Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.
Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:
- There are now ten state privacy laws that provide specific requirements and obligations as to Teens’ personal data. Of the nineteen states1 that have signed consumer privacy bills into law, ten of them (including CCPA) expand the treatment of minor data beyond COPPA’s under 13 standard to Teens. These laws provide various ranges from 13 to 17 years of age (e.g., at least age 13 but younger than 16, 17 or 18).
- The controller’s actual knowledge of age is not required in many of these states. Many of these states notably do not require a controller to have actual knowledge of age for the obligations to apply. Rather, they apply a “willful disregard” and/or a “knew or should have known” standard that prohibits businesses from turning a blind eye to the collection and processing of Teens’ data. Provisions in privacy policies and terms of service stating that a website or service is not intended for, or restricting the use of the website or service by, users under 18 will likely not prevent companies from violating these new requirements where a company willfully disregards or knew or should have known that it had Teen users or customers. This is reflective of how the FTC determines, for COPPA purposes, if an online service is directed at children under 13, or a general audience site – the latter having an actual knowledge standard and the former requiring a presumption that users are under 13.
- Some states prohibit the sale and targeted advertising involving minor data, with no consent exceptions. Maryland prohibits the sale and targeted advertising involving personal data of consumers under age 18.
- The remaining states require consent for sale and targeted advertising involving Teens’ personal data; Connecticut’s SB3 provides additional consent requirements. The general trend in many of these states is to require consent for certain processing involving Teens’ personal data, such as for sale or targeted advertising. Consent must be obtained from the minors themselves unless the minor is under 13, in which case COPPA’s “verifiable parental consent” standard still applies. Connecticut’s SB3, which amends its general consumer privacy law (and notably contains provisions going into effect on July 1 and October 1, 2024), provides restrictive data minimization provisions that require consent in other contexts, including for any processing of minor data beyond what is required to provide a product or service requested by a consumer.
- The states are broader in scope than COPPA as to both Teens and children’s (under 13) personal data. California and other state privacy laws have anchored certain of their consumer privacy rights and obligations regarding personal data about children, regardless of from whom the personal data is collected (rather than regulating only personal data collected from a child as set forth in COPPA). Moreover, the state privacy laws regulate personal data collected offline, whereas COPPA only applies to personal data collected online.
Below, we provide further details on the Teens’ data trend under state privacy laws and the interrelation between COPPA and the state privacy laws.
SPB has reference charts relating to the state privacy laws’ trend regarding Teens’ data and numerous other topics.
What Restrictions and Obligations Do the State Privacy Laws Place on Personal Data of Teens?
As mentioned above, a trend among several of the state privacy laws has been to regulate the personal data of Teens, in addition to children under the age of 13. Such trends are discussed under this section.
In five states, controllers cannot process the personal data of a consumer for targeted advertising or sale without the consumer’s consent when the controller:
- Has actual knowledge and willfully disregards that the consumer is at least 13 but younger than 16 (New Hampshire);
- Has actual knowledge or willfully disregards that the consumer is at least 13 but younger than 16 (Connecticut*)
- Has actual knowledge or willfully disregards that the consumer is at least 13 but younger than 18 (Delaware);
- Has actual knowledge that the consumer is at least 13 but younger than 16 (Montana); or
- Knows that the consumer is between the ages of 13 and 16 (Minnesota)
In two states, controllers cannot process the personal data of a consumer for targeted advertising, sale or profiling in furtherance of decisions that produce legal effects or effects of similar significance without the consumer’s consent when the controller has actual knowledge or willfully disregards that that the consumer is:
- at least 13 but younger than 16 (Oregon); or
- at least 13 but younger than 17 (New Jersey).
*Connecticut’s SB3 amends its general privacy law to expand coverage of Teens to those at least 13 years of age but younger than 18 years of age (instead of at least 13 but younger than 16 as in its general privacy law). In addition to requiring consent for targeted advertising or sale of such Teens’ personal data, SB3 requires consent for processing the personal data of Teens aged at least 13 but younger than 18 (applying an actual knowledge or willful disregard standard) for:
• profiling in furtherance of any fully automated decision made by such controller that produces any legal or similarly significant effect concerning the provision or denial by such controller of any financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care services or access to essential goods or services;
• any processing that is not “reasonably necessary to provide [the] online service, product or feature”;
• any processing other than for the purpose that the controller disclosed at the time the personal data was collected, or that is reasonably necessary for and compatible with the disclosed purpose;
• any processing for longer than reasonably necessary to provide the online service, product or feature; and
• collecting precise geolocation if it is not reasonably necessary to provide the online service, product or feature (notably, the relevant provision provides a strict retention limitation only for the “time necessary to provide such online service, product or feature”)
See the final section below for more information regarding SB3.
In Maryland, a controller may not process the personal data of a consumer for targeted advertising or sale if the controller “knew or should have known” that the consumer is under age 18. There is no consent exception, perhaps making Maryland the strictest regime as it relates to Teens’ personal data.
California diverges slightly from the above state privacy laws in that it prohibits the selling or sharing of the personal data of consumers if the business has actual knowledge that the consumer is less than 16, unless the consumer is at least 13 and has affirmatively authorized the sale or sharing. If the consumer is under age 13, a parent or guardian must provide the affirmative authorization. Note that in California, a business that willfully disregards the consumer’s age is deemed to have actual knowledge of the consumer’s age.
How is Sensitive Data of Children and Teens Treated Under the State Privacy Laws?
