ENTERPRISE | CONSUMER PRIVACY TIPS | DATA BREACHES & ALERTS | WHITEPAPERS

Summary of Latest Senate Bill to Amend COPPA

Senators Edward Markey (D-Mass) and Josh Hawley (R-Mo) introduced a bill to amend the Children’s Online Privacy Protection Act (COPPA) last week to expand the law’s protections to include children ages 13-15. It would also give children and parents the right to delete personal information (referred to in the media coverage as an “eraser button”) and make other changes to the law originally passed in 1998. A version of the bill has been introduced in the past few years but has not yet been adopted.

The proposed bill comes only a few weeks after the owner of video-sharing app TikTok was hit with a record fine of $5.7 million to settle allegations that it illegally collected children’s data. If an agreement happens this year on a new federal privacy law, there is a strong possibility that a version of these COPPA amendments could be added at some point to that legislation.

Here is a summary of the children’s privacy bill:

Data Collection – It would continue the current prohibition on data collection without parental consent under the age of 13 under a constructive knowledge standard rather than the current actual knowledge requirement. It would also add a ban on data collection for 13 to 15 year olds without the user’s consent. If a website or mobile app is directed at children, then each user shall be treated as a child or minor except as permitted by regulations developed by the FTC.

Eraser Button – To the extent technologically feasible, an operator would need to implement a mechanism to permit users to erase or eliminate submitted content that is publicly available and contains the personal information of children. It would also need to make users aware of how to exercise this ability.

Digital Marketing Bill of Rights for Minors – If an operator adopts and complies with the Fair Information Practices Principles described in section 4 of the bill, it is lawful for the operator of a website directed at minors or where they have constructive knowledge that the minor is a minor to collect personal information from the minor. Otherwise, it is a violation of the law for such data collection to occur.

Advertising – It would ban targeted marketing to kids. It bans data collection, use and disclosure of personal information if the website or app is directed to children or the child is a user and the operator has constructive knowledge they are a child.

Connected Device Privacy Dashboard – The manufacturer of a connected device directed at children would need packaging containing a privacy dashboard to display whether, what and how personal information of a child is collected, transmitted, retained by the device, retained by the manufacturer, used by the manufacturer, and protected. The connected device would need to inform a consumer of the extent to which it meets the highest data security and cybersecurity standards, including how to obtain security patches. It would also need to specify the extent it provides meaningful control to the parent or minor, its data minimization, the location of the privacy policy, the type of information collected, the minimum period before it will stop getting security patches and software updates, if it can be used without being connected to the internet, and other appropriate information specified by the FTC. The regulations would be required within one year and the requirements would take effect 180 days after their publication.

Connected Device Security – The security requirement would prohibit the sale of connected devices after enactment of regulations specifying the cybersecurity and data security standards. The regulations would be developed for different subsets of devices based on the degrees of risk, the sensitivity of the information, and the functionality of the device. The bill also specifies that the standards be consistent with the specified Fair Information Practice Principles, promote data minimization, and to the extent practicable, incorporate existing cybersecurity and data security standards.

Mobile App Study – The law requires the FTC to submit a report on the processes of mobile and online applications directed to children or minors and the processes they use to ensure COPPA compliance.

FTC Youth Privacy and Marketing Division – The bill would create the Youth Privacy and Marketing Division within the Federal Trade Commission. The division would be responsible for the new law, the privacy of children and minors, and marketing directed at them. The bill authorizes the Director of the division to hire adequate staff to carry out its duties and asks for an annual report on its work to the House Energy Committee and Senate Commerce Committee.

Enforcement

COPPA would continue to be enforced by the Federal Trade Commission under the FTC Act, except for certain carve outs for the appropriate agencies to regulate insured depository institutions, federal credit unions, air carriers, Federal land banks, an activities subject to the Packers and Stockyards Act. The bill specifies that violations are an unfair or deceptive act or practice and that civil penalties may exceed restrictions in section 5(m) of the FTC Act if found appropriate by the court to deter violations of the law. It also expressly authorizes penalties against first time offenders that violate the law.

A State attorney general may bring a civil action on behalf of the residents of the state to enjoin practices, enforce compliance, obtain damages or compensation, and obtain other appropriate relief. Where feasible, the State attorney general needs to provide written notice of the action and a copy of the complaint before filing. The FTC has the right to intervene in any action by a state.

The law would take effect 90 days from the date of enactment.

Summary of Latest Senate Bill to Amend COPPA

Contact

888-252-5653

About

Consumers

Businesses