As part of our continuing coverage of the Congressional Privacy Bill, we provide below a deeper examination and explanation of Title II of the bill, the Do Not Track Kids Act of 2015. The Do Not Track Kids Act of 2015 amends the Children’s Online Privacy Protection Act (“COPPA”) by making its protections more expansive and robust. Specifically, the bill extends COPPA’s protections to teenagers, expands the scope of the entities subject to COPPA’s provisions, and imposes new obligations on those entities.
COPPA currently requires websites and online services that knowingly collect information from children under the age of 13 or that are targeted toward children under the age of 13 to make certain disclosures and obtain parental consent before collecting and using personally identifiable information obtained from children.
The bill extends COPPA’s provisions to teenagers by creating a new category of “minors,” defined to mean individuals over the age of 12 and under the age of 16. The bill clarifies that an operator of a website, online service, online application, or mobile application directed to children or minors must treat all users as children or minors for purposes of the bill, except as otherwise permitted by regulation.
The bill expands the scope of the entities subject to COPPA’s provisions by redefining the term “operator” to include operators of online and mobile applications. Currently, the term refers only to operators of Internet websites and online services. The bill applies this definition specifically to operators and providers of websites, services, or applications who collect or maintain personal information from or about their users, allow another person to collect such personal information, or allow users of such websites, services, or applications to publicly disclose personal information.
The bill also imposes a host of additional obligations on operators. It requires verifiable parental consent, under specified circumstances, for the collection, use, or disclosure of personal information of a child. Personal information includes certain online contact information collected in response to a specific request from a child when such information is used to contact a different child.
It also requires an operator of a website, online service, online application, or mobile application directed at children or minors, or an operator having actual knowledge that personal information being collected is from children or minors, to have verifiable parental consent (in the case of a child) or consent of a minor (in the case of a minor) before: (1) using, disclosing to third parties, or compiling personal information collected from children or minors for targeted marketing purposes; and (2) collecting geolocation information in a manner that violates other provisions of the bill.
Relatedly, the bill redefines “disclosure” to mean the release of personal information. Currently, the term means the release of personal information collected from a child in identifiable form.
The bill prohibits an operator from discontinuing service provided to a child or minor on the basis of a refusal—by the child’s parent or the minor—to permit the further use or maintenance in retrievable form, or future collection, of certain personal or geolocation information.
Notably, the bill contains an “eraser button” provision: It requires the Federal Trade Commission (“FTC”) to promulgate regulations that require operators to implement mechanisms that permit a user to erase content submitted by the user that is publicly available through the operator’s websites, services, or applications, and that contains or displays personal information of children or minors. Recently enacted legislation in California contains a similar “eraser button” provision, giving California minors the right to “remove content or information” that they submit to websites, online services, online applications, or mobile applications.
The bill also prohibits an operator of a website, online service or applications directed to minors from collecting personal information from minors unless the operator has adopted, and complies with, a Digital Marketing Bill of Rights for Teens that is consistent with the Fair Information Practices Principles the bill establishes. The Fair Information Practices Principles are the following:
- Collection limitation principle: Personal information should be collected from a minor only when collection of the personal information is (A) consistent with the context of a particular transaction or service or the relationship of the minor with the operator, including collection necessary to fulfill a transaction or provide a service requested by the minor; or (B) required or specifically authorized by law.
- Data quality principle: The personal information of a minor should be accurate, complete, and kept up-to-date to the extent necessary to fulfill the purposes described in the purpose specification principle.
- Purpose specification principle: The purposes for which personal information is collected should be specified to the minor not later than at the time of the collection of the information. Subsequent use or disclosure of the information should be limited to: (A) fulfillment of the transaction or service requested by the minor; (B) support for the internal operations of the website, service, or application, as described by FTC regulations; (C) compliance with legal process or other purposes expressly authorized under specific legal authority; or (D) other purposes that are specified in a notice to the minor and to which the minor has consented before the information is used or disclosed for some other purpose.
- Retention limitation principle: The personal information of a minor should not be retained for longer than is necessary to fulfill a transaction or provide a service requested by the minor or another purpose specified above. The operator should implement a reasonable and appropriate data disposal policy based on the nature and sensitivity of such personal information.
- Security safeguards principle: The personal information of a minor should be protected by reasonable and appropriate security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.
- Openness principle: The operator should maintain a general policy of openness about developments, practices, and policies with respect to the personal information of a minor. The operator should provide each minor using the website, online service, online application, or mobile application of the operator with a clear and prominent means to:
  - identify and contact the operator, by, at a minimum, disclosing, clearly and prominently, the identity of the operator and an appropriate address;
  - determine whether the operator possesses any personal information of the minor, the nature of such information, and the purpose for which the information was collected and is being retained;
  - obtain any personal information of the minor that is in the possession of the operator from the operator, or from a person specified by the operator, within a reasonable time after making the request, at a charge (if any) that is not excessive, in a reasonable manner, and in a form that is readily intelligible to the minor;
  - challenge the accuracy of personal information of the minor that is in the possession of the operator; and
  - if the minor establishes the inaccuracy of personal information, have such information erased, corrected, completed, or otherwise amended.
The bill makes clear, however, that nothing in this principle should be construed to permit an operator to erase or otherwise modify personal information requested by a law enforcement agency pursuant to legal authority.
- Individual participation principle: The operator should (A) obtain consent from a minor before using or disclosing the personal information of the minor for any purpose other than the purposes above and (B) obtain affirmative express consent from a minor before using or disclosing previously collected personal information of the minor for purposes that constitute a material change in practice from the original purposes specified.
The bill instructs the FTC to promulgate implementing regulations that further define the Fair Information Practices Principles.
Finally, the bill sets forth enforcement provisions for the FTC, other federal agencies, and states.