House Democrat Introduces Legislation to Strengthen Children’s Online Privacy

Feb 11, 2020


The Kids PRIVCY Act would amend COPPA in a number of ways, including by:

Establishing protections for children 13–17 years old

The bill would amend COPPA to require companies to obtain opt-in consent for all individuals under the age of 18 prior to collecting, retaining or sharing users’ personal information. The measure proposes establishing a new class of “young consumers” ages 13–17 and providing them with specific protections. Currently, COPPA provides protections related to data collected from children under 13.

Expanding the enumerated types of personal information covered under COPPA

The Kids PRIVCY Act would expand the enumerated types of information covered under COPPA to include a number of additional categories, including biometric information, health information, geolocation information and search history. COPPA currently defines “personal information” as “individually identifiable information about an individual collected online” and provides examples of personal information, including first and last name, home address, telephone number and Social Security number. The bill would significantly expand upon this list of codified examples.

Expanding upon access and deletion rights provided under COPPA and establishing the right to correct personal information

Similar to other privacy proposals in the 116th Congress, the Kids PRIVCY Act would establish access, correction and deletion rights for users and require privacy policies to describe how users can exercise these rights in plain language. COPPA regulations require operators to provide parents and guardians the “opportunity at any time to refuse to permit the operator’s further use or future online collection of personal information from that child, and to direct the operator to delete the child’s personal information.” They also require operators to provide a parent, upon request, a “means of reviewing any personal information collected from the child.”

The Kids PRIVCY Act would expand upon these rights by requiring covered entities to provide access to additional information, including all covered information pertaining to a child or young consumer and the names of each third party to which the covered entity has disclosed such information. The Act would also require covered entities to provide a mechanism by which a parent or young consumer could request that personal information be corrected.

Prohibiting operators from terminating services because a parent, guardian or young consumer has exercised their access, deletion or correction rights

The Kids PRIVCY Act would prohibit covered entities from refusing to provide a service, or discontinuing provision of a service, if a young consumer, parent or guardian exercises their rights to access, deletion or correction. Under current law, operators are permitted to terminate services to a child whose parent or guardian has directed the operator to delete the child’s personal information, provided that operators cannot condition a child’s participation in an activity on the child disclosing more personal information than is reasonably necessary.

Adding a number of specific data security requirements

COPPA currently requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The Kids PRIVCY Act would require covered entities to include certain elements in their data security policies and procedures, including information regarding data retention and breach response. The legislation also contains language that would require companies to establish concrete procedures to mitigate vulnerabilities and to designate a data security officer.

Repealing the COPPA safe harbor provisions

COPPA includes provisions that allow industry groups to develop self-regulatory guidelines that implement COPPA protections and seek FTC approval for their use. The FTC has approved seven safe harbor programs under these provisions. The Kids PRIVCY Act would repeal COPPA’s safe harbor program due to concerns that the program facilitates non-compliance.

Providing for increased civil penalties, punitive damages and a private right of action

Regarding enforcement, the Kids PRIVCY Act would increase the maximum allowable civil penalty per violation by 50 percent and allow the FTC to pursue punitive damages. The measure would also grant parents the ability to bring civil actions.

The FTC is in the process of reviewing its regulations implementing COPPA. It recently concluded collecting public comments regarding, among other topics, potential updates to the parental right to review or delete children’s information and factors that should be used to determine whether an online service is directed to children.

The House Energy and Commerce Committee is also currently reviewing feedback in response to a staff-level discussion draft of comprehensive federal privacy legislation. This proposal, released to the public in December, would create an online privacy bureau within the FTC and prohibit discriminatory uses of personal data. While the initial draft did not contain legislative language on controversial provisions such as preemption and a private right of action, staff left these areas in brackets for stakeholder input.

Recent proposals to amend COPPA are likely to play a significant role in the larger privacy debate in the House. Rep. Jan Schakowsky (D-IL), Chair of the Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce, has indicated that the Committee will likely combine provisions from various bills, including the Kids PRIVCY Act, in its final product. We continue to monitor the Committee’s process on this broader House proposal.


© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.