In December, Attorneys General from 24 states and the District of Columbia submitted detailed comments to the Federal Trade Commission on proposed revisions to the rules implementing the federal Children’s Online Privacy Protection Act (COPPA). These comments were significant for multiple reasons.
The obvious reason is that State Attorneys General have concurrent enforcement authority for COPPA. The COPPA statute delegates to the FTC an unusual amount of administrative discretion in establishing standards and requirements. Therefore, the bi-partisan comments of 25 enforcement authorities on perceived shortcomings in the current COPPA rule will likely be carefully considered by the FTC.
Another reason the State Attorney General letter is significant is that State AGs have authority to enforce other state laws relating to children’s online privacy which are not pre-empted by COPPA, including state data privacy statutes. Because COPPA only applies to children up to age 13, states are free to legislate protections for older teenagers. Some states, such as California and Delaware, have already done so. State AGs may also seek to enforce state laws applicable to children thirteen and under which are not pre-empted by COPPA. Areas where State AGs find the substance or enforcement of COPPA deficient are likely areas of State AG focus in the future.
Based on the FTC letter, one clear area of concern for State AGs is the ability of third parties to avoid application of COPPA’s limitations on tracking of minors by willfully ignoring the ages of people on the platforms they are tracking, and the incentive that COPPA gives site operators to ignore the content of the child-oriented material placed on their site by third parties. Some of this state-level concern is reflected in the language of the California Consumer Privacy Act’s provisions relating to the sale of minor web site users’ personal information, which provides that businesses that willfully disregard a consumer’s age are deemed to have actual knowledge of the consumer’s age. A second major area of concern for State AGs is expanding the range of data whose privacy is protected by statute – specifically in areas such as biometric data and health data. Again, some of this concern is reflected in the new California privacy statute, which specifically includes biometric information within its ambit.
Aside from weighing in with the FTC, some State AGs have been explicitly saying that the data privacy of children will be a priority for them. California Attorney General Xavier Becerra has specifically stated that early enforcement actions of the CCPA will focus on protection of children. New Mexico Attorney General Hector Balderas, the author of the State AG letter to the FTC, has filed two separate actions seeking to protect the privacy of children: (i) a 2018 suit against Tiny Lab Productions and large technology companies such as Google and Twitter, alleging that the defendants had illegally derived personal data about children from mobile gaming applications, and (ii) a new suit filed just last month against Google, alleging that the company’s “G Suite for Education” web-based service provided to schools was illegally collecting and using children’s personal information. Both actions are still pending, and as suggested above, each alleges violations of COPPA as well as violations of state statutory and common law.
The takeaway: the data privacy rights of children, including older teenagers who are not protected by COPPA, are an emerging priority for State AGs. Companies that handle private data of minors should be vigilant in staying abreast of new state statutes and regulations, and also attentive to the comments of State AGs with respect to what new privacy requirements are on the horizon.