On September 8, 2022, the Brazilian Data Protection Authority (“ANPD”) launched a public consultation on the processing of minors’ personal data (encompassing children under 12-years-old and adolescents between the ages of 12- and 18-years-old).  The consultation will conclude on October 7, 2022.  According to the ANPD, the purpose of the consultation is to resolve divergent interpretations among public authorities, academics, privacy professionals, and representatives of civil society regarding the Brazilian Data Protection Law’s (“LGPD”) provision on the processing of minors’ personal data (Article 14).  The Authority will use the feedback it receives to draw up guidelines on the topic and, possibly, amend the LGPD.

Continue Reading Brazil’s ANPD Launches Public Consultation on the Processing of Minors’ Personal Data

On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here).  These recommendations are based on relevant requirements

Today, the Federal Trade Commission (FTC) announced that it anticipates proposing a privacy rulemaking this month, with comments closing in August.  This announcement follows the agency’s statement in December that it planned to begin a rulemaking to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” 

On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides

On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule.  The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.

Continue Reading FTC Unanimously Adopts Policy Statement on Education Technology and COPPA

Last week, Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) introduced the bipartisan Kids Online Safety Act (“KOSA”), which would impose new safeguards, tools, and transparency requirements for minors online.  The bill applies to entities that are a “commercial software application or electronic service that connects to the internet and that is used, or is

2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.

Data Privacy Regulatory Enforcement Trends

Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.

An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent.  The allegations note that the app included a “Kids” category that was targeted to children.  The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.
Continue Reading 2021 Trends in Privacy Regulatory Enforcement and Litigation

One of every five people (20.5%) in Ireland are children under the age of 14.  This constitutes the highest proportion of children in the EU, where the average was 15.2% in 2019.  Ireland’s proportion of young people under the age of 30 is also the highest in the EU, at 39%.  It’s an influential figure for Irish policy makers and regulators, who have strengthened their approach to protection of children’s personal data in recent years.  This greater emphasis on children’s rights is due to a number of additional intersecting dynamics including EU law, child abuse scandals, a rise in cyberbullying, and a growing consensus that children face heightened digital risks.  These dynamics have also informed the planned establishment of an Online Safety Commissioner, currently advancing as part of the Online Safety and Media Regulation Bill just published and currently receiving strong media attention.

Together with the Irish DPC role as lead regulator for many leading technology and social media companies, these legal and cultural headwinds provide the context within which the DPC aims to develop strong child data protection standards.

Introduction

Following extensive public consultation, with experts as well as school children, the DPC has issued comprehensive guidance on the processing of children’s data.  Entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” the guidance sets out 14 principles (referred to as “the Fundamentals”) for organizations engaged in processing the personal data of children.

In addition to the usual GDPR expectations, the specific Fundamentals also include:

  • Zero interference with a child’s best interests, where organizations rely on legitimate interests as their legal basis for processing;
  • “Know your customer” requirements focusing on child-oriented transparency; and
  • Specific guidance around age verification and consent

The overall aim of the Fundamentals, in protecting the best interests of children, is to at least set a default floor of high standardised protection for all data subjects where children may form part of a mixed user audience.

Continue Reading Irish DPC Publishes Guidance On Processing Children’s Personal Data

On Episode 17 of Covington’s Inside Privacy Audiocast, Dan Cooper, Sam Choi, Danielle Kehl and Nick Shepherd discuss the developments related to children’s privacy, looking at relevant legislation, standards, and guidelines in the UK, the EU, and the U.S., and zooming in on some child-specific topics such as age thresholds and age verification,

On December 10th, the Federal Trade Commission (FTC) published a Statement of Regulatory Priorities that announced the agency’s intent to initiate rulemakings on issues such as privacy, security, algorithmic decision-making, and unfair methods of competition.
Continue Reading FTC Announces Regulatory Priorities for Both Privacy and Competition