California Goes Beyond COPPA to Protect Children’s Privacy
On July 1, 2020, the California Attorney General will begin to enforce the California Consumer Privacy Act (CCPA) under which California residents benefit from the most expansive privacy protections in the United States. As an FTC-approved Safe Harbor program under the Children’s Online Privacy Protection Act (COPPA), I am most interested in the protections afforded California children.
Under Section 1798.120(c) of the CCPA, absent opt-in consent, a business is prohibited from selling the personal information of a California resident, if the business has “actual knowledge” the resident is under 16 years old. For children 13 to 15 years old, the opt-in consent can come directly from the child. The current version of the California Attorney General’s draft regulations requires that consent to come in two steps: first, the child must request to opt-in, then the child must separately confirm the opt-in choice. For children under 13 years old, opt-in consent must come from a parent or guardian using one of several methods that will be approved in the regulations. In both cases, the business must provide notice of the right and method to later opt-out.
When compared with current protections afforded by COPPA, Section 1798.120(c)’s biggest change is that it extends protections to children under 16 years old, whereas COPPA’s protections extend only to children under 13 years old. How material this difference turns out to be will depend largely on how the California Attorney General, and likely California courts, interpret the term “actual knowledge.” The statute says that if a business willfully disregards a child’s age, it will be deemed to have actual knowledge. What does that mean in an online world where most websites and apps don’t request or require a user’s age? How would those businesses have actual knowledge, if at all? Will they be expected to make assumptions based on the content of their websites and apps (i.e., something closer to constructive knowledge) or have a duty to monitor their user base to identify potential underage users (e.g., review user profiles)? It is far too early to know how these questions will ultimately get answered, but with July 1 almost here, that process is almost underway.
It is also noteworthy that the stakes are likely to be high. The current ballot initiative to pass the California Privacy Rights Act (CCPA 2.0) in November would triple the penalty for violations involving minors to $7,500 for each violation. CCPA 2.0 would also create a new agency to enforce the law and to pursue penalties.
• • •
Have more questions about CCPA compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.