Representative Kathy Castor (D-FL) has introduced the Protecting the Information of Our Vulnerable Children and Youth Act (PRIVCY ACT), which is a significant rewrite of the Children’s Online Privacy Protection Act (COPPA). In so doing, the bill expands the scope of COPPA’s protections and creates new enforcement mechanisms. The children’s advocacy groups Common Sense Media and the Campaign for a Commercial-Free Childhood have come out in public support of the bill, as has the privacy advocacy group the Center for Digital Democracy.
Rep. Castor introduced her bill in the midst of ongoing negotiations between Democratic and Republican staff of the House Energy & Commerce Committee on a larger, bipartisan, federal privacy bill. In December, committee staff circulated a bipartisan staff draft, seeking stakeholder comments, which we analyzed here. The deadline for filing comments has passed, and committee staff is reportedly sifting through and digesting those comments. The draft bill has numerous bracketed provisions, indicating that staff have yet to agree on the substance of those provisions, and they remain unresolved. Among the bracketed provisions is “Children’s Privacy”. The PRIVCY ACT, as well as other children’s privacy bills, such as those introduced by Reps. Bobby Rush (D-IL) and Tim Walberg (R-MI), will likely play a significant role in determining the parameters and policy substance of that bracketed section.
Like COPPA, the PRIVCY Act requires opt-in “verifiable consent” as a condition for covered entities to proceed with the collection and use of children’s data. COPPA currently applies to children ages 12 and under; the PRIVCY Act creates a new class of protected youth, “young consumers” ages 13 to 17, that are afforded the protections of the bill. Furthermore, unlike COPPA, the PRIVCY Act applies to both the online and offline worlds. The bill applies to any covered entity under the Federal Trade Commission’s (FTC) jurisdiction, as well as common carriers and non-profit organizations (which are currently carved out under the FTC Act). The bill also covers an extensive list of covered information, online and offline, which COPPA does not necessarily cover now. Therefore, it is likely that many covered entities that are not currently under COPPA’s purview but are currently holding and processing children’s and young consumers’ information would be subject to the requirements of the bill.
Under the bill, a covered entity “that has actual or constructive knowledge” that it is “processing” the information of a young consumer (13-17) or child (12 and under) must seek “verifiable consent” from the young consumer or the child’s parent to engage in that processing. Verifiable consent entails “express, affirmative consent… that is specific, informed and unambiguous”. Given that the PRIVCY Act’s definition of “process” includes not only the acts of collecting, creating and obtaining, but also those of storing, retaining and using, the bill would not only require covered entities going forward to seek consent before collecting and using information, but would also likely require certain covered entities that already possess covered information to seek the new required consent.
For instance, if a data broker has actual or constructive knowledge that it has information on a 12-year-old child, the data broker must seek the verifiable consent of the child’s parent in order to keep that information. The data broker must seek and gain this consent regardless of whether it lawfully obtained this information without parental consent under COPPA. This appears to also hold true for covered entities that collected information with parental consent under COPPA. For example, if a mobile application for kids sought and received parental permission to collect user data on a 12-year-old child, that app developer will likely have to go back and receive consent from the parent of that user – or, if the user is now 13 years or older, from the young consumer – under the PRIVCY ACT’s new verifiable consent requirement. Significantly, the bill also prohibits covered entities from withholding or diminishing services to children or young consumers based on that consent, and from creating financial incentives for consumers to provide consent.
The PRIVCY Act directs the FTC to promulgate a series of rules under section 553 of the Administrative Procedure Act (APA) to effectuate these and other requirements. In so doing, the Commission will likely be tasked with codifying in regulation what constitutes “actual or constructive knowledge” that would trigger the bill’s consent obligations; the agency will also likely have to clarify how verifiable consent shall meet the “specific, informed and unambiguous” standard. As noted earlier, COPPA currently affects a narrower universe of online covered entities. Under the FTC’s “COPPA Rule” (promulgated pursuant to the Act and as amended in 2013), the “operator of a website or online service directed at children” (12 or under) must obtain verifiable parental consent before collecting information on a child. The same holds true of a website or online service “that has actual knowledge that it is collecting personal information from a child”. The PRIVCY Act’s new threshold for covered entities that have “constructive” knowledge that they process covered information would likely be a critical portion of the FTC’s rule. It’s worth noting that the FTC is currently reviewing the COPPA Rule for possible revisions, including its standard for actual knowledge.
The PRIVCY ACT allows for covered entities to proceed with processing children’s and young consumers’ information without verifiable consent if the data is de-identified and under other codified specific circumstances, such as the one-time use of contact information to reply to a request from a child or young consumer.
Under the bill, covered entities are required to develop and make available machine-readable privacy policies that are “clear, easily understood, and written in plain and concise language”. These privacy policies will inform consumers’ consent (or non-consent) and must include data practices such as categories of collected information, sources and use of that information, third party transfers, and data retention policies. The PRIVCY Act prohibits covered entities from using covered information for targeted advertising purposes, places restrictions on the transfer of that information to third parties, and requires covered entities to adopt “reasonable security policies, practices and procedures” with regard to the covered information they hold. The bill also requires covered entities to allow consumers to access, correct, and delete their stored information, similar to the rights provided to European Union citizens under the General Data Protection Regulation (GDPR). All of these provisions are subject to FTC rulemakings.
The PRIVCY Act also significantly alters COPPA’s existing enforcement regimen. The bill establishes a private right of action and prohibits the use of arbitration provisions in contracts. The bill beefs up the FTC’s existing enforcement authority under COPPA by increasing the cap on civil penalties by 50 percent per individual violation and further provides the Commission with the authority to seek punitive damages. Lastly, the bill also eliminates COPPA’s Safe Harbor provision, which allows covered entities to establish and abide by Commission-approved self-regulatory guidelines certified by third parties.