California: COPPA v. CAADC - strength lies in knowing the differences
The breadth of the CAADC may sweep in many online services, products, and features (CAADC Online Services) that are now considered outside the scope of COPPA. These may include: children's websites that do not collect personal information; websites directed toward teens; and general audience sites that are routinely accessed by a significant number of children. In addition, the CAADC's requirements for compliance are much broader than COPPA because the CAADC focuses not only on the use and collection of personal information but also how the design of a CAADC Online Service may harm a child. Due to the breadth of the CAADC, even though businesses have over a year before the law is effective, they should consider determining how this law may affect their business as soon as possible. To help businesses determine how to comply with the CAADC, below is a list of the differences between COPPA and the CAADC.
The primary goal of COPPA is to place parents in control of the information that is collected from their children.
The goal of the CAADC is broader than COPPA. While it is possible that parents may have control over the information that is collected from children under the CAADC, its primary focus is the overall safety and well-being of children while online.
The original COPPA rule became effective on 21 April 2000. Then, an amended rule took effect on 1 July 2013.
The CAADC will become effective on 1 July 2024.
Types of websites
COPPA applies to online services that are directed to children under the age of 13 and online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
To determine whether an online service is directed towards children, COPPA considers the following factors:
Please note that the 'collection' of information under COPPA is defined broadly and includes requesting, prompting, or encouraging a child to submit personal information online.
The CAADC covers online products, services, and features (CAADC Online Services) that are likely to be accessed by children. Under the CAADC, a CAADC Online Service is likely to be accessed by children if it is reasonable to expect that the CAADC Online Service would be accessed by children. The factors reviewed to make this determination are broader than COPPA. Not only does the CAADC include COPPA's directed to children factors, but it also includes any CAADC Online Service that has a 'significant' audience of children and any CAADC Online Service that is substantially similar to another online service, product, or feature that is routinely accessed by a 'significant' number of children. 'Significant' is not defined in the CAADC and, therefore, it is difficult to determine which sites will have to comply with the CAADC at this time.
Below is a list of indicators considered when determining whether children are likely to access a CAADC Online Service:
Types of operators
COPPA applies to operators of commercial websites and online services (including mobile apps and Internet of Things devices). COPPA does not apply to online services run by not for profits.
Only businesses that meet the CPRA business thresholds must comply with the CAADC. To comply with the CAADC, you must be a for-profit organisation, doing business in California, use the personal data of California residents and meet at least one of the following criteria:
Similar to COPPA, the CAADC does not apply to online services.
Children under the age of 13.
While COPPA does not apply to minors 13-17, the FTC has previously stated that it is concerned about teen privacy and does believe that 'strong, more flexible protections may be appropriate for this age group'. More recently, the Federal Trade Commission ('FTC') has arguably granted these protections to teens under its Section 5 powers in a settlement with a gaming company.
Consumers under the age of 18.
COPPA is triggered by the collection of personal information from children.
The CAADC does not have a triggering event. All CAADC Online Services that are likely to be accessed by children must comply with the CAADC.
What is personal information?
COPPA defines personal information to include the following:
Personal information under CAADC uses the same definition in Section 1798.140 of the California Privacy Rights Act of 2020. This definition arguably is broader than COPPA. Below is a list of differences:
Privacy tools that must be provided for parents
Online service providers must provide a mechanism for parents to: review a child's personal information; have the child's personal information deleted; and refuse to permit its further collection or use.
The CAADC requires that a CAADC Online Service provide prominent, accessible, and responsive tools to help children, or if applicable, their parents or guardians, exercise their privacy rights and report concerns. The types of tools required are not defined by the CAADC.
These same requirements also apply to all terms of service, community standards, and any other policies provided as part of the CAADC Online Service.
Age estimator/age gate
COPPA does not require websites to estimate the ages of users. However, COPPA does allow websites to use age gates to stop children from accessing areas of the online service where personal information is being collected.
The CAADC requires businesses to estimate the age of child users with a reasonable level of certainty. If the business is unable to do this, then the business will have to provide the privacy and data protections afforded to children to all consumers. To avoid having to provide these privacy protections to all consumers, businesses may have to consider having age gates to determine ages for any CAADC Online Service that is likely to be accessed by children.
Default privacy settings
The CAADC requires that CAADC Online Services that are likely to be accessed by children configure all default privacy settings provided to children at the highest level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.
Monitoring of child by the parent or guardian
If the CAADC allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track the child's location, the business must provide an obvious signal to the child when the child is being monitored or tracked.
Businesses that are tracking activity in the background of an application will need to consider how they will communicate this signal to end users.
Protecting a child's physical health, mental health, and wellbeing
The CAADC prohibits businesses from using personal information in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or wellbeing of a child.
The CAADC prohibits the profiling of a child by default unless both of the following criteria are met:
Precise geolocation information only can be collected with verifiable parental consent.
Businesses cannot collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the business to provide the CAADC Online Service requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the CAADC Online Service.
In addition, businesses must provide an obvious sign to the child for the duration of the collection of the precise geolocation information.
Data Protection Impact Assessment ('DPIA')
Businesses are required to conduct a DPIA before any new CAADC Online Service is offered to the public. Then, businesses must continuously review all DPIAs every other year.
Specifically, the DPIA must identify the purpose of the online product or service, how it uses information, and the risks of material detriment to children that arise from the business's data management practices, by analysing whether the online product or service could do any of the following:
Businesses cannot use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature, to forego privacy protections, or to take any action that the business knows or has reason to know is materially detrimental to a child's physical health, mental health, or wellbeing.
Limitations on collection
Subject to limited exceptions, online service providers can only collect personal information from children after receiving verifiable parental consent.
While the CAADC does not require verifiable parental consent, it does state that businesses should not collect, sell, share, or retain any personal information that is not necessary to provide the CAADC Online Service.
COPPA gives states and certain federal agencies authority to enforce compliance. Under FTC enforcement, a court can hold operators who violate COPPA liable for civil penalties of up to $50,120 per violation. The amount of civil penalties the FTC seeks will depend on the type of violation.
Any violation of the CAADC is subject to an injunction and liable for a civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation, if the violation is not cured within a 90-day period. While the penalties are limited to each child, it is possible that there are multiple violations per child, which could greatly increase the number of penalties imposed on businesses. The CAADC does not include a private right of action. The California Attorney General has exclusive jurisdiction to enforce the law.
Potential future of these laws
Several new federal privacy bills have been introduced in 2022 and 2023 which will potentially overhaul COPPA. However, until that happens, it appears that the FTC is attempting to expand its powers to protect the privacy of minors under the age of 18 through its Section 5 powers.
The future of the CAADC is murky. As part of the law, the CAADC created the California Children's Data Protection Working Group, which is supposed to further develop the law to answer many of the outstanding questions children's privacy professionals have about the implementation of this law.
In the meantime, a conglomerate of technology companies is attempting to strike down the CAADC as unconstitutional. This challenge is in the beginning stages, and we may not have resolution before the 1 July 2024 effective date.
Nerissa Coyle McGinn Partner
Loeb & Loeb LLP, Chicago