In a heavily digital era, children’s online privacy has never been so crucial due to the ease of accessibility to the Internet. Children’s data is usually considered sensitive because they are a vulnerable demographic. They may not understand the risks of data processing and the impacts on their online privacy and, therefore, be unable to provide informed consent.
The federal Children’s Online Privacy Protection Act (COPPA), set the standard for protecting children’s privacy by providing them and their parents with safeguards to maintain their privacy online. While additional federal legislation is currently in the works, several states are busy drafting and enacting state-specific legislation to bolster children’s protections, such as consumer privacy laws that include provisions relating to children’s data, Age Appropriate Design Codes, and laws exclusively concerning children.
With so many state-specific laws, it’s paramount to keep track of and be aware of your obligations across states. This article compares and contrasts children’s privacy laws and highlights key privacy requirements to help you stay on top of your children’s data responsibilities.
Federal children’s privacy requirements
COPPA
COPPA specifically applies to operators of online websites and services oriented for children under the age of 13 who collect, use, and/or share their personal information, including operators with actual knowledge that they are processing data from children under the age of 13.
Some key requirements for operators include providing a privacy notice on their website and directly to parents explaining their activities of children’s data processing, developing procedures to obtain verifiable parental consent, and providing parents the right to review their child’s personal information in their possession, including the opportunity to refuse further data collection/processing.
However, as technologies become increasingly advanced, operators are finding new ways to collect information from children and teens. In response, proposed amendments are being made to COPPA through the Children’s and Teens Online Privacy Act (COPPA 2.0). This act passed the Senate on July 29, 2024.
COPPA 2.0 adds a new definition of ‘teens,’ which is defined as an individual over the age of 12 and under the age of 17. The amendments require the exercise of standard data processing principles, such as data and purpose limitation. They prohibit operators from disclosing to third parties or collecting children’s and teens’ personal information for targeted advertising. Operators are also required to develop a mechanism that enables users or their parents to erase personal information of a child or teen from their website.
The Kids Online Safety Act (KOSA)
KOSA is another federal bill that’s highly anticipated, which recently passed the Senate on July 29, 2024. The main difference between COPPA and KOSA is that KOSA focuses on governing the use of algorithms and displaying certain content to children by social media providers.
Key requirements under KOSA mandate that providers offer mechanisms for parents to flag harmful content on the platform. Providers must also supply tools that allow parents to monitor their child’s online activity. They are required to disclose information to parents about how children’s data is processed within their algorithms. Additionally, KOSA prohibits advertising products or services to children that are illegal to sell to them.
Navigating state children’s privacy requirements
Consumer privacy laws
More and more states are proposing consumer privacy laws, while 20 have already signed their laws. Most state laws have several overlapping requirements related to children. Including:
- defining the age of children under 13,
- enabling parents/guardians to exercise consumer rights on behalf of a child,
- strictly allowing the processing of childrens’ sensitive information only when COPPA requirements are met,
- and establishing consent requirements for processing children’s data for marketing purposes.
However, there are nuances in some state laws that are worth flagging.
Colorado is a unique state as it’s the only state whose consumer privacy law includes a separate definition of ‘minor’, defined as any consumer under the age of 18. It also provides an exclusive definition of ‘heightened risk of harm to minors’ and an impact assessment must be performed in the event of such risk on the online product or service.
The law prohibits certain activities when providing online products, services, or features, such as prohibiting:
- processing without consent from the child or parent for secondary purposes,
- processing data for longer than necessary,
- using deceptive design patterns to extend a child’s online activity,
- and deploying direct messaging features without applying safeguards to limit an unconnected adult from sending messages to a child.
Colorado and Virginia prohibits the collection of childrens’ precise geolocation data, unless the data is necessary to provide the online service and is collected/retained for a limited time, a child is provided a signal informing them about geolocation data collection, and consent from the child or parent has been obtained.
Similar to Colorado, some states provide their own definition of a ‘minor’, also defined as an individual under 18, including in:
- California’s Protecting Our Kids from Social Media Addiction Act;
- Tennessee’s Protecting Children from Social Media Act;
- Utah’s Social Media Regulation Act; and
- New York’s Children’s Data Protection Act and Stop Addictive Feeds Exploitation Act.
