A House bill revises the Children’s Online Privacy Protection Act (COPPA) of 1998. The bill would extend COPPA’s privacy protection to teenagers age 12 to 18, expand the scope of covered information and limit allowed uses of covered information of minors, including a ban to targeted advertisement.
Under this bill, “young consumers” ages 12 to 18 would receive the same level of privacy protection granted by COPPA to children, e.g. individuals under age 13, substantially expanding privacy protection for teens. Children will need the explicit consent of their parent or legal guardian to data collection and treatment. Young consumers, instead, will be able to consent themselves, but their parents may still refuse collection and treatment of personal information at any time.
The PRIVCY Act also extends the scope of coverage to any information “linked to or reasonably linkable” to young consumers, children or their devices. The list includes, but is not limited to, the following items as long as they are not de-identified or used for employment purposes:
- Information on interactions with a “website, application, or advertisement” like search and browsing history, or clicks;
- Content of electronic communication, such as emails, messages, or conversations;
- Commercial information such as records of personal property or purchases;
- Geo-location (e.g. cellular location tracking);
- Biometric information (e.g. facial recognition, fingerprints, voice, etc.);
- Information on identity (e.g. race, gender, age, disability, sexual orientation, religion, etc.);
- Inferences drawn from covered information.
The above list adds to the personal information currently covered under COPPA: identifying information (first and last name, social security number, state identification card), home or other relevant location addresses, and contact information (telephone number, e-mail address).
Organizations must review and update their security measures at least yearly to provide up-to-date storage of children and young consumer’s data. Sharing personal information with third parties is allowed only with individual consent and as long as third-party use is consistent with the purposes outlined in the privacy policies users have accepted. In that case, firms must also ensure that any third-party company they are sharing users’ personal information with are compliant with the appropriate security measures.
Additionally, organizations may not retain or store children and young consumer’s data longer than necessary for the specified purpose of use. This bill prohibits organizations from targeting advertisements to children or young consumers based on collected personal information, with or without users’ consent.
The FTC or parents of young consumers and children would be able to pursue civil action if minors' personal information is collected or used in violation of this act, and to seek relief as well as punitive damages – compensation that surpasses the victims’ monetary losses meant to punish firms’ wrongdoing. Additionally, this bill increases the maximum civil penalties to $63,795 per infraction.
The FTC had previously pointed out that rapid changes in technology and the increased access to the internet since the establishment of COPPA in 1998 require updated rules that grant strong protection for children and young consumers. This bill has been publicly supported by many children internet safety and education organizations. Common Sense Media, a nonprofit organization that advocates for youth internet safety, has openly supported this bill: “We are seeing lawmakers in Congress renew efforts to strengthen laws that hold companies accountable…The Castor bill leads the way here [in expanding protection to teens], offering teens up to the age of 18 special protections and requiring that companies get opt-in consent before data collection, use, and sharing.”
As of March 2020, the PRIVCY Act does not have bipartisan support. House Representative Cathy McMorris Rodgers (R-WA-5) supports strengthening COPPA but worries about “the impact a private right of action would have on small businesses and innovation.” Two other online privacy bills meant to revise COPPA, S. 748 and H.R. 5573, were also introduced in January 2020, but did not advance in the legislative process.