CDD

CDD Urges the House to Promptly Markup HR 7890 - the Children and Teens' Online Privacy Protection Act (COPPA 2.0), HR 7890

Katharina Kopp
person using smartphone by Priscilla Du Preez 🇨🇦
Photo by Priscilla Du Preez 🇨🇦 on Unsplash

COPPA 2.0 provides a comprehensive approach to safeguarding children’s and teen’s privacy via data minimization and a prohibition on targeted advertising – it’s not “just” about “notice and consent”

We commend Rep. Walberg (R-Mich.) and Rep. Castor (D-FL) for introducing the House COPPA 2.0 companion bill. The bill enjoys strong bipartisan support in the U.S. Senate. We urge the House to promptly markup HR 7890 and pass it into law. Any delay in bringing HR 7890 to a vote would expose children, adolescents, and their families to greater harm.

Learn more about the Children and Teens’ Online Privacy Protection Act here:

 

Background:

The United States is currently facing a commercial surveillance crisis. Digital giants invade our private lives, spy on our families, deploy manipulative and unfair data-driven marketing practices, and exploit our most personal information for profit. These reckless practices are leading to unacceptable invasions of privacy, discrimination, and public health harms.

In particular, the United States faces a youth mental health crisis fueled, in part, by Big Tech. According to the American Academy of Pediatrics, children’s mental health has reached a national emergency status. The Center for Disease Control found that in 2021, one in three high school girls contemplated suicide, one in ten high school girls attempted suicide, and among LGBTQ+ youth, more than one in five attempted suicide. As the Surgeon General concluded in a report last year, “there are ample indicators that social media can also have a profound risk of harm to the mental health and well-being of children and adolescents.”

Platforms’ data practices and their prioritization of profit over the well-being of America’s youth significantly contribute to the crisis. The lack of privacy protections for children and teens has led to a decline in young people’s well-being. Platforms rely on vast amounts of data to create detailed profiles of young individuals to target them with tailored ads. To achieve this, addictive design features are employed, keeping young users online for longer periods of time and exacerbating the youth mental health crisis. The formula is simple: more addiction equals more data and more targeted ads which translates into greater profits for Big Tech. In fact, according to a recent Harvard study, in 2022, the major Big Tech platforms earned nearly $11 billion in ad revenue from U.S. users under age 17.

The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) modernizes and strengthens the only online privacy law for children, the Children’s Online Privacy Protection Act (COPPA). COPPA was passed over 25 years ago and is crucially in need of an update, including the extension of safeguards to teens. Passed by the Senate out of Committee, Reps. Tim Walberg (R-MI) and Kathy Castor (D-FL) introduced COPPA 2.0 in the House in April. It’s time now for the House to act.

 

The Children and Teens’ Online Privacy Protection Act would:

-              Build on COPPA and extend privacy safeguards to users who are 13 to 16 years of age;

-              Require strong data minimization safeguards prohibiting the excessive collection, use, and sharing of children’s and teens’ data; COPPA 2.0 would:

  • Prohibit the collection, use or disclosure or maintenance of personal information for purposes of targeted advertising;

  • Prohibit the collection of personal information except when the collection is consistent with the context and necessary to fulfill a transaction or service or provide a product or service requested;

  • Prohibit the retention of personal information for longer than is reasonably necessary to fulfill a transaction or provide a service;

  • Prohibit conditioning a child’s or teen’s participation on the child’s or teen’s disclosing more personal information than is reasonably necessary.

  • Except for certain internal permissible operations purposes of the operator, all other data collection or disclosures require parental or teen consent.

-              Ban targeted advertising to children and teens;

-              Provide for parental or teen controls;

  • It would provide for the right to correct or delete personal information collected from  a child or teen or content or information submitted by a child or teen to a website – when technologically feasible.

-              Revise COPPA’s “actual knowledge” standard to close the loophole that allows covered platforms to ignore kids and teens on their site.

  

But what about….?

…Notice and Consent, doesn’t COPPA 2.0 rely on the so-called “notice and consent” approach and isn’t the consensus that this is an ineffective way to protect privacy online?

No, COPPA 2.0 does not rely on “notice and consent”. It would provide a comprehensive approach to safeguarding children’s and teen’s privacy via data minimization. It appropriately restricts companies’ ability to collect, use, and share personal information of children and teens by default. The consent mechanism is just one additional safeguard.

 

1.        By default COPPA 2.0 would prohibit

  • the collection, use or disclosure or maintenance of personal information for purposes of targeted advertising to children and teens - this is a flat out ban, consent is not required.

  • the collection of personal information except when the collection is consistent with the context of the relationship and necessary to fulfill a transaction or service or provide a product or service requested of the relationship of the child/teen with the operator.

  • the retention of personal information for longer than is reasonably necessary to fulfill a transaction or provide a service.

 

2.        By extending COPPA protections to teens, COPPA 2.0 would further limit data collection from children and teens as COPPA 2.0 would prohibit

  • conditioning a child’s or teen’s participation in a game, the offering of a prize, or another activity on the child’s or teen’s disclosing more personal information than is reasonably necessary to participate in such activity.

 

3.        Any other personal information that companies would want to collect, use, or disclose requires parental consent or the consent of a teen, except for certain internal permissible operations purposes of the operator.

 

COPPA 2.0's data minimization provisions prevent the collection, use, disclosure, and retention of excessive data from the start. By not collecting or retaining unnecessary data, harmful, manipulative, and exploitative business practices will be prevented. The consent provision is important but plays a relatively small role in the privacy safeguards of COPPA 2.0.

 

 But what about….?

targeted advertising, don’t we need a clear ban of targeted advertising to children and teens?

Yes, and COPPA 2.0 bans targeted advertising while allowing for contextual advertising.

  • Under COPPA 2.0 it is unlawful for an operator "to collect, use, disclose to third parties, or maintain personal information of a child or teen for purposes of individual-specific advertising to children or teens (or to allow another person to collect, use, disclose, or maintain such information for such purpose).”

 

But what about….?

…the transfer of personal information to third parties?

Yes, COPPA 2.0 requires verifiable consent by a parent or teen for the disclosure or transfer of personal information to a third party, except for certain internal permissible operations purposes of the operator. Verifiable consent must be obtained before collection, use, and disclosure of personal information via direct notice of the personal information collection, use, and disclosure practices of the operator. Any material changes from the original purposes also require verifiable consent.

(Note that the existing COPPA rule requires that an operator gives a parent the option to consent to the collection and use of the child's personal information without consenting to the disclosure of his or her personal information to third parties under 312.5(a)(2). The FTC recently proposed to bolster this provision under the COPPA rule update.)