Senators Markey and Hawley Introduce Bill to Expand COPPA
As expected, 2019 is shaping up to be the year for privacy reforms, including possible amendments to the 20-year old Children's Online Privacy Protection Act (COPPA). Senators Edward Markey (D-Mass) and Josh Hawley (R-MO) have introduced legislation that would expand COPPA's scope to offer new protections to minors age 13-15, establish new limitations on collecting personal information on children and minors, and create a new division within the Federal Trade Commission (FTC) charged with overseeing marketing directed at children and minors, among other things.
The COPPA amendments do not create new rights of action (unlike the CCPA), nor do they alter the current preemption provision of COPPA which establishes that COPPA preempts inconsistent state laws.
Significant changes to COPPA would include:
- A new opt-in consent requirement for the collection of personal information from "minors" (defined as users between 13 and 15 years old), similar to the California Consumer Privacy Act (CCPA) in addition to protections for "children" under 13, per current law.
- An obligation on operators to create a mechanism that would allow a parent, if the user is a child, or a minor, to remove the child's or minor's personal information from an online service. Operators are prohibited from discontinuing service to that user (referred to by the Senators as an "erasure button").
- A ban on targeted marketing directed at children and minors.
- Revision of COPPA's "actual knowledge" standard governing data collection to "constructive knowledge" of covered operators. COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13, and websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Constructive knowledge means that covered operators are deemed to have knowledge that they are collecting or maintaining personal information from a child or minor, if, by reason of care and due diligence, they should have known that fact.
- A requirement for operators to explain the types of personal information collected online, how the information is used and disclosed, and information collection policies. COPPA already requires disclosure to parents, but application to minors is also similar to the CCPA.
- Strict cybersecurity requirements for internet connected devices aimed at children and minors.
- A new packaging requirement for manufacturers of connected devices targeted to children and minors to "prominently display" on their packaging a "privacy dashboard" that describes how personal information is collected, transmitted, retained, used, and protected.
- Creation of a Youth Privacy and Marketing Division within the FTC to oversee marketing directed towards children and minors.
Sen. Markey, the author of COPPA and the current bill to amend it, has been a vocal advocate in Congress for children's privacy. He is also one of the sponsors of the Children and Media Research Advancement (CAMRA) Act, introduced on February 26, 2019. This legislation would direct the National Institutes of Health to study the effect of technology and media on infants, children, and adolescents with regard to cognitive, physical, and socio-emotional development. According to the legislation, this research over the next few years would "investigate the impact of exposure to and use of media such as mobile devices, computers, social media, applications, websites, television, motion pictures, artificial intelligence, video games, and virtual and augmented reality."
Whether it makes sense to modify COPPA now, or await further research, may be an open question. For companies that have already implemented COPPA compliance policies, practicing privacy and security by design are already part of their business operations, but understanding the potential impacts on operations and data management procedures will be critical to both weigh in on the proposed legislation and to assess measures to comply if it goes forward.