Now, On the Internet, Will Everyone Know if You’re a Child? 

With help from Laquan Bates, Policy Intern for Youth and Education

How Knowledge Standards Have Changed the Status Quo

As minors increasingly spend time online, lawmakers continue to introduce legislation to enhance the privacy and safety of kids’ and teens’ online experiences beyond the existing Children’s Online Privacy Protection Act (COPPA) framework. Proposals have proliferated in both the federal and state legislatures across the U.S. with varying approaches to minors’ privacy protections. Key pieces of this discussion are the age of individuals online, whether online sites and services know that an individual is a child, and how to balance kids’ and teens’ protections with anonymity online.

Recent state legislative proposals have used varied language to communicate knowledge standards and the obligations online sites and services have to know their audience or  individuals’ ages, such as “likely to be accessed by a child,” “targets or is reasonably anticipated to be accessed by children,” and “has actual knowledge, or willfully disregards a minor’s age.”  These standards can determine the scope of a law’s obligations and be accompanied by varying age thresholds defining a child, parental consent requirements, and age assurance mechanisms. With the variety and ambiguity of language used, it has become difficult for online service providers to determine whether they are required to ascertain the age of individuals using their service. 

We have prepared a resource summarizing the knowledge standards currently used in enacted U.S. privacy and online safety laws. 

Key Observations 

• All eleven enacted state youth privacy and safety laws provide protections for individuals beyond 13 years of age. 
• Laws with “likely to be accessed” or similar standards are less likely to require parental consent. 
• State privacy laws have varying degrees of requirements for the age assurance of individuals.
• Three out of four state youth privacy laws use a constructive knowledge standard. 
• State social media laws are more likely to have no knowledge standard for user age than other enacted privacy laws with youth privacy provisions. Social media laws with no knowledge standard typically require age verification, which, in practice, equates to actual knowledge of individuals’ ages. Three out of seven social media laws have no knowledge standard.
• Comprehensive state privacy laws with youth privacy provisions most often use an actual knowledge standard for knowing the age of minors. Six out of eight of these comprehensive laws use an actual knowledge standard. 
  

The Status Quo of Knowledge Standards Under COPPA

Knowledge standards can impact the scope of entities required to comply with a law as well as the law’s obligations, like the specificity of age assurance required. For example, under COPPA, businesses are required to obtain verifiable parental consent before collecting personal information from children under the age of 13. COPPA’s requirements apply to operators of websites or online services that are directed to children under 13 years of age or that have actual knowledge that they are collecting personal information from children under 13.  

U.S. legislation uses two types of knowledge standards regarding an individual’s age: actual knowledge and constructive knowledge. 

Actual knowledge refers to operators of online services, websites, or products being aware of, or knowing, a user’s age. Under COPPA, operators are not required to ask the age of users or visitors to obtain actual knowledge that a user or visitor is a child. An operator may still choose to ask about the age of users or visitors. Without asking the age of users or visitors, an operator may have actual knowledge of a user’s age if they receive information that allows them to determine the person’s age, like their grade in school. 

Constructive knowledge refers to operators of online services, websites, or products being legally presumed to know that a user is a child because they should have known the age of the user. Constructive knowledge can refer to instances in which an operator suspected the age of a user but decided against further inquiry. When a constructive knowledge standard is used, it may trigger an obligation for operators to ascertain the age of a user. 

The audience of a site or service determines the legal obligations of a company under COPPA. The COPPA Rule dictates that a website or online service may have one of three types of audiences: a general audience, a child-directed audience, or a mixed audience.

• A general audience site or service is one that is intended for individuals above the age of thirteen.
• A child-directed site or service is one where children under thirteen are the primary target audience. To determine what is “directed to children,” operators may consider whether the website or service is “targeted to children.” The FTC considers a list of characteristics when determining if a site or service is directed to children such as the subject matter; visual content; use of animated characters or child-oriented activities and incentives; music or other audio content; age of models, presence of child celebrities, or celebrities who appeal to children; advertising promoting the site or service, advertising appearing on the site or service, reliable empirical evidence of the site or service’s audience composition; reliable evidence of the audience the company intended to target in offering the site or service.
• A mixed audience site or service is one “directed to children” under the COPPA Rule, but whose primary target audience is not children under thirteen. 
  

A child-directed site under COPPA must treat all individuals as if they are children. Thus, child-directed sites are effectively considered to know or reasonably should know that individuals are children. Sites and services that are child-directed or have a mixed audience must comply with the law’s privacy protections, while general audience sites with no actual knowledge of collecting personal information from children do not. Operators of mixed audience sites or services may implement an age screen to ensure they do not collect personal information from children or they can obtain verifiable parental consent for that collection. However, operators of mixed-audience sites that implement an age screen may not block children from participating altogether, and discovering that an individual is a child will trigger COPPA’s consent and notice requirements. General audience sites may also choose to use an age screen, but COPPA does not prohibit them from blocking children from participating. The FTC has made it clear that mixed audience sites and services are considered “a subset” of the child-directed category. 

