Child Privacy Risk Poses New Challenges for GCs As Stricter Online Protections Take Effect

It’s a scary time to be a parent. In today’s digital world, it’s hard to know where kids are spending their time online and what to protect them from. It’s also a precarious time for corporate legal departments, which are now required to understand and comply with an evolving ecosystem of regulations protecting the privacy rights of children and their data.

To date, the Children’s Online Privacy Protection Act (COPPA), a federal law that regulates the online collection of personal information from children under the age of 13, has not posed a serious threat to most companies (except for publishers and enterprises with web properties or mobile apps specifically made for children under 13).

But now, two imminent structural changes are coming to COPPA, changes that will push all corporate counsel at all enterprises to revisit child privacy risk to remain compliant. After all, non-compliance with COPPA can result in hefty fines levied by the Federal Trade Commission (FTC), reputational damage, and potentially costly litigation.

In June alone, the FTC, in conjunction with the Department of Justice, filed proposed orders against Microsoft, Amazon, and others alleging COPPA violations.

In its current form, COPPA has language that makes exceptions for certain sites, like those that are not “directed at” children or don’t require “actual knowledge” that children under 13 are using the site. However, these exceptions are unlikely to survive if congressional efforts to tighten COPPA, such as The Kids Online Safety Act (KOSA), COPPA 2.0, and The American Data and Privacy and Protection Act (ADPPA) ultimately succeed. Consequently, enterprises will need to closely study the users of their sites and apps, and potentially add age gating.

Impending updates to COPPA also seek to raise the age of consent, from 13 to as high as 17, to protect a broader range of children — a structural change which will have an even bigger impact on corporations and legal departments. As a result, many high-traffic websites, apps, and games with many users aged 13 and older will need a major timely and costly operational overhaul to stay COPPA compliant.

Burgeoning state regulations typically include similar restrictions on child privacy, with varying ages of consent. For example, Utah recently signed a bill that prohibits children under 18 from using social media apps such as Tik Tok without parental consent.

DATA CHALLENGES OF STRICTER REGULATION

For legal departments, stricter regulations bring new data challenges. With the updates to COPPA, it’s not so much about what happens after consent has been gathered (from a minor, or a guardian if the child is under 13), assuming the enterprise is following generally accepted data practices. The choke point for child privacy will be determining the user’s age, then gathering the appropriate consent if underage for the privacy regulation covering the interaction.

To tackle this challenge, general counsel will need to choose a jurisdictional strategy — either applying state regulations where the user is located or adhering to regulations in the corporation’s operating state. Since children grow up, enterprises should also track a user’s age and treat them accordingly as they pass through the age of consent for the chosen jurisdiction.

To prepare for a future with stricter COPPA regulations and trickier privacy compliance management, enterprises should also do the following:

Audit their digital channels to identify where data is being gathered (website, mobile app, text message, email, etc.) and reduce data ingestion (sign-ups, marketing, tracking) wherever possible to reduce risk.

Implement flexible consent management systems that can handle age gating, parental notices, and other relevant forms of consent.

Foster collaborative relationships between legal/compliance, marketing, and IT to ensure the company is equipped to stay agile and tackle challenges as privacy laws evolve. Operational privacy compliance is complex and rarely works when it’s just a mandate from legal.

Through all these changes, enterprises and corporate counsel can’t forget about the most important implicated stakeholder: the user. While some companies deliberately make their privacy policies convoluted and hard to read as a defense tactic, privacy regulators (including the authors of COPPA) have encouraged the use of much more user-friendly privacy notices that cover key concerns without requiring technical legal background, like a nutritional label.

User-consent experiences that leverage these trust-building features will gain much higher consent uptake and create happier customers.