The newly introduced Children and Teens' Online Privacy
Protection Act (CTOPPA) is aimed at overhauling U.S. privacy rules
for children's data under the existing Children's Online
Privacy Protection Act (COPPA). The bill was proposed by Senators
Edward J. Markey (D-Mass.) and Bill Cassidy
(R-La.) on May 11, 2021. Among other changes, the Senators'
bill proposes:
- A prohibition on collecting personal information from 13-to-15-year-old users without their consent;
- Replacing COPPA's actual knowledge standard with a new "constructive knowledge" standard;
- A ban on targeted advertising directed at children; and
- A right of erasure that would allow parents and children to eliminate certain personal information from online platforms.
The bill also proposes a new Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).
Verifiable Consent Requirements Extended to Users
Younger Than 16
Expanding upon the existing rules for children younger than 13, the
proposed bill would introduce a new consent mechanism for teenagers
13 to 15 years of age (referred to in CTOPPA as
"minors"). Companies would be required to obtain
verifiable consent from such users in order to collect, use or
disclose their personal information. However, unlike children below
the age of 13 under COPPA, for whom consent must be obtained from a
parent or guardian, these teenagers can give their own consent.
Constructive Knowledge Standard
COPPA requirements currently apply to operators of online services
that have "actual knowledge" that they are
"collecting or maintaining personal information from a
child." CTOPPA would replace this actual knowledge standard
with a "constructive knowledge" standard. An operator
would be deemed to have constructive knowledge that data is being
collected from a child if that operator "directly or
indirectly collects, uses, profiles, buys, sells, classifies or
analyzes (using an algorithm or other form of data analytics)
data" about the ages of users or to determine whether an
online platform's content is directed to a particular age
range.
Constructive knowledge could also be inferred from data obtained through:
- Reports received under COPPA self-regulatory guidelines;
- Complaints from parents or third parties;
- Internal communications (such as documents about advertising practices, insertion orders, or promotional material to marketers);
- Publicly available information; or
- Communications to an ad network that content is intended for users of a particular age.
Ban on Targeted Advertising Directed at
Children
The proposed legislation would make it unlawful for an operator of
an online service "to use, disclose to third parties, or
compile personal information of a child for purposes of targeted
marketing if":
- The child is the user of a service, and that service's operator has constructive knowledge that personal information is being collected from children; or
- The service is directed to a child.
Targeted marketing of minors is permitted if the company has secured a minor's verifiable consent. Contextual advertising would not be affected by the proposed changes.
Right of Erasure
Online services must provide parents, children and minors with a
mechanism to "erase or otherwise eliminate content or
information" that they have provided to the service when such
content "contains or displays personal information of children
or minors" and the service has made it "publicly
available" through its platform. The erasure requirement does
not apply to content that is provided to the service by a third
party.
Proposal for a Youth Privacy and Marketing Division at
the FTC
CTOPPA calls for a new Youth Privacy and Marketing Division to be
established within the FTC, which would be responsible for
addressing "the privacy of children and minors" and
"marketing directed at children and minors." The Youth
Privacy and Marketing Division would be required to report annually
to House and Senate committees.
Other Provisions
The proposed bill also provides that:
- Companies must follow the well-established Fair Information Practices Principles (FIPPs), which include the principles of collection limitation, data quality, purpose specification, retention limitation, security safeguards, openness, individual participation, and prohibitions on racial and socioeconomic profiling;
- Online services which collect personal information from users 13-15 years old must adopt and comply with a "Digital Marketing Bill of Rights for Minors" based on the FIPPs listed above; and
- Internet connected devices targeted to children and minors must meet appropriate data security standards, and must prominently display an easy-to-understand privacy dashboard explaining how information is collected, transmitted, retained, used and protected.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