As to Teens, the state privacy laws (except Maryland and Delaware) do not materially change the requirements regarding the processing of sensitive data for nonexempt purposes; prior consent from the consumer is required in states that require opt-in consent (most) and the ability to opt out (or a use/disclosure limitation) is required in the states that require the same (Utah, Iowa and California). As to children under 13, many state privacy laws define “personal data of a known child [under 13]” as sensitive data and apply the consent standards described above.
Maryland and Delaware have heightened restrictions as to sensitive data of children (and Teens, as to Maryland), and diverge from COPPA’s under age 13 scope (notably, Maryland’s restrictions on sensitive data apply regardless of age). In Maryland, a controller may not collect, process or share sensitive data concerning a consumer (of any age) unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer. Additionally, Maryland completely prohibits the sale of sensitive data of all consumers with no exceptions.
In Delaware, controllers cannot process sensitive data concerning a known child (under age 13) without first obtaining consent from the child’s parent or guardian, and complying with another Delaware law (§ 1204C of Chapter 12C of title 6). § 1204C generally restricts an operator of a website, online or cloud computing service, online application or mobile application directed to minors (under age 18) from marketing or advertising, or engaging in other activities that would result in the marketing or advertising, of products or services related to alcohol, tobacco, firearms, drugs, piercings and tattoos, lotteries and other similar products or services to minors (under age 18).
Does Compliance with COPPA’s Verifiable Parental Consent Requirement Fulfill Consent Obligations Under the State Privacy Laws?
Yes, some of the state privacy laws provide that compliance with COPPA’s verifiable parental consent fulfills consent obligations, but only with respect to children under 13. For the states that require consent for certain processing of Teens’ personal data, consent of the consumers (Teens) themselves is required.
Many of the state privacy laws provide, to various extents, that a controller’s compliance with COPPA will ensure compliance with certain consent requirements under the state privacy law. As background, COPPA requires verifiable parental consent prior to any collection, use and/or disclosure of personal data from children that is collected on an online service directed to children or on a mixed audience online service, or on a general audience online service where the provider has actual knowledge that the user is under 13.
The following states provide that, for children under 13, controllers that comply with the verifiable parental consent requirements under COPPA are compliant with any obligation to obtain consent under their privacy laws: Virginia, Connecticut, Utah, Florida, Texas, Montana, Delaware, Nebraska, New Hampshire, Minnesota, Maryland, Tennessee, Indiana, and Kentucky. Colorado states that the law does not apply to personal data regulated by COPPA, if the personal data is collected, processed, and maintained in compliance with COPPA. However, it does require parental or legal guardian consent prior to processing the personal data concerning a known child. Reading these provisions together, Colorado’s law seemingly does not regulate data collected online from children under 13 provided that it is collected, processed, and maintained in compliance with COPPA, but does otherwise require consent from a parent or legal guardian for the processing of personal data of children under age 13.
California similarly provides that a business “selling” or “sharing” (as defined in the CCPA) the personal data of a consumer that is younger than age 13 must establish, document and comply with a reasonable method for determining that the person consenting to that sale or sharing is the parent or guardian of that consumer. This requirement supplements a business’s COPPA obligations in California.
Are there any other relevant developments as to children’s or Teens’ data?
Beyond the state privacy laws, we have also previously reported on a federal privacy bill called the “Kids Online Safety Act” (KOSA). We discussed KOSA here, and amendments to KOSA here. The amended bill was published on February 15, 2024, and since then there have not been significant updates. However, sponsoring Senators have announced that KOSA has enough support to pass the Senate. You can track the bill here.
It is also notable that there have been attempts to amend COPPA, including by bringing Teens over the age of 12 and under the age of 17 into scope (COPPA 2.0). Although such amendments have not succeeded, it is possible that COPPA will be amended in the future. The federal American Privacy Rights Act bill, previously discussed here, included COPPA 2.0 within its May 23, 2024 draft. The May 23rd draft, (APRA Draft), along with COPPA 2.0, was unanimously advanced out of the House Energy and Commerce Subcommittee on Innovation in Late May 2024. Notably, APRA proposes to ban targeted advertising to a covered minor (defined as an individual under the age of 17).
Also note that Connecticut’s SB3 includes additional obligations related to online services directed to children and social media accounts. Such amendments were discussed briefly here, and will be highlighted in a future blog post. Vermont’s Act Relating to Enhancing Consumer Privacy and the Age-Appropriate Design Code also provides obligations specific to businesses that produce online products, services, or features that are targeted to residents of Vermont, if the bill is signed into law. Other states have also enacted age-appropriate design code bills, including California (although, notably, a district court has blocked enforcement of the law and litigation is ongoing) and Maryland. Maryland’s Age-Appropriate Design Code Act applies to for-profit legal entities that meet certain revenue and data processing thresholds and provide an online product reasonably likely to be accessed by children (defined as consumers under age 18), and provides obligations related to conducting data protect impact assessments, profiling prohibitions, and data minimization requirements. We have discussed other similar laws related to children’s personal data here.
Finally, New York State passed two bills focusing on children’s use of online technologies on June 7, 2024. The two bills are called the New York Child Data Protection Act and the Stop Addictive Feeds Exploitation for Kids Act. The bills are expected to be signed into law by Governor Kathy Hochul, although legal challenges to the bills are anticipated. Privacy World will discuss these bills and any legal actions in a future post.
Privacy World will continue to monitor changes to the State Privacy and federal law landscape, and keep you in the loop as to new developments related to children’s and Teens’ data.
- The Vermont legislature passed the “Act Relating to Enhancing Consumer Privacy and the Age-Appropriate Design Code” on May 10, 2024. The bill is still awaiting the governor’s signature or veto.