Overview
The California Attorney General’s CCPA draft regulations impose additional requirements for collection of data from children under 13 on top of those imposed by the federal Children’s Online Privacy Protection Act (COPPA), and also create additional requirements for minors between the ages of 13 and 16. Businesses will need to have reasonable processes in place to ensure that the person providing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian. Minors must also be able to opt in, and later, opt out, of the sale of their PI. Businesses should include these practices in their privacy policies.
Key Elements of Article 5 (pages 21-22)
In addition to the requirements of COPPA, § 999.330 requires that businesses that have actual knowledge that they collect PI from children under 13 must “establish, document, and comply with a reasonable method” for verifying that the person authorizing the sale of a child’s data is actually that child’s parent or guardian. Section 999.330(b) lists several methods that are “reasonably calculated” to ensure that is the case, including providing a signed consent form under penalty of perjury; requiring parents or guardians to use payment methods such as credit cards that provide notification of each transaction; asking the parent or guardian to communicate in person with trained personnel, either through a toll-free line or videoconference; or verifying the parent or guardian against a government database, and then promptly deleting their PI from the business’s database. Parents must also be notified of their right to later opt out of the sale of their child’s personal information. Note that actual knowledge is not otherwise defined in the CCPA or in the draft regulations, and it is not known whether the California Attorney General intends for businesses to look to COPPA standards here.
Section 999.331 requires businesses that have actual knowledge they collect or maintain the PI of minors to establish, document, and comply with a reasonable process to allow minors to opt in to the sale of their PI, and inform them of their right to opt out of such sale at a later date.
Businesses must include descriptions of these processes in their privacy policies. However, businesses that exclusively target offers of goods or services directly to consumers under 16 years old and do not sell their personal information without affirmative authorization, or the affirmative authorization of the child’s parent or guardian, are not required to provide notice of the right to opt out.
What it Means/Takeaways
Simply complying with COPPA requirements will not be sufficient to ensure CCPA compliance. The CCPA regulations require businesses to take reasonable steps to ensure that the person authorizing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian. This takes aim at the ease with which children can forge parental signatures or other means of giving consent, and does not allow businesses to turn a blind eye to the reasonableness of their consent mechanisms, if they have actual knowledge that children under 13 use their website. The requirements in Article V apply to businesses that have actual knowledge that they collect PI from children and minors, so this may discourage mixed-age websites from age-gating or otherwise asking for the ages of their users, to avoid incurring the requirements herein.
Recommendations
Businesses that knowingly collect children’s PI should establish and implement one of the processes suggested in § 999.330(b) to reasonably ensure that the person providing consent for the sale of data is the child’s parent or guardian. Businesses should consider operational issues when determining which method or methods will be the least burdensome for them to implement. Businesses should also carefully document such processes, and include descriptions in their privacy policy.