Constructive knowledge standards cast a wider net than actual knowledge standards, meaning that more online services should be concerned about compliance with kids’ and teens’ privacy protections. Constructive knowledge standards may cause general audience service providers to be included in new legal obligations and, therefore, increase the likelihood of a company implementing age gates and age assurance methods for the use of its online services. Constructive knowledge standards are also more difficult to interpret and implement, especially in attempting to distinguish between services that are used by 17-year-olds versus those used by 18-year-olds. 

Confusion Created by New Standards 

U.S. lawmakers have trended toward requiring service providers to have a greater awareness of the age of individuals using their online services. Additionally, recent legislation has increasingly included privacy protections for minors older than 13. While some new laws have included actual knowledge standards, there has been an uptick in using more ambiguous language and constructive knowledge standards. For example, Lousiana SB 162 uses “reasonably believes or has actual knowledge” that an individual is a minor under the age of 16. The language “actual knowledge” clearly indicates an actual knowledge standard while including “reasonably believes” is confusing and may lead to ambiguity without defining how a service provider may be considered to “reasonably believe” that an individual is a minor. If “reasonably believes” means that the service provider does believe that an individual is a minor and is reasonable in doing so, then it is effectively actual knowledge and it is unclear why this additional language is necessary. 

In contrast, the Maryland Age-Appropriate Design Code applies to entities that develop and provide online services, products, or features that are “reasonably likely to be accessed by children.” The Maryland law defines “reasonably likely to be accessed by children” as meaning that it is reasonable to expect that the online product would be accessed by children based on,  (1) the online product being directed to children as defined in COPPA; (2) the online product being determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children; (3) the online product being substantially similar or the same as an online product that satisfies item (2) of this subsection; (4) the online product featuring advertisements marketed to children; (5) the covered entity’s internal research findings determining that a significant amount of the online product’s audience is composed of children; or (6) the covered entity knows or should have known that a user is a child. 

By providing these factors, the Maryland law elucidates that the use of the “reasonably likely to be accessed by children” standard encompasses platforms that have actual knowledge or are directed to children. This standard seems very similar to COPPA’s standard for audience and knowledge of age. However, the Maryland law defines “child” as a consumer under 18, causing more online services to be within the scope of the Maryland law than are currently within COPPA’s. While online services may be familiar with assessing if they are within COPPA’s scope, it may be more complicated to assess whether their online service is reasonably likely to be accessed by anyone under 18 years old because the internet use of a 17-year-old is likely more similar to that of an adult’s than of a 12-year-old’s. 

Similarly, Florida SB 262 uses “likely to be predominantly accessed by children” to describe a gaming or social media platform’s obligation to assess its service’s audience and defines “child” as any consumer under the age of 18. However, Florida SB 262 does not define this standard, leaving more ambiguity. The law states that civil penalties for non-compliance may be increased for violations that involve the data of a “known child,” and a platform that “willfully disregards” a child’s age is considered to have actual knowledge. This increase in civil penalties for having actual knowledge of a child’s age suggests that the “likely to be predominantly accessed by children” standard uses a constructive knowledge or directed-to-children standard. 

“Willfully disregards” is often a constructive knowledge standard that refers to an operator deciding to not inquire about the age of an individual despite circumstances that suggest the operator reasonably knows or should have known an individual was a child. Some recent legislation uses an actual knowledge standard and subsequently states that willful disregard of a child’s age will be deemed as having actual knowledge, such as Florida SB 262 and the California Consumer Privacy Act while other privacy laws combine an actual knowledge standard and a constructive knowledge standard such as the Connecticut Data Privacy Act’s “actual knowledge or willfully disregards” that consumers are minors. 

Conclusion

Recent U.S. legislation has changed the youth privacy status quo from COPPA compliance to additional compliance with new state laws in efforts to improve the privacy and safety of minors online. Impactful changes were made by state legislatures using novel language to communicate the requisite knowledge that an online service provider must have of a minor’s age for compliance with state laws. These laws have expanded privacy protections for teens and require more online services to comply with privacy protections for minors than ever before. Some state laws combined traditional actual knowledge standards with constructive knowledge standards while others used new language altogether. State legislatures continue to prioritize work on new youth privacy legislation and without consistent language and definitions for knowledge standards in privacy laws, compliance across jurisdictions will become exponentially more difficult.

Access our resource for a summary of the knowledge standards currently used in enacted U.S. privacy and online safety laws.