The Bottom Line
- Lawmakers have been discussing updates to COPPA for years, and the proposed CTOPPA may finally accomplish that goal. The bill raises the age for consent from 13 to 15, changes COPPA’s knowledge standard, and bans targeted advertising to children.
- If the bill becomes law, marketers will need to adapt to these new data collection and use requirements.
The newly introduced Children and Teens’ Online Privacy Protection Act (CTOPPA) is aimed at overhauling U.S. privacy rules for children’s data under the existing Children’s Online Privacy Protection Act (COPPA). The bill was proposed by Senators Edward J. Markey (D-Mass.) and Bill Cassidy (R-La.) on May 11, 2021. Among other changes, the Senators’ bill proposes:
- A prohibition on collecting personal information from 13-to-15-year-old users without their consent;
- Replacing COPPA’s actual knowledge standard with a new “constructive knowledge” standard;
- A ban on targeted advertising directed at children; and
- A right of erasure that would allow parents and children to eliminate certain personal information from online platforms.
The bill also proposes a new Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).
Verifiable Consent Requirements Extended to Users Younger Than 16
Expanding upon the existing rules for children younger than 13, the proposed bill would introduce a new consent mechanism for teenagers 13 to 15 years of age (referred to in CTOPPA as “minors”). Companies would be required to obtain verifiable consent from such users in order to collect, use or disclose their personal information. However, unlike children below the age of 13 under COPPA, for whom consent must be obtained from a parent or guardian, these teenagers can give their own consent.
Constructive Knowledge Standard
COPPA requirements currently apply to operators of online services that have “actual knowledge” that they are “collecting or maintaining personal information from a child.” CTOPPA would replace this actual knowledge standard with a “constructive knowledge” standard. An operator would be deemed to have constructive knowledge that data is being collected from a child if that operator “directly or indirectly collects, uses, profiles, buys, sells, classifies or analyzes (using an algorithm or other form of data analytics) data” about the ages of users or to determine whether an online platform’s content is directed to a particular age range.
Constructive knowledge could also be inferred from data obtained through:
- Reports received under COPPA self-regulatory guidelines;
- Complaints from parents or third parties;
- Internal communications (such as documents about advertising practices, insertion orders, or promotional material to marketers);
- Publicly available information; or
- Communications to an ad network that content is intended for users of a particular age.
Ban on Targeted Advertising Directed at Children
The proposed legislation would make it unlawful for an operator of an online service “to use, disclose to third parties, or compile personal information of a child for purposes of targeted marketing if”:
- The child is the user of a service, and that service’s operator has constructive knowledge that personal information is being collected from children; or
- The service is directed to a child.
Targeted marketing of minors is permitted if the company has secured a minor’s verifiable consent. Contextual advertising would not be affected by the proposed changes.
Right of Erasure
Online services must provide parents, children and minors with a mechanism to “erase or otherwise eliminate content or information” that they have provided to the service when such content “contains or displays personal information of children or minors” and the service has made it “publicly available” through its platform. The erasure requirement does not apply to content that is provided to the service by a third party.
Proposal for a Youth Privacy and Marketing Division at the FTC
CTOPPA calls for a new Youth Privacy and Marketing Division to be established within the FTC, which would be responsible for addressing “the privacy of children and minors” and “marketing directed at children and minors.” The Youth Privacy and Marketing Division would be required to report annually to House and Senate committees.
The proposed bill also provides that:
- Companies must follow the well-established Fair Information Practices Principles (FIPPs), which include the principles of collection limitation, data quality, purpose specification, retention limitation, security safeguards, openness, individual participation, and prohibitions on racial and socioeconomic profiling;
- Online services which collect personal information from users 13-15 years old must adopt and comply with a “Digital Marketing Bill of Rights for Minors” based on the FIPPs listed above; and
- Internet connected devices targeted to children and minors must meet appropriate data security standards, and must prominently display an easy-to-understand privacy dashboard explaining how information is collected, transmitted, retained, used and protected.