Children’s privacy in the Age of Information is becoming a highly sensitive issue. In addition to specific legislation designed to protect children’s data in the EU and California, the USA is taking action on a federal level. Specifically the Federal Trade Commission (FTC) has issued two large fines in cases related to illegal collection and processing of children’s data.
In February 2019, the FTC imposed a $5.7 million fine on the operators of the social media app Musical.ly, (now rebranded as TikTok). The complaint filed by the Department of Justice on behalf of the FTC, alleges that Musical.ly violated the Children’s Online Privacy Protection Act (COPPA), by failing to seek parental consent before collecting information from users under the age of 13; using it without parental consent; and failing to delete personal information at parents’ request.
COPPA is the strongest US federal consumer privacy statute and empowers the FTC to fine companies up to $42,530 for each violation.
The $5.7 million fine was the largest civil penalty obtained by the FTC in a case related to children’s privacy until now. However, on 4 September 2019, Google-owned YouTube agreed to pay $136 million to the FTC and $34 million to the state of New York in a case related to children’s data privacy mishandling on its YouTube video platform.
The FTC and New York Attorney General allege that YouTube had violated COPPA by collecting and processing information about children under the age of 13 without parental consent.
Google is expected to change its YouTube content relating to children and bring an end to advertising directed at them. To this end, YouTube is finalising plans to end targeted ads on videos children are likely to watch. The company must also obtain consent from a parent or legal custodian before collecting or sharing personal data of children. Under this settlement, YouTube will notify channel owners geared toward a child audience that their content may be subjected to COPPA, and provide annual training to employees who deal with them.
YouTube has long maintained that its primary site is not for children and in 2015 the company created ‘YouTube for kids’. This separate app that does not collect data on minors, was created in part to address issues related to data privacy for children. YouTube CEO Susan Wojcicki said that the company will increase promotion of this platform. Naturally, the crackdown might have a financial impact on those producing videos for children. To offset any losses the company plans to spend $100 million over the next three years to develop original children’s content.
Going forward, YouTube will treat data from a user watching children’s content as if it comes from a minor, regardless of age, thus stopping targeted ads on the content. YouTube will also ask creators to self-identify videos with child content and use artificial intelligence to identify videos that target children. Moreover, it will eliminate the use of comments and notifications on children’s videos that require the collection of personal data.
This fine is the latest attempt by the FTC to curb violations of data privacy by Big Business. In August 2019, Facebook agreed to pay $5 billion to settle a probe into its data handling practices.
While the FTC is flexing its financial muscle to regulate data practices among Silicon Valley companies, other jurisdictions are actively creating new rules for data collection of children under 16.
New laws on data protection in the European Union and California
The EU adopted the General Data Protection Regulation (GDPR) in 2018, which specifically recognises children as vulnerable natural persons that merit a special protection in the law. Under the GDPR, parents or guardians are to provide consent for individuals under the age of 16 although Member States have discretion to lower the age limit to 13 years. Simultaneously, data controllers are required to make reasonable efforts to verify that consent is indeed given by a parent or a guardian.
Similarly, the California Consumer Privacy Act (CCPA), which comes into force in January 2020, enables consumers between the ages of 13-16 the right to opt-in to have their personal information sold. For children under the age of 13, a parent or a legal guardian must affirmatively authorise the sale of the child’s personal information.
An important difference between the EU and California is that the law in Europe does not provide any exception for a controller who is unaware that they are actively collecting the personal data of a child or providing services to them. As such, companies collecting children’s data in Europe might face stronger sanctions.
Given the precedents that the FTC is creating in protecting personal data in the US and the new laws in the EU and California, it is essential for companies that handle personal data in the course of business to be mindful of the new legal landscape on both sides of the Atlantic. Whether companies designate an in-house Data Protection Officer (DPO) or outsource this service, the advice is to have them supervise the following key activities in relation to children’s data:
- map where this data is processed within your organisation;
- undertake Data Protection Impact Assessments (DPIAs) where risks are high; and
- ensure training and awareness programmes are in place.