May 26, 2020

May 26, 2020

Subscribe to Latest Legal News and Analysis

Senators Markey and Hawley Introduce Bill to Expand COPPA

As expected, 2019 is shaping up to be the year for privacy reforms, including possible amendments to the 20-year old Children's Online Privacy Protection Act (COPPA). Senators Edward Markey (D-Mass) and Josh Hawley (R-MO) have introduced legislation that would expand COPPA's scope to offer new protections to minors age 13-15, establish new limitations on collecting personal information on children and minors, and create a new division within the Federal Trade Commission (FTC) charged with overseeing marketing directed at children and minors, among other things.

The COPPA amendments do not create new rights of action (unlike the CCPA), nor do they alter the current preemption provision of COPPA which establishes that COPPA preempts inconsistent state laws.

Significant changes to COPPA would include:

  • A new opt-in consent requirement for the collection of personal information from "minors" (defined as users between 13 and 15 years old), similar to the California Consumer Privacy Act (CCPA) in addition to protections for "children" under 13, per current law.
  • An obligation on operators to create a mechanism that would allow a parent, if the user is a child, or a minor, to remove the child's or minor's personal information from an online service. Operators are prohibited from discontinuing service to that user (referred to by the Senators as an "erasure button").
  • A ban on targeted marketing directed at children and minors.
  • Revision of COPPA's "actual knowledge" standard governing data collection to "constructive knowledge" of covered operators. COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13, and websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Constructive knowledge means that covered operators are deemed to have knowledge that they are collecting or maintaining personal information from a child or minor, if, by reason of care and due diligence, they should have known that fact.
  • A requirement for operators to explain the types of personal information collected online, how the information is used and disclosed, and information collection policies. COPPA already requires disclosure to parents, but application to minors is also similar to the CCPA.
  • Strict cybersecurity requirements for internet connected devices aimed at children and minors.
  • A new packaging requirement for manufacturers of connected devices targeted to children and minors to "prominently display" on their packaging a "privacy dashboard" that describes how personal information is collected, transmitted, retained, used, and protected.
  • Creation of a Youth Privacy and Marketing Division within the FTC to oversee marketing directed towards children and minors.

Sen. Markey, the author of COPPA and the current bill to amend it, has been a vocal advocate in Congress for children's privacy. He is also one of the sponsors of the Children and Media Research Advancement (CAMRA) Act, introduced on February 26, 2019. This legislation would direct the National Institutes of Health to study the effect of technology and media on infants, children, and adolescents with regard to cognitive, physical, and socio-emotional development. According to the legislation, this research over the next few years would "investigate the impact of exposure to and use of media such as mobile devices, computers, social media, applications, websites, television, motion pictures, artificial intelligence, video games, and virtual and augmented reality."

Whether it makes sense to modify COPPA now, or await further research, may be an open question. For companies that have already implemented COPPA compliance policies, practicing privacy and security by design are already part of their business operations, but understanding the potential impacts on operations and data management procedures will be critical to both weigh in on the proposed legislation and to assess measures to comply if it goes forward.

© 2020 Keller and Heckman LLP


About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association