Child Privacy Protections Compared: California Consumer Privacy Act v. Proposed Washington Privacy Act

|

By Anisha Reddy, Tyler Park, and Amelia Vance

As legislatures consider enacting broad consumer privacy legislation, officials must consider whether, and how, to address children’s and teen’s privacy. The leading models for addressing consumer privacy contain language addressing child privacy that differs in significant ways. Many states have introduced legislation that mirrors the framework of the California Consumer Privacy Act (CCPA). The proposed Washington Privacy Act (SB 6281) has also emerged as an influential framework. CCPA and SB 6281 differ in many respects, including with regard to child privacy. As described below, the frameworks take different approaches to the age of youth protected, the statutory knowledge standards, and the consumer rights granted. 

As FPF previously wrote, SB 6281 would create a comprehensive data protection framework for Washington residents that includes both individual rights and obligations on data “controllers,” (both for-profit businesses and nonprofits) that go beyond the rights and obligations in CCPA. A bill similar to SB 6281 failed to pass the Washington legislature in 2019, but SB 6281 is an influential model for states considering alternatives to California’s approach to consumer privacy legislation. 

Both CCPA and SB 6281’s approaches to child privacy build on the federal Children’s Online Privacy Protection Act (COPPA), which requires “operators of commercial websites and online services directed to children under 13 or knowingly collecting personal information from children under 13 to obtain verifiable parental consent prior to the collection, use, or disclosure of children’s personal information.” A chart with a full comparison of the relevant language in COPPA, CCPA, and SB 6281 is below. 

CCPA adds new consumer rights for children and also extends child privacy protections to teens. SB 6281 would add new consumer rights for children, such as data portability, but would not extend child-centric protections to teens. The approaches differ in how they craft protections for children: CCPA contains specific requirements regarding the sale of children’s data, while SB 6281 would place children’s data in a larger category of “sensitive data” that would enjoy heightened protection – the category would also include types of data not related to age such as biometrics. 

CCPA and SB 6281 differ in three key ways: 

  • the age of youth who are protected;
  • the knowledge standards; and 
  • the consumer rights granted. 

Age of youth who are protected: CCPA extends child privacy protections to youth under age 16, while SB 6281 would provide heightened protections for children under 13. Though SB 6281’s approach mirrors COPPA’s age threshold, CCPA’s expansion of special protections to teens is likely to become more common. Most consumer privacy bills introduced since CCPA was passed in 2018 would also extend protections to teens. Creating special protections for teens’ data is consistent with international trends – Europe’s GDPR sets age 16 as the threshold for special privacy protections, but permits member states to reduce the age as low as 13; many countries have chosen to retain age 16 as the age of consent for data processing. Though SB 6281 would not apply age-based protections to teens’ data, it would apply strong protections to sensitive data for all consumers, not just young people. Therefore, teens using online services in Washington would still experience a meaningful increase in their privacy rights and protections.

Knowledge Standards: CCPA and SB 6281 contain different “knowledge standards” – they have different thresholds for determining when a regulated entity “knows” a user is a child. SB 6281 would categorize the “personal data from a known child” as “sensitive data,” which would require parent permission before a collector could process the child’s data. What constitutes a “known child” in this context is not clear. 

In contrast, CCPA adopts the “actual knowledge” standard from COPPA and adds that a business that willfully disregards a consumer’s age has actual knowledge of the consumer’s age. Entities are subject to COPPA if they have “actual knowledge that they are collecting, using, or disclosing personal information from children under 13.” While many experts have traditionally advised companies that this standard was applicable only if the company knew a specific child was using their platform, the FTC’s recent YouTube settlement has raised questions about whether more generalized knowledge that children are using an entity’s service could be interpreted as falling under the actual knowledge standard–for example, the FTC’s complaint noted that YouTube enticed brands to market on YouTube by highlighting that children were using the service. 

