In this post, we offer insights on the revisions recently made by the California Attorney General’s office to Article 5 of its draft regulations pertaining to special rules regarding minors. Article 5 imposes special requirements on businesses that sell the personal information of children and minors. We previously reported on this part of the draft regulations here. In addition to explaining the key changes from the revised draft regulations, we again offer our recommendations and summarize the elements of the draft regulations in their latest form.
Overview
The California Attorney General’s CCPA draft regulations impose additional requirements for collection of data from children under 13 on top of those imposed by the federal Children’s Online Privacy Protection Act (COPPA), and also create additional requirements for minors between the ages of 13 and 16. Businesses will need to have reasonable processes in place to ensure that the person providing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian. Minors must also be able to opt in, and later, opt out, of the sale of their PI. Businesses should include these practices in their privacy policies.
Key Elements of Article 5 (pages 21-22)
In addition to the requirements of COPPA, § 999.330 requires that businesses that have actual knowledge that they sell PI from children under 13 must “establish, document, and comply with a reasonable method” for verifying that the person authorizing the sale of a child’s data is actually that child’s parent or guardian. Previously, the draft regulations required this of businesses that merely collect and maintain PI from children under 13, but the revised regulations only require it of businesses that sell the same. Section 999.330(b) lists several methods that are “reasonably calculated” to ensure that is the case, including providing a signed consent form under penalty of perjury; requiring parents or guardians to use payment methods such as credit cards that provide notification of each transaction; asking the parent or guardian to communicate in person with trained personnel, either through a toll-free line or videoconference; or verifying the parent or guardian against a government database, and then promptly deleting their PI from the business’s database. The revised regulations clarified that the list of practices in § 999.330(a)(2) is illustrative, rather than comprehensive, and that a consent form may be signed by a parent or guardian either physically or electronically.
Parents must also be notified of their right to later opt out of the sale of their child’s personal information. Note that actual knowledge is not otherwise defined in the CCPA or in the draft regulations, and it is not known whether the California Attorney General intends for businesses to look to COPPA standards here. Although the revised regulations added several definitions to the text, “actual knowledge” remains undefined.
In the revision to the regulations, sub-section (c) was added to § 999.330 requiring businesses to “establish, document, and comply with a reasonable method,” following the suggested methods in § 999.330(a)(2), “for determining whether a person submitting a request to know or a request to delete the personal information of a child under the age of 13 is the parent or guardian of that child.”
Section 999.331 requires businesses that have actual knowledge they sell the PI of minors to establish, document, and comply with a reasonable process to allow minors to opt in to the sale of their PI, and inform them of their right to opt out of such sale at a later date. Like § 999.330, the standard in the draft regulations originally applied to businesses that have actual knowledge they collect and maintain the PI of minors, but the revised regulations lessened the burden by requiring them to sell it before they must comply with the requirement.
Businesses must include descriptions of these processes in their privacy policies. However, businesses that exclusively target offers of goods or services directly to consumers under 16 years old and do not sell their personal information without affirmative authorization, or the affirmative authorization of the child’s parent or guardian, are not required to provide notice of the right to opt out.
What it Means/Takeaways
Simply complying with COPPA requirements will not be sufficient to ensure CCPA compliance. The CCPA regulations require businesses to take reasonable steps to ensure that the person authorizing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian. This takes aim at the ease with which children can forge parental signatures or other means of giving consent, and does not allow businesses to turn a blind eye to the reasonableness of their consent mechanisms if they have actual knowledge that children under 13 use their website. The requirements in Article 5 apply to businesses that have actual knowledge that they sell PI from children and minors, so this may discourage mixed-age websites from age-gating or otherwise asking for the ages of their users, to avoid incurring the requirements herein. Nonetheless, the revision to the regulations significantly lessened the compliance burden on businesses by requiring them to sell, rather than simply collect and maintain, the PI of children or minors in order to be subject to the requirements in this section.
Recommendations
Businesses that knowingly sell children’s PI should establish and implement one of the processes suggested in § 999.330(b) to reasonably ensure that the person providing consent for the sale of data is the child’s parent or guardian. Businesses should consider operational issues when determining which method or methods will be the least burdensome for them to implement. Businesses should also carefully document such processes, and include descriptions in their privacy policy.