Mapping The Regulations Protecting Children’s Privacy Online

The Internet can seem like a place without adult supervision, but in a space where minors are a growing segment of the online audience, companies are subject to a complex landscape of laws, regulations, and codes of conduct attempting to protect young users. When combined with the speed that technology is changing, it can be near-impossible to keep up.

As the online world has grown and changed over the last 25 years, the U.S. government has sought to regulate how companies can use changing technology while protecting consumer privacy and safety.

In 1998, the Children’s Online Privacy Protection Act (COPPA) was signed into law, requiring companies to implement measures to protect children online. COPPA has undergone a number of revisions since its introduction, and may soon go through another major round of changes with the Do Not Track Kids Act of 2015 currently in Congress. With elements that have already been adopted at the state level, the draft bill would extend protections for the first time to teenagers, thereby changing the operating standard for many companies’ online activities.

Understanding how COPPA has evolved and also where lawmakers are taking data privacy protection with upcoming legislation is critical for any company hoping to continue innovating and marketing. 

COPPA: Then and Now

COPPA empowered the Federal Trade Commission to issue and enforce rules around how companies engage with children online. With what seem now to be fairly basic elements, COPPA set the compliance standard for many online companies offering online experiences for kids: affects programs directed to those under 13 years old; personal information includes name, address, and Social Security number; and parents must give consent for companies to obtain this information from their children.

As technology has developed, the FTC has made an effort to keep COPPA regulations current in the face of new tools companies are using to more precisely target and market to their audiences. In 2013, COPPA was updated to include “persistent identifiers” such as cookies, geolocation information, photos, videos and audio recordings as protected personal information.

These revisions meant that COPPA now extended to protect both the data that children provided online intentionally, but also the information companies may collect via automated technology installed on their websites. Cookies and location data are helping marketers to know their customers with more precision, and the decision to regulate these technologies has implications for the ways companies can use the information.

Where we’re headed: Do Not Track Kids Act

While COPPA remains the baseline for regulating how companies can engage with children online, companies should expect more controls as new technologies cause government to adapt.

One sign of what may be ahead comes in the form of the Do Not Track Kids Act of 2015, a bill introduced to both the House and Senate earlier this year. While the text of the Do Not Track Kids Act has appeared in two previous failed draft bills in 2011 and 2013, the fact that lawmakers have continued to return to the measures included in the bill suggests that these COPPA amendments should be anticipated.

If the Do Not Track Kids Act passes this time around, what will that mean for technology providers? Quite a bit, actually. First, the bill defines and applies its safeguards to “minors” older than age 12 and under age 16, meaning that an entirely new teen demographic of Internet users will be covered by the new protections.

Second, the definition of “operator” will change: what currently only impacts websites and online services may in the future cover mobile applications — a further sign that regulators are modernizing law to square with an increasingly mobile-first consumer.

COPPA-required consent mechanisms have been seen as unwieldy by marketers and led some to make their online experience less interactive so as not to test COPPA’s parental consent requirement. Lessening the user experience isn’t the only choice, though.

Earlier this year, YouTube announced a kids-specific app to ensure only age appropriate results appear in searches. This move does segment YouTube’s audience, but it also shows the level of effort that major online operators are engaged in to meet expectations of consumers and regulators to provide a safe online environment. There’s no one-size-fits-all solution, and companies will be required to chart their own path within the legal framework.