President Biden Demands Action on Children’s Privacy, and Both Regulators and Industry Groups Are Quick to Respond

Both the Federal Trade Commission (FTC) and the Better Business Bureau National Programs Center for Industry Self-Regulation (CISR) quickly responded to President Biden’s statement during this year’s State of the Union address that “[i]t’s time to strengthen privacy protections, ban targeted advertising to children, [and] demand tech companies stop collecting personal data on our children.”

First, on April 19, 2022, the CISR introduced its TeenAge Privacy Program (TAPP) Roadmap. The roadmap, developed by the CISR with a group of U.S. businesses, is intended to help companies “build digital products and services that consider and respond to the heightened potential of risks and harms to teenage consumers,” defined as consumers aged 13 to 17, inclusive. In many ways, the roadmap promotes a privacy-by-design and by-default approach to products and services used by teens. For instance, the roadmap encourages businesses to:

• Implement opt-in consent to the collection of personal information, including for interest-based advertising purposes;
• Incorporate default settings that are privacy-protective (such as minimizing collection to only what is necessary for the delivery of the product or service and turning off the collection of precise geolocation data);
• Adapt disclosures and choices so that they are understandable to a teenage audience;
• Limit their collection of sensitive personal information;
• Shorten the retention period for personal information when there is a risk of harm to the teen; and
• Vet their service providers.

Then, exactly a month later, the FTC adopted a policy statement reiterating its commitment to enforce the Children’s Online Privacy Protection Act and its implementing rule (together, COPPA) against alleged violations by education technology companies. COPPA has long been an enforcement priority for the FTC (see some of our prior alerts It’s 10 p.m. Do You Know What Your Third-Party Integrations Are Doing? Mobile App Developer Fined $4 Million for Alleged COPPA Violations Through In-App Advertising, The Company Who Cried “General Audience”: Google and YouTube to Pay $170 Million for Alleged COPPA Violations, and Thank You, Next Enforcement: Music Video App Violates COPPA, Will Pay $5.7 Million) and, in its own words, the FTC is “committed to ensuring that [ed tech] tools and their attendant benefits do not become an excuse to ignore critical privacy protections for children.” The FTC emphasizes that it will focus in particular on:

• COPPA’s prohibition against mandatory collection of personal information: COPPA prohibits a covered company from conditioning participation in any online activity upon the child’s disclosure of more personal information than reasonably necessary to participate. For instance, if an ed tech provider does not need to email students, the student’s access to the ed tech platform cannot be conditioned upon the provision of an email address.
• Use prohibitions: The FTC has taken the position that an ed tech company may obtain the parental consent required by COPPA from a school or school district in place of the parent, but only if the company uses students’ personal information solely to provide the service and not for unrelated commercial purposes, such as advertising.
• Retention prohibitions: COPPA prohibits a covered company, including an ed tech provider, from retaining children’s personal information for longer than reasonably necessary to fulfill the purpose for which it was collected. A company may not retain the information for speculative future uses.
• Security requirements: COPPA requires a covered company to maintain the confidentiality, security, and integrity of children’s personal information. As part of this, the company must obtain assurances from its service providers and third parties that process or receive children’s personal information that they similarly have reasonable security measures in place.

We do not expect the FTC’s focus on children’s privacy to wane. The agency has announced that, on October 19, 2022, it will host researchers, child development and legal experts, consumer advocates, and industry professionals at a virtual event on children’s privacy “to examine the techniques being used to advertise to children online and what measures should be implemented to protect children from manipulative advertising.” The FTC is accepting research papers and written comments on the topic until July 18, 2022.