Yesterday, Rep. Kathy Castor (D-FL) introduced an updated version of the “Protecting the Information of our Vulnerable Children and Youth Act” (Kids PRIVCY Act), which would make broad changes the Children’s Online Privacy Protection Act (COPPA).  Rep. Castor introduced a similar bill in early 2020, but it stalled alongside other proposals to overhaul the federal children’s privacy law last year.

Enacted in the late 1990s, COPPA applies only to certain personal information collected, used, or disclosed online from children under 13 years old.  The PRIVCY Act would greatly expand COPPA’s scope in several ways.  First, it would broaden the definition of personal information to include physical characteristics, biometric information, health information, education information, contents of messages and calls, and browsing and search history — and would apply the definition whether collected from the child or not.  Second, it would create a new class of “teenagers” between the ages of 13 and 17 whose personal information would be subject to the bill’s requirements.  While parental consent would still be required only for children under 13, teenagers themselves would have to provide opt-in consent before their personal information was collected, used, or shared online.

The PRIVCY Act also would significantly expand the scope of online sites and services that are subject to the law.  Currently, COPPA applies only to sites or services that either are directed to children under 13 or have “actual knowledge” that they collect personal information from children under 13, which is a high bar to meet.  Rep. Castor’s bill would expand the bill beyond child-directed sites and services to those that are “‘likely to be accessed by children or teenagers,” which means that “the possibility of more than a de minimis number of children or teenagers accessing the digital service is more probable than not.”  Additionally, the PRIVCY Act would apply the notice and consent requirements to online sites and services that have actual or constructive knowledge that they “process” personal information about children or teenagers.

The bill doesn’t just expand the COPPA’s applicability — it also places new requirements on online sites and services.  Significantly, the bill prohibits online sites and services from displaying targeted advertising to children and teenagers based on their behavior or personal information.  The bill also provides for rights to access, correction, and deletion of children’s and teenagers’ personal information, and it imposes limits on the ability of operators to disclose personal information to third parties.

The PRIVCY Act incorporates certain features of the UK’s new Age Appropriate Design Code, including requiring operators to conduct Privacy and Security Impact Assessments and to make the “best interests” of children and teenagers a primary design consideration.  The bill also requires operators to take a “risk-based approach” to determining the age of users on the site, directing the FTC to engage in rulemaking to help companies determine what are appropriate “age assurance” mechanisms.

Like its predecessor, the PRIVCY Act would repeal COPPA’s safe harbor provision, which enables covered operators to rely on a safe harbor if their privacy practices have been certified by FTC-approved organizations.

On the enforcement front, the PRIVCY Act would allow the FTC to pursue civil penalties that are 50 percent higher than the current maximum (a jump from $43,792 to $63,795 per violation) as well as punitive damages.  Separately, it would create a private right of action that would allow parents to sue online sites and services for violations of the bill’s provisions.

Rep. Castor’s bill joins a growing number of proposals to update COPPA.  In May, for example, Senators Markey and Cassidy introduced the Children and Teens’ Online Privacy Protection Act, which would expand COPPA to impose additional requirements on minors between the ages of 13 and 16, among other things.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.