Online Data Protection for Minors
The various laws and protections for minors in the U.S.
By Ryan M. Norchi
March 8, 2021
Everyone wants to feel safe about their personal information collected by data companies online, but they don’t necessarily stop to consider what is keeping their children safe in the same respect. By age 11, approximately half of all children in the United States own smartphones, and this number has only been trending upward over the past two decades. Adults may not be unbeknownst to the dangers presented by big data aggregators such as Facebook or Google, but children may not fully understand the intricacies of personally identifiable information (PII) as a commodity. This is why many free smartphone apps and online games are built to be addicting as by prolonging app usage, companies are able to collect and sell more data from their users. Those most susceptible to these practices are likely to be children. Given the increasing rate at which children are using smartphones, parents want to know how their children are protected online. While only a few state and federal privacy laws have been rolled out over the past 20 years to keep children safe, this information is also important for any businesses with websites or companies that have developed apps if they wish with regulations. The most important law protecting minors’ data, passed at the federal level in 1998, is the Children’s Online Privacy Protection Rule (COPPA). While some laws, such as the Children’s Internet Protection Act (CIPA), are concerned with children, COPPA is the only Federal law concerned with protecting children’s privacy online. There are, however, a small number of states that have passed laws that directly protect children’s data even further, while other states simply have general data protection laws that also apply to children.
COPPA is the primary federal law regulating the collection of data from children online that still stands today. The primary goal of COPPA was to protect children under the age of 13. The law requires that online services provide notice of any information they take, how they use that information, and who they may share that data with in order to remain compliant. It also requires that parental consent be provided before any website may take that information. Parents and guardians must also have the ability to review and refuse use of any data collected from their child. For these regulations to be relevant, either the operator of the website must know that children are using the app, via date of birth verification for example, or be a website specifically targeted at children. The Federal Trade Commission (FTC) is the primary entity responsible for enforcement of these regulations. Unfortunately, many large, online service companies have had violations of these rules and regulations. Recent examples include YouTube and TIkTok. At the time, TikTok was called musical.ly. They paid out a $6M settlement over allegations that they had been collecting PII from known minors, and not posting notices or seeking parental consent in a manner compliant with COPPA.
The specific type of data protected by COPPA is Personally Identifiable Information (PII). PII is most simply defined as information that would allow someone to link that given information with a specific individual. This generally pertains to names, addresses, contact information, social security numbers, photographs, family information, and health information. In addition to protecting minors’ PII, COPPA also prohibits operators from soliciting more information than is necessary from children through conditioning techniques such as the use of offering in-game prizes. Any collection of information from minors that is necessary for the online service to run is also legally required to be deleted as soon as the operator is able to. This means that retention of PII may only last as long as is sufficient to fulfill the original purpose of said retention.
Passed in 1998, COPPA remains a strong, though very baseline level of protection for minors acting online. It requires that online services request consent from parents before collecting any data from children under 13 years of age, which gives parents a great deal of oversight over the amount and type of data their children are giving up online. It also ensures that children who do choose to give up PII online are only doing so for a limited time, and with limited commercial use.
However, there are some notable drawbacks to COPPA. One of the primary issues with COPPA is whether or not a website is directed at children can be a difficult and subjective matter. For example, there was a legal dispute regarding whether YouTube is a website directed at kids. A recent investigation deemed that YouTube is a website directed at kids, and that, up until recently, they were not compliant with COPPA regulations. The second argument against COPPA is that it is not expansive enough. As it currently stands, COPPA only applied to children under the age of 13. This means that many young teenagers lack the same protections that non teens have.
COPPA provides some security for children under the age of 13 at the federal level; there are some states, Connecticut for instance, that have general online privacy laws that would apply to children. The only two states that have online privacy laws that apply specifically to children are California and Delaware. In 2015, California passed the Online Eraser law, a law that goes multiple steps further than COPPA. The California Online Eraser bill provides protection to all minors under the age of 18. These protections allow minors to remove or request to remove any information posted on an online service, web site, or app. This bill separates itself from COPPA by explicitly prohibiting online advertising and marketing certain products to minors, including items such as firearms, alcohol, tobacco, and lottery tickets. This means not only that websites specifically designed to attract minors may not advertise, or allow third party advertising of, any of these products, but also that these products may not be marketed directly to known minors on any other site not necessarily targeted at minors.
Delaware is the only other state with its own legislation regarding online data protection for minors. Similarly to California’s Erasure Bill, the law passed by Delaware in 2016 also prohibits online services from marketing certain products to children under the age of 18 that it deems inappropriate for minors. Once again, this includes online services targeted at children, and operators with awareness that a child might be using their service. If an advertising service is using a website to market to users, the operator of the website is legally required to disclose that a particular user is a minor. At this point, liability shifts to the advertising service. Outside of this particular instance, online operators may not disclose the PII of a child if it is known that said information will be used for the purpose of marketing those illicit products.
The United States and European Union have many laws regarding compliance and online data privacy, but very few directly handle the protection of minors. The United States passed COPPA in the late 1990s with the primary purpose of providing parents an avenue to regulate what information their children allow to be collected on the internet, but some might argue that COPPA is relatively limited in scope. California and Delaware have since enacted very similar bills policing primarily the advertising of illicit products to minors, but have also granted certain freedoms to view and delete collected information online. This is a proper start, but until more states start to adopt safer online policies for children, the safest route is to use login apps that simply do not allow for the collection and storage of any personal data.