Given the global public debate over online privacy and mounting concerns that big tech giants are tracking and monitoring children, the attention of lawmakers in both in the U.S. and Britain is shifting to children’s privacy online. In the U.S., Senator Ed Markey is leading a bilateral and bicameral push to update the Children’s Online Privacy Protection Act (COPPA), in order to make it harder for tech giants to collect personal data and location information for children younger than age 15. And in the UK, the Information Commissioner’s Office (ICO) has published a 16-point draft code of practice for children’s privacy. Together, these two moves represent a fundamental shift in the debate over online privacy and positive momentum in the move towards stronger data protection laws.
Children’s privacy and COPPA 2.0
Citing the need for stronger and more effective protections online, Senators Ed Markey (Democrat – Massachusetts) and Josh Hawley (Republican – Missouri) have introduced new bipartisan legislation that updates the Children’s Online Privacy Protection Act (COPPA), one of the few pieces of federal privacy legislation in the United States. Calling this new legislation for protecting children an “accompanying bill of rights” to COPPA, the two senators have set out new rules that will make it much harder for tech companies to track teens and young children. The original COPPA was authored back in 1998, during the early days of the modern Internet. This “COPPA 2.0” updates the legislation for the 21st century and the emergence of new innovations like Facebook and other social media platforms that rely on the collection of personal information.
First and most importantly, this new bicameral COPPA 2.0 legislation will extend privacy protections for the first time to teenagers age 13 to 15. Tech companies will not be able to collect personal information from these teens without their consent. Moreover, the legislation will prohibit tech companies from collecting personal information from children under 13 without parental consent. According to Senator Markey, tech companies are getting so sophisticated at getting kids to use their products and services that there need to be much stronger safeguards built into the online experience to avoid children’s personal data falling into the wrong hands.
One innovation within the legislation is a so-called “Eraser Button” that follows through on the “right to be forgotten.” The Eraser Button makes it possible to delete all personal information with a single click. Another innovation is the establishment of a new Youth Privacy and Marketing Division at the Federal Trade Commission (FTC), which will be responsible for making sure that tech companies are not tracking adolescents’ every move online, and that they are not improperly targeting young children with their advertising. A new Digital Marketing Bill of Rights will limit the personal collection of young children, and in fact, will ban all targeted advertising for kids. Marketing directed at children will no longer be tolerated.
This new legislation also makes an effort to regulate the use of Internet-connected toys and devices. It will prohibit the sale of Internet-connected devices for children or minors unless they adhere to “robust” cyber security standards. Moreover, packaging for these toys and devices must clearly state what type of data is being collected and how it is being used.
In today’s 24/7 digital world, the reality is that kids are using the Internet to do homework, chat with friends and play games. And, until recently, big tech companies were leveraging this fact in order to collect data on children and minors, much as they collect data on adults. The youngest are bombarded with marketing messages and potentially deceptive practices that encourage them to turn off privacy settings. The new legislation will put an end to this practice. Not surprisingly, then, this new piece of legislation has the full support of privacy advocacy organizations, such as the Center for Digital Democracy.
Children’s privacy and new UK child protection guidelines
In the UK, too, attention is turning to the world of children’s privacy. As called for by the Data Protection Act of 2018, the UK Information Commissioner’s Office (ICO) has published a 16-point draft code of practice related to children’s privacy that builds on the framework of existing data protection laws. The 16 standards will be under public consultation until May 31, and a final version of this code of practice is expected to come into effect by the end of the year.
The 16 standards represent a sort of “best-in-class” approach to dealing with children’s privacy. As such, these standards cover not only online services such as social media platforms, but also the world of connected toys and digital devices. In general, they take a very strong stance on children’s personal data. For example, all makers of connected devices should assume that their products will be used by children, unless they are able to integrate specific age authentication features directly into the product.
Many of these standards are common sense, such as the suggestion that all children’s privacy settings should come with a default setting of “high privacy.” With the goal of protecting children and ensuring children’s privacy, the ICO suggests that there should be no third-party data sharing and that all geolocation tracking features should be turned off. In general, online services must meet very rigorous standards when it comes to children’s privacy. The goal is to meet and exceed all standards of the European General Data Protection Regulation (GDPR), the touchstone data protection act that went into effect in 2018 and that provides for stiff penalties for improperly processing personal data.
One potentially controversial aspect of the new standards involves the clamping down on so-called “nudge techniques” that are designed to get children to share more of their personal data than they would like, or to encourage them to turn off data privacy settings. As CNBC highlighted, a strict interpretation of this nudge term would include the “like” button found on most social media platforms. After all, every “like” is a new data point used by a company to develop a sophisticated profile of a user. This could potentially present a thorny problem for Facebook, which might have to disable the “like” button across wide swathes of the platform.
Protecting children is the new priority
Clearly, around the world, data privacy has become such a mainstream topic of discussion that just about everybody can agree that devices or online platforms accessed by children need to take into account children’s privacy. In 2019 and beyond, look for other nations to follow the lead of the U.S. and UK and take steps to beef up their data protection laws to protect the interests of the child.