COPPA

2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.

Data Privacy Regulatory Enforcement Trends

Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.

An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent.  The allegations note that the app included a “Kids” category that was targeted to children.  The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.
Continue Reading 2021 Trends in Privacy Regulatory Enforcement and Litigation

This week, Senators Ed Markey (D-Mass.) and Bill Cassidy (R-La.) introduced the Children and Teens’ Online Privacy Protection Act, which would update the Children’s Online Privacy Protection Act (COPPA).  COPPA is the comprehensive federal children’s privacy law enacted in 1998 that regulates the collection, use, and disclosure of personal information online from children under 13.
Continue Reading Senators Markey and Cassidy Introduce Bill to Update the Children’s Online Privacy Protection Act

The FTC recently updated Complying with COPPA: Frequently Asked Questions, the set of FAQs meant to provide informal guidance for complying with the Children’s Online Privacy Protection Act and the Commission-issued COPPA Rule.  In an accompanying blog post, the FTC staff emphasized that the revisions to the FAQs “don’t raise new policy issues” and that they were implemented primarily to streamline and reorganize the content “to make the document easier to use.”  While the new FAQs generally only reinforce concepts from recent key settlements, enforcement policy positions, and separately-issued regulatory guidance, some of the updates also provide helpful additional context around specific issues such as mixed audience sites and services, age gates, and common consent mechanisms.
Continue Reading Federal Trade Commission Updates, Streamlines COPPA FAQs

On March 5, Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Kids Internet Design and Safety (KIDS) Act.  The bill, which covers online platforms directed to children and teenagers under 16 years old, aims to curb the time spent by these minors on such platforms and could dramatically affect advertising and influencer content on kids’ channels.

The bill would prohibit platforms directed to minors from implementing features that encourage users to spend more time online, such as “auto-play” settings that automatically load a new video once the selected one finishes playing, push alerts that encourage users to engage with the platform, and the display of positive feedback received from other users.  It would also ban badges or other visual incentives and rewards based on engagement with the platform.

Additionally, the KIDS Act would prohibit platforms from recommending or amplifying certain content involving sexual, violent, or other adult material, including gambling or “other dangerous, abusive, exploitative, or wholly commercial content.”  The bill would require the implementation of a mechanism for users to report suspected violations of content requirements.
Continue Reading New Bill Seeks to Impose Design Restrictions on Kids’ Online Content and Marketing

On January 30, House Rep. Kathy Castor (D-FL) introduced the Protecting the Information of our Vulnerable Children and Youth (“PRIVCY”) Act, a bill that promises to be a significant overhaul of the Children’s Online Privacy Protection Act (“COPPA”).

Currently, COPPA applies only to personal information collected from children under 13 years old.  The PRIVCY Act would greatly expand COPPA’s scope by making any personal information – including biometric, geolocation, and inferred information, whether collected from the child or not – subject to the law’s requirements.  It also brings a new group of “young consumers” – individuals aged 12 to 18 years old – under the law’s umbrella.  The PRIVCY Act would obligate online sites and services that have actual or constructive knowledge that they “process” personal information about children or young consumers to provide notice to, and obtain consent from, those children’s parents or from those young consumers.  The bill also provides for rights to access, correction, and deletion of children’s and young consumers’ personal information, and it imposes limits on the ability of operators to disclose personal information to third parties.

Additionally, the privacy bill would completely repeal COPPA’s safe harbor provision, which enables covered operators to rely on a safe harbor if their privacy practices have been certified by FTC-approved organizations.  Currently, seven safe harbor organizations have been approved by the FTC.
Continue Reading Kids’ Privacy Bill Allowing for Private Suits Introduced in House

On October 22, 2019, the Federal Trade Commission reached a proposed settlement with the developer of three so-called “stalking” apps that enabled purchasers of the app to secretly monitor the mobile devices on which they were installed.  Developer Retina-X Studios, LLC and its owner James N. Johns marketed the three apps—MobileSpy, PhoneSheriff, and TeenShield—as a means to monitor children and employees by sharing detailed information about these individuals’ smart phone activities, including their text messages and GPS locations.  The FTC complaint alleges that the developer failed to ensure that the apps would be used for legitimate and lawful purposes, did not secure personal information collected from children and other users, and misrepresented the extent to which that information would be kept confidential.

While the FTC settlement represents its first case against developers of tracking apps, the complaint’s allegations rely on provisions of the FTC Act that are broadly applicable to companies that collect, store, and/or monitor users’ personal information, as well as the Children’s Online Privacy Protection Act (“COPPA”): 
Continue Reading FTC Reaches Settlement with Developer of Tracking Apps

Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.
Continue Reading FTC and Department of Education Announce Joint Workshop on FERPA and COPPA Compliance for Ed Tech

The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).

The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet.  The FTC’s 2013

Under the Children’s Online Privacy Protection Act (COPPA), operators of certain websites, mobile applications, and other online services must provide parents notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under the age of 13 online.  The FTC has approved a new facial-recognition based method to comply with COPPA,

By Megan L. Rodgers

What information is being collected by mobile apps and websites directed at kids? With whom is that information shared? What notice is provided to parents? Regulators in the U.S. and abroad continue to focus on these issues.

The FTC recently released a follow-up report on privacy notices in mobile apps directed at kids. The report follows two FTC kids’ app surveys released in February 2012 and December 2012, and a campaign by the FTC to bring all apps in compliance with the revised COPPA Rule by July 1, 2013.

How did mobile apps directed at children fare? The results were mixed. The FTC looked at hundreds of mobile apps and noted that there has been “a step in the right direction” since their last survey, but the FTC was careful to point out that “there’s more work to be done.” In December 2012, only 20% of apps had a link to a privacy policy available to parents before downloading the app; today, the number of apps with direct links to a privacy policy is 45%. Although this is an improvement, the FTC said that for many kids’ apps, parents still do not have an easy way to learn about data collection and usage practices.
Continue Reading Regulators in the U.S. and U.K. Monitoring Mobile Apps and Websites Directed at Children