Congress enacted the Children’s Online Privacy Protection Act in 1998, but left the implementation of the law to the FTC despite numerous criticisms. While proposed amendments to COPPA have come and gone through the years, no substantive changes have been enacted. This may be about to change with the potential passage of the Do Not Track Kids Act of 2015.
The Do Not Track Kids Act of 2015 is an amendment to COPPA contained within a broader piece of legislation known as the Commercial Privacy Bill of Rights Act of 2015. Sen. Robert Menendez [D-NJ] introduced the new bill to the Senate on February 24, 2015. The stated purpose of the bill is:
“To establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, to amend the Children’s Online Privacy Protection Act of 1998 to improve provisions relating to collection, use, and disclosure of personal information of children, and for other purposes.”
You can view the legislation here. The COPPA amendments are found in Title II of the Bill.
New Age Provisions
Critics often attack COPPA over the odd “under 13” age provision. As currently written, online properties directed at children under 13 must first obtain verified parental consent from parents before collecting personal information from those children. Sites directed at older teens, including mere 13-year-olds? No consent is required.
Logically, it seems rather odd the original drafters of the law felt 12-year-olds require so much protection while 13-year-old individuals do not. Is the decision-making ability of a 13-year-old really that much better than a 12-year-old? COPPA proponents have mumbled various supporting arguments for years, but few carry much weight.
The Do Not Track Kids Act of 2015 tacitly takes the side of critics on the age issue. While the “under 13” age designation remains, the legislation adds a new category of COPPA compliance for “minors” older than 12 and younger than 16. [Sec. 203(a)(1).]
The new “minors” category does not require the online operator to obtain verified consent from parents prior to collecting or using information from a minor as defined in the amendment. Instead, consent must be obtained from the minor prior to using their information for targeted marketing purposes. However, the collection of information from minors [13 to 15] is only allowed if the operator adopts and complies with the Fair Information Practices Principles described in subsection (b).
And here come the vague and burdensome provisions:
(b) Fair Information Practices Principles.—The Fair Information Practices Principles described in this subsection are the following:
(1) COLLECTION LIMITATION PRINCIPLE.—Except as provided in paragraph (3), personal information should be collected from a minor only when collection of the personal information is—
(A) consistent with the context of a particular transaction or service or the relationship of the minor with the operator, including collection necessary to fulfill a transaction or provide a service requested by the minor; or
(B) required or specifically authorized by law.
(2) DATA QUALITY PRINCIPLE.—The personal information of a minor should be accurate, complete, and kept up-to-date to the extent necessary to fulfill the purposes described in subparagraphs (A) through (D) of paragraph (3).
(3) PURPOSE SPECIFICATION PRINCIPLE.—The purposes for which personal information is collected should be specified to the minor not later than at the time of the collection of the information. The subsequent use or disclosure of the information should be limited to—
(A) fulfillment of the transaction or service requested by the minor;
(B) support for the internal operations of the website, service, or application, as described in section 312.2 of title 16, Code of Federal Regulations;
(C) compliance with legal process or other purposes expressly authorized under specific legal authority; or
(D) other purposes—
(i) that are specified in a notice to the minor; and
(ii) to which the minor has consented under paragraph (7) before the information is used or disclosed for such other purposes.
(4) RETENTION LIMITATION PRINCIPLE.—The personal information of a minor should not be retained for longer than is necessary to fulfill a transaction or provide a service requested by the minor or such other purposes specified in subparagraphs (A) through (D) of paragraph (3). The operator should implement a reasonable and appropriate data disposal policy based on the nature and sensitivity of such personal information.
(5) SECURITY SAFEGUARDS PRINCIPLE.—The personal information of a minor should be protected by reasonable and appropriate security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.
(6) OPENNESS PRINCIPLE.—
(A) IN GENERAL.—The operator should maintain a general policy of openness about developments, practices, and policies with respect to the personal information of a minor. The operator should provide each minor using the website, online service, online application, or mobile application of the operator with a clear and prominent means—
(i) to identify and contact the operator, by, at a minimum, disclosing, clearly and prominently, the identity of the operator and—
(I) in the case of an operator who is an individual, the address of the principal residence of the operator and an e-mail address and telephone number for the operator; or
(II) in the case of any other operator, the address of the principal place of business of the operator and an e-mail address and telephone number for the operator;
(ii) to determine whether the operator possesses any personal information of the minor, the nature of any such information, and the purposes for which the information was collected and is being retained;
(iii) to obtain any personal information of the minor that is in the possession of the operator from the operator, or from a person specified by the operator, within a reasonable time after making a request, at a charge (if any) that is not excessive, in a reasonable manner, and in a form that is readily intelligible to the minor;
(iv) to challenge the accuracy of personal information of the minor that is in the possession of the operator; and
(v) if the minor establishes the inaccuracy of personal information in a challenge under clause (iv), to have such information erased, corrected, completed, or otherwise amended.
