WHAT IS IT?
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) was passed into law by Congress in 1998. The Federal Trade Commission issued enforcement regulations, which became effective on April 21, 2000. COPPA protects the information about children by placing parents in control of what information businesses may collect. As described by the FTC’s website, COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a sweeping privacy law that outlines requirements for how businesses may collect and process data and information about consumers. The language of CCPA is fairly broad in terms of what kind of information requires compliance under CCPA, and what constitutes “sale” of data. The CCPA also includes strict enforcements mechanisms, including fines for violations ranging from $2,500-$7,500 per violation; and a private right of action for individuals whose privacy rights are violated under CCPA, with civil penalties ranging from $100-$700 per incident. The California Legislature passed the CCPA on June 28, 2018, and enforcement began on July 1, 2020.
WHO IS REQUIRED TO COMPLY?
COPPA applies to operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. (See More)
CCPA applies to for-profit businesses that collect, process, and maintain personal information about California residents, and meet any of the following criteria:
- Have annual gross revenues in excess of US$25 million;
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis;
- Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
(Click hereto see more)
RULES FOR PROTECTING MINORS
COPPA Rules for Minors
The FTC website describing COPPA compliance, lists the following steps to ensure compliance with protections for minors:
- Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
- Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
- Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
- Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
- Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
- Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement
CCPA Rules for Minors
The CCPA includes parental consent requirements consistent with COPPA for children under13 years of age. For children between ages 13-16, CCPA imposes new obligations to obtain opt-in consent from the child.Businesses will need to have reasonable processes in place to ensure that the person providing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian. Minors must also be able to opt in, and later, opt out, of the sale of their PI. Businesses should include these practices in their privacy policies. (Source: National Law Review).
WHAT IT MEANS FOR COMPLIANCE
Businesses that collect information about minors need to familiarize themselves with requirements and obligations under both COPPA and CCPA. It is important to note that complying with COPPA does notcover all areas of CCPA compliance. California’s CCPA requires that businesses take reasonable measures to ensure the individual authorizing consent for collection, processing, or sale of a minors’s data is actually the parent or legal guardian of that minor. This mechanism addresseshow easy it is for children to forge parental signatures and makes businesses accountable for the consent verification and opt-in/opt-out mechanisms they use.Under CCPA, businesses are also responsible for knowing the age of the individuals they collect information on, and cannot broadly claim ignorance about a consumer’s age since they are accountable for consent mechanisms. The non-discrimination provisions in CCPA may also discourage websites from asking users to declare theirage simply to avoid the compliance requirements for minors.