Consumer rights granted: While CCPA creates protections for children and teens that relate to the sale of their data, SB 6281 would require parental consent before a controller may “process,”  meaning perform “any operation” on, data of a known child. Under CCPA, children’s data cannot be sold unless parents (if a child is under 13) or teens (ages 13–15) opt-in to sale. CCPA also provides new protections to all consumers regardless of age: they are given the right to request deletion of personal information, the right to know how their information is used, and businesses may not discriminate against consumers for exercising CCPA rights. While CCPA’s protections for children only currently apply to the sale of data, a ballot initiative to amend CCPA would expand the legal protections to cover the “sharing” of children’s data as well; the initiative will be voted on in November 2020.

SB 6281 would require collectors to obtain opt-in consent from parents before taking a much wider variety of actions than those covered by the child privacy provisions in CCPA. Collectors would not be permitted to process “sensitive data,” a category that includes data from a known child, without obtaining consent from the child’s parent or guardian. “Sensitive data” also includes non-age-related types of data such as religious beliefs, mental or physical health information, sexual orientation, unique biometric or genetic identifiers, and specific geolocation data. While CCPA’s child-specific protections only address sale of children’s data, SB 6281 would govern “any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” This scope of protections for children is wider than the protections included in both CCPA and COPPA.

Preemption? It is important to note that COPPA preempts some child privacy laws, preventing states from enacting requirements that conflict with COPPA provisions. Privacy expert Peter Swire has written that COPPA preempts state’s attempts to regulate activities covered by COPPA. Though the scope of COPPA preemption has not been decided by courts, the Federal Trade Commission, which enforces COPPA, wrote in an amicus brief that it believes Congress did not intend for COPPA to displace state laws that create additional protections for teens. Even if a court finds that COPPA preempts some or all of the child privacy protections in CCPA or SB 6281 (if it is enacted), both frameworks are nevertheless influential as Congress considers how to craft a comprehensive federal privacy law or update COPPA.

 

Washington state and California share a commitment to youth privacy, but the CCPA and SB 6281 approaches diverge in notable ways that could eventually create headaches for businesses attempting to comply with differing U.S. and international standards. We’ve seen this in student privacy, where edtech companies need to examine more than 100 state and federal student privacy laws to determine their legal obligations. Moving ahead in 2020, we expect to see other states introduce bills based on CCPA and SB 6281 that include additional protections for children, as well as standalone state and federal bills governing child privacy.

 

Child Privacy Protections in COPPA, CCPA, and SB 6281

COPPA  CCPA SB 6281
Age Applies to children under age 13 Applies to children under age 16 Would apply to children under age 13
Who can consent to data collection/use? Parents or guardians Parents or guardians (when child is under age 13) or Teen (when they are age 13 or over) Parents or guardians
Information Covered Personal information from a child collected or maintained by operators of commercial websites and online services directed to children or with actual knowledge the operator is collecting, using, or disclosing children’s data.  Personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age. The personal data from a known child.
Rights and Protections Parental consent must be obtained before data is collected. Parents also have rights to access and delete their child’s information. Operators must also have a privacy policy; maintain information only as long as necessary to fulfill the purpose for which it was created; and maintain the confidentiality, security, and integrity of information. Children and 13–15 year olds must opt-in for data to be sold; consumers of all ages have rights: to access, delete, opt-out of the sale of their data, be informed of collection, and not be discriminated against for exercising CCPA rights. Parental consent would need to be obtained before processing data from a “known child.” Consumers of all ages would have rights: to access, correct, delete, port, and opt-out of data processing.
How the Law/Bill Incorporates Child Privacy Entirely focused on protections for children under 13. Sale of data is opt-in instead of opt-out for children under 16; all other protections applicable to all consumers, including children. “Personal data from a known child” would be a type of “sensitive data,” and “sensitive data” requires opt-in consent before processing. 
Knowledge Standard Operators with products that are “directed to children” or that have “actual knowledge” they are collecting data from a child. Applies to businesses with “actual knowledge” that consumer is under 16; willful disregard constitutes actual knowledge. Would apply to personal data from a “known child,” with child defined as under 13. “Known” is not defined. 
Exceptions Information used for internal operations is exempt from needed consent [None applicable] Collectors in compliance with the verifiable parental consent mechanisms under COPPA and personal data regulated by FERPA