(B) LIMITATION.—Nothing in this paragraph shall be construed to permit an operator to erase or otherwise modify personal information requested by a law enforcement agency pursuant to legal authority.
(7) INDIVIDUAL PARTICIPATION PRINCIPLE.—The operator should—
(A) obtain consent from a minor before using or disclosing the personal information of the minor for any purpose other than the purposes described in subparagraphs (A) through (C) of paragraph (3); and
(B) obtain affirmative express consent from a minor before using or disclosing previously collected personal information of the minor for purposes that constitute a material change in practice from the original purposes specified to the minor under paragraph (3).
The new “minors” age category of the Do Not Track Kids Act of 2015 should be alarming to many online operators. Not only is the proposed legislation a collection of vague “principles,” but making a determination as to whether a property is directed at minors or not should be difficult. It is currently reasonably simple to determine if a property is “directed at children under 13” by using the FTC proscribed bullet point issues:
- The subject matter of the platform;
- The video content on the site;
- The audio content on the site;
- The graphics and pictures on the site;
- The age of models used in any of the above;
- The presence of cartoon or animated characters directed at kids;
- The presence of incentives directed at kids;
- The presence of tasks kids under 13 would enjoy;
- The nature of the language used in the text; and
- The appearance, theme and content of advertising for the site.
It is difficult to see how these standards might be used with the minor category proposed in the new legislation. Specifically, how does one determine if a website with video games, for example, is directed at 13 to 15 years old teens versus a gaming site directed at 16 to 18-year-olds? If the Do Not Track Kids Act of 2015 is enacted, a huge number of online operators will suddenly face the prospect of at least partial COPPA compliance – representing both a significant financial and administrative burden for businesses.
Removal of Content
California may want to sue Senator Menendez for copyright infringement. The proposed COPPA amendment also contains a “removal of content” provision that appears to be copied from the California Minor Eraser Law enacted on January 1, 2015. The California legislation requires online operators with California users to establish a means for allowing minor users to remove content posted to the site. The genesis of the law is a belief a child of 15 who posts an embarrassing statement or photo should not have such content follow them around the rest of their life.
The legislation designed to amend COPPA contains very similar language.
SEC. 208. REMOVAL OF CONTENT.
(1) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate, under section 553 of title 5, United States Code, regulations that require an operator—
(A) to the extent technologically feasible, to implement mechanisms that permit a user of the website, service, or application of the operator to erase or otherwise eliminate content or information submitted to the website, service, or application by such user that is publicly available through the website, service, or application and contains or displays personal information of children or minors; and
The fascinating aspect of the removal provision of both the proposed COPPA amendment and California law is the practical impact is limited. The removal of content from a website, particularly one where users are actively posting content, does not equate to the removal of said content from the web. From archive sites to search engines indexing huge swaths of the web daily, the offending content will be picked up and published elsewhere. Sites such as the Way Back Machine exist for just this purpose.
Not only is content removal an ineffective tactic in many cases, but the drafters of both the California Minor Eraser Law and the Do Not Track Kids Act of 2015 realize as much. For example, the COPPA amendment legislation requires online operators:
(B) to take appropriate steps to make users aware of such mechanisms and to provide notice to users that such mechanisms do not necessarily provide comprehensive removal of the content or information submitted by such users.
[Sec. 208 (b)(1)(B).]
In essence, the drafters are admitting the goal of the legislation will not be met with this removal provision. Rather amazing, no?
Congressional representatives are constantly introducing bills for consideration. The Do Not Track Kids Act of 2015 would likely garner little interest as a stand alone bill. Whether the prospects of the bill becoming law improve since it is embedded in more general privacy legislation is difficult to predict. Join our newsletter to keep apprised of future developments.
The sponsor of this legislation, Robert Mendez, was just indicted on corruption charges. It will be interesting to see if another elected official subs in for Mendez as the primary sponsor or the bill simply dies in committee.
Richard A. Chapo, Esq.