Yesterday, Rep. Kathy Castor (D-FL) introduced an updated version of the “Protecting the Information of our Vulnerable Children and Youth Act” (Kids PRIVCY Act), which would make broad changes the Children’s Online Privacy Protection Act (COPPA). Rep. Castor introduced a similar bill in early 2020, but it stalled alongside other proposals to overhaul the federal children’s privacy law last year.
Enacted in the late 1990s, COPPA applies only to certain personal information collected, used, or disclosed online from children under 13 years old. The PRIVCY Act would greatly expand COPPA’s scope in several ways. First, it would broaden the definition of personal information to include physical characteristics, biometric information, health information, education information, contents of messages and calls, and browsing and search history — and would apply the definition whether collected from the child or not. Second, it would create a new class of “teenagers” between the ages of 13 and 17 whose personal information would be subject to the bill’s requirements. While parental consent would still be required only for children under 13, teenagers themselves would have to provide opt-in consent before their personal information was collected, used, or shared online.
The PRIVCY Act also would significantly expand the scope of online sites and services that are subject to the law. Currently, COPPA applies only to sites or services that either are directed to children under 13 or have “actual knowledge” that they collect personal information from children under 13, which is a high bar to meet. Rep. Castor’s bill would expand the bill beyond child-directed sites and services to those that are “‘likely to be accessed by children or teenagers,” which means that “the possibility of more than a de minimis number of children or teenagers accessing the digital service is more probable than not.” Additionally, the PRIVCY Act would apply the notice and consent requirements to online sites and services that have actual or constructive knowledge that they “process” personal information about children or teenagers.
The bill doesn’t just expand the COPPA’s applicability — it also places new requirements on online sites and services. Significantly, the bill prohibits online sites and services from displaying targeted advertising to children and teenagers based on their behavior or personal information. The bill also provides for rights to access, correction, and deletion of children’s and teenagers’ personal information, and it imposes limits on the ability of operators to disclose personal information to third parties.
The PRIVCY Act incorporates certain features of the UK’s new Age Appropriate Design Code, including requiring operators to conduct Privacy and Security Impact Assessments and to make the “best interests” of children and teenagers a primary design consideration. The bill also requires operators to take a “risk-based approach” to determining the age of users on the site, directing the FTC to engage in rulemaking to help companies determine what are appropriate “age assurance” mechanisms.
Like its predecessor, the PRIVCY Act would repeal COPPA’s safe harbor provision, which enables covered operators to rely on a safe harbor if their privacy practices have been certified by FTC-approved organizations.
On the enforcement front, the PRIVCY Act would allow the FTC to pursue civil penalties that are 50 percent higher than the current maximum (a jump from $43,792 to $63,795 per violation) as well as punitive damages. Separately, it would create a private right of action that would allow parents to sue online sites and services for violations of the bill’s provisions.
Rep. Castor’s bill joins a growing number of proposals to update COPPA. In May, for example, Senators Markey and Cassidy introduced the Children and Teens’ Online Privacy Protection Act, which would expand COPPA to impose additional requirements on minors between the ages of 13 and 16, among other things.