place to maintain the confidentiality, security, and integrity of children’s personal information. Even absent a data breach, companies may violate COPPA if they lack reasonable security.
The Commission voted 5-0 to adopt the Policy Statement, indicating a willingness to protect children’s privacy extends across party lines. Commissioner Chair Lina M. Khan and Commissioners Alvaro Bedoya, Rebecca Kelly Slaughter, and Christine S. Wilson, issued statements on the matter. After last week’s confirmation of Commissioner Alvaro Bedoya, the Commission now has a three to two democrat majority.
The White House issued a statement commending the Commission for unanimously taking a step in the direction of strengthening privacy protections for children. This aligns with President Biden’s previous remarks in his State of the Union address emphasizing the need to strengthen privacy protections, ban targeted advertising on children, and demand technology companies stop collecting personal data from children.
Following the public meeting, the Commission announced that it will host a virtual event on October 19, 2022, to examine how to best protect children from manipulative marketing practices. The Commission plans to bring together researchers, child development and legal experts, consumer advocates, and industry professionals to examine the techniques companies use to advertise to children online and what protective measures can be taken. The Commission is seeking research papers and written comments to be submitted by July 18, 2022.
California Lawmakers Consider New Children’s Data Privacy Requirements
In California, lawmakers recently introduced Assembly Bill 2273 – California Age-Appropriate Design Code Act – to further protect children’s personal information. The bill requires businesses to maintain children’s personal information with the highest level of privacy possible and prohibits the use of personal information that could be harmful to the overall well-being and health of the child. Of note, the act defines a child as a consumer under 18 years of age.
California lawmakers also introduced Assembly Bill 2486, which establishes an Office for the Protection of Children Online within the California Privacy Protection Agency. The new office would be charged with “ensuring that digital media available to children in [California] are designed, provided, and accessed in a manner that duly protects the privacy, civil liberties, and mental and physical well being of children.”
California lawmakers have also introduced the Social Media Platform Duty to Children Act. The bill imposes on an operator of a social media platform a duty not to addict child users and prohibits a social media platform from addicting a child by certain means such as using or selling a child’s personal data.
The proposed bills would add to the growing state efforts to regulate children’s data. In a previous article, we analyzed how the California Privacy Rights Act, Colorado Privacy Act, and Virginia Consumer Data Protection Act all treat children’s data. Connecticut’s recently enacted privacy law also provides for additional children’s data privacy rights.
Proposed Federal Laws
In the federal government, there have been two approaches for tackling the issue of children’s data. One approach is to expand and update COPPA. Last May, Representative Castor introduced the Kids PRIVACY Act, which expands coverage to websites likely accessed by children and direct operators of such websites to ensure the best interest of children are a primary design consideration. Senator Markey’s Children and Teens’ Online Privacy Protection Act similarly overhauls COPPA by creating a new category of minors ages 13-15.
The second approach is to enact a separate piece of legislation to complement COPPA. Senator Blumenthal introduced the Kids Online Safety Act in February. The act requires covered entities to conduct annual risk audits and make opt-out systems the default preference for covered services. Additionally, social media platforms must prevent and mitigate harm to minors by limiting content promoting potentially harmful material.
Although COPPA is often considered a notice and consent regime, ed tech companies must pay particular attention to the substantive limitations on the use, retention, and collection of children’s personal information. The FTC will scrutinize ed tech companies unlike other companies that may engage in surveillance and the monetization of personal data. In addition to this new targeted scrutiny, companies may be subject to state privacy law requirements that should be take into consideration as well.