Children’s Data – A Global Perspective
15 June 2021
It is widely acknowledged that children are spending ever more time online, perhaps never more so than in the last 12 months due to the pandemic. Protecting children’s data and privacy is becoming more important to many people; in fact, the UK Information Commissioner refers to this increased focus as a “global direction of travel”.
We were delighted to welcome back Gary Kibel of US firm Davis+Gilbert LLP to share his experience of protecting children’s data in the USA and what UK and EU businesses could learn from the Federal Trade Commission’s (FTC) Children’s Online Privacy Protection Rule (COPPA). We were also very pleased to have Andrew Carroll from Ireland’s Data Protection Commission (IDPC) to give us an update on the IDPC’s Children front and centre: Fundamentals for a child-oriented approach to data processing (the Fundamentals). Finally, Victor Timon and Alexander Milner-Smith from Lewis Silkin LLP were on hand to pose questions from our audience and share their thoughts on the answers.
The USA passed COPPA in 1998, and it has been in force since April 2000. It was amended in 2013. As it has been in force for over 20 years, there is a lot we can learn from it and use to help us as we head towards the end of the ICO’s grace period for compliance with the Children’s Code.
The purpose of COPPA will sound familiar in that it aims to:
“prohibit unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.”
However, the US approach differs not only in age range but also in scope. COPPA applies to:
“All website operators who have actual knowledge that they collect personal information from children online under the age of 13 or have a child-directed website”.
Organisations in scope must:
- obtain “verifiable parental consent”,
- advise a parent/legal guardian that they can review the child's personal information, and
- establish and maintain reasonable security procedures.
The 2013 amendment also led to an expansion of the definition of “personal information” to include any:
“persistent identifier that can be used to recognize a user over time and across different websites or online services”.
This is in contrast to the ICO’s Children’s Code that applies to:
“relevant information society services which are likely to be accessed by children”.
In the ICO’s Children’s Code a child is anyone under the age of 18, and the test is whether access to the website, app etc. is “more probable than not”, rather than the COPPA approach of being “directed at children”.
Despite these differences, the common aim of protecting children’s data, the methods to do so and the technology used are very interesting when considering how to comply with the ICO’s Children’s Code. In that regard an additional, helpful resource in understanding what has worked and what lessons could be learned can be found in the FTC’s FAQs on COPPA. They were most recently revised in October 2020.
No discussion on this topic would be complete without mentioning the California Consumer Privacy Act (CCPA), the USA’s first comprehensive consumer privacy law. Under the opt-out provision for sale of personal information, if a business has actual knowledge that a user is less than 16 years of age, any sale of personal information requires an “opt-in”, and if the user is less than 13 years of age, the opt-in must come from the parent/guardian of the user. A minor also has a specific right of erasure under another California law. California has a more stringent level of protection than COPPA, and it is important to bear this in mind if your organisation falls under the remit of the CCPA.
May 2021 also saw a proposed bill to update COPPA in the form of the Children and Teens’ Online Privacy Protection Act. Key provisions of this proposed legislation include raising the age of those protected from 13 to 15, adding a “right to erasure”, changing the obligation on website operators from “actual knowledge” to “constructive knowledge”, implementing a “Digital Marketing Bill of Rights for Minors” and establishing a Youth Privacy and Marketing Division at the FTC. It will be important to monitor this legislation closely to ensure you are prepared for any upcoming changes and can put relevant and proportionate compliance measures in place where appropriate.
It is clear that, whether you are looking at state or federal laws, the “direction of travel” is to provide more rights and protection for children and their data, a trend that is common across all the jurisdictions discussed – and many more besides.
As the GDPR introduced new obligations for the processing of children’s data, the IDPC recognised the need for guidance as to how the GDPR principles applied to children in practice. The Fundamentals, currently in draft form, are the culmination of several years of work, gaining insights from children’s rights experts, and various public consultations, both with children and young people, and also other stakeholders, e.g. parents, educators, children’s rights organisations and organisations which process children’s data. The result was the draft Fundamentals, which were the subject of consultation earlier in 2021 and are expected to be finalised and published later in 2021. They will be followed by a child-friendly version to ensure children and young people have access to the information they need to understand the Fundamentals and how they apply to them.
At the centre of the 14 fundamentals is the familiar concept of the “best interests of the child”. The Fundamentals have been “designed to be consistent with the ICO Code with regard to digital services”. The 23 recommendations have minor differences to the ICO’s Children’s Code in some of the draft positions but it will be essential to read the final version when it is published in order to ascertain the definitive positions and ensure compliance. Following the consultation responses, it is expected there may be some adjustment before the final version is published, e.g. in the area of profiling.
The IDPC considers those in scope of the Fundamentals as organisations whose services:
“are directed at, intended for or likely to be accessed by children”.
This reflects not only the ICO’s and COPPA’s language but also an additional category of “intended for” children. It is the broadest scope of the jurisdictions we have discussed. While the Fundamentals incorporate some of COPPA’s criteria for determining whether a service is “directed at children”, the rule and the guidance were designed 20 years apart and therefore there are discernible differences in approach.
In the Fundamentals, a child means anyone under the age of 18. Again this is consistent with the UK position, but differs from COPPA’s definition of a child being one who is under the age of 13.
For all the similarities, probably the biggest difference is that the Fundamentals apply offline as well, meaning that they apply to “educational providers, sports and social clubs and communities, and health and social support providers amongst others”.
So what are the key challenges for global organisations?
For anyone working in a global organisation the key challenge will be how to comply with the different approaches in the different jurisdictions you operate in. You will need to understand the nuances of each country’s laws and undertake a risk assessment to decide whether to go for a localised or a global approach to compliance.
The importance of compliance, or at the very least a roadmap for compliance, should not be underestimated. No-one wants to be the subject of enforcement action, e.g. compulsory audits, processing bans and/or fines, let alone the reputational damage such action could do to a brand. You need only look at the news headlines to see the media attention that is focussed on this area at present! While anyone operating in the US will be familiar, and hopefully compliant, with COPPA, the differences in both the ICO Children’s Code and the IDPC’s Fundamentals will require an investment of time, money and resource in order not to fall foul of the new regulatory regimes.