Florida’s, Minnesota’s, and Rhode Island’s consumer privacy laws, and Delaware’s Online Privacy and Protect Act, provides a different requirement for processing children’s sensitive data. It is prohibited to process such data unless consent has been obtained from a parent/guardian and processing requirements, including consent requirements, under COPPA are met.
NetChoice lawsuits
The need for more children’s privacy laws is gaining momentum, and seven states have stepped-up their commitment to do so. Notably, proposals for Age Appropriate Design Codes (AADC) are garnering popularity after California was the first to propose and enact its AADC, followed by Maryland in enacting its AADC, and other states such as Illinois, Oregon, and New Mexico who have already put their draft AADC on the table.
While the ultimate goal for pumping out these laws is for the best interest in protecting children on the internet, there have been debates whether these laws are unconstitutional.
In 2022, NetChoice, an association consisting of large media companies that promote online speech, hit California’s Attorney General with a lawsuit for its AADC, as well as Utah for its SMRA in 2023, alleging that the fundamentals of these laws that regulate childrens’ access to online services contravene the U.S. First and Fourth Amendments, concerning freedom of speech.
The aftermath of these lawsuits resulted in an approved preliminary injunction on California’s AADC, effective July 1, 2024, and a pushback of Utah’s SMRA effective date from March 2024 to October 1, 2024.
State-specific laws governing children’s online privacy
Most states don’t have exclusive laws concerning children’s privacy, except for:
- California’s AADC, Protecting Our Kids from Social Media Addiction Act (POKSMAA), and Act relating to Minors Online (AMO);
- Maryland’s Age Appropriate Design Code;
- Florida’s Protection of Children in Online Spaces Act (PCOSA) and Act relating to Technology Transparency (ATT);
- Delaware’s Online Privacy and Protection Act (OPPA);
- Tennessee’s Protecting Children from Social Media Act (PCSMA);
- Utah’s Social Media Regulation Act (SMRA); and
- New York’s Children’s Data Protection Act (CDPA) and Stop Addictive Feeds Exploitation (SAFE) Act
These children’s privacy laws provide additional protections not contained in the consumer privacy laws, which establishes more stringent safeguards, as shown in the table below:
Key Regulation | Details | |
---|---|---|
Provision of Parental Controls |
California POKSMAA |
|
Provision of Parental Controls | Tennessee PCSMA |
|
Provision of Parental Controls | Utah SMRA |
|
Restrictions on Sending Notifications | California POKSMAA | Notifications are prohibited from being sent to minors between 12 AM to 6 AM and 8 AM to 3 PM without parental consent. |
Restrictions on Sending Notifications | New York SAFE | Prohibits sending notifications to minors between 12 AM and 6 AM without parental consent. |
Data Protection Impact Assessments (DPIA) | California AADC | Requires DPIA every two years to assess risks to children and develop mitigation plans. |
Data Protection Impact | Maryland AADC | Conduct DPIA to assess data use and ensure it’s in the best interest of children. Review material changes every 90 days. |
Age Verification | California AADC | Estimate the age of children and do not use their data for secondary purposes. |
Age Verification | New York SAFE | Do not use age verification data for secondary purposes and delete it after use. |
Age Verification | Florida ATT & DBR | Similar to California and New York, age verification data must not be used for secondary purposes. |
Age Verification | Tennessee PCSMA | Verify the age of new account holders and seek parental consent. Allow parents to revoke consent if needed. |
Prohibitions on Marketing and Advertising | California & Delaware | Prohibit marketing of harmful products like alcohol to children on online services. |
There are so many more nuances and requirements in the field of children’s privacy. Find everything you need to know and the hottest developments in Nymity Research’s new Privacy Simplified: U.S. Children’s Privacy page.
Join the premier regulatory database with digestible legal summaries covering 244+ global jurisdictions written by trusted privacy and legal experts.
Start your free trial