This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Data Privacy

California Privacy: CCPA/CPRA Children’s Data Protection

Sam Noss, July 18, 2023

Digital technology and social media’s increasingly central role in our lives, and in the lives of our children, means that data privacy and data protection concerns are gaining significant attention. 

With the rise in data breaches and misuse of consumers’ personal information, governments worldwide are implementing legislation to safeguard consumer rights. In the U.S., more than 10 states have enacted privacy laws, and California leads the way with its comprehensive legislation, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). 

It’s important to understand the regulatory protections of children’s data under the CCPA/CPRA and how they compare with other state and federal privacy laws in the U.S. and the European Union’s General Data Protection Regulation (GDPR).

Data Privacy Laws and Children’s Data

Children require special privacy protections as they’re more vulnerable and less aware of the potential risks associated with data processing. 

Various privacy laws recognize this need and include provisions specifically targeting the protection of children’s data for covered businesses. These laws aim to strike a balance between allowing children to benefit from digital services while ensuring their safety and privacy.

US Privacy Laws Covering Children’s Data

Children’s Data Under California Privacy Law

Under California privacy law, specifically, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), there are provisions dedicated to the protection of children’s data. The CCPA/CPRA extend privacy protections to California residents of all ages, including minors

Businesses operating in California must provide notice to consumers, including parents or guardians of minors, about the collection and use of sensitive personal information. When it comes to children’s data, the CCPA requires businesses to obtain affirmative authorization or opt-in consent to sell the data of a person under the age of 16. Children between the ages of 13 and 16 can provide their own consent, but for children under the age of 13, businesses must obtain verifiable parental consent before collecting or selling their data.

The CPRA strengthens children’s privacy rights by establishing the California Privacy Protection Agency (CPPA) to enforce the law’s provisions. The CPPA is responsible for developing regulations and guidelines to protect minors‘ personal information. By specifically addressing children’s data protection and requiring verifiable parental consent, California’s privacy law aims to ensure that children’s privacy and personal information are respected and handled with care and caution.

California Age-Appropriate Design Code

The California Age-Appropriate Design Code (CAADCA) is a set of guidelines aiming to protect the privacy and online safety of minors in California. 

The CADC is part of the CCPA and emphasizes age-appropriate design principles for websites, online services, and applications directed toward children under 18. It ensures businesses take specific measures to design their online platforms with children’s best interests in mind. The code includes provisions like providing clear and easily understandable privacy policies, obtaining verifiable parental consent before collecting personal information from minors, limiting the collection of data to only what’s necessary for providing services, and establishing robust data security practices. 

It also emphasizes the importance of minimizing personal information collection and retention, preventing the disclosure of personal information without explicit consent, and implementing strong safeguards against potential data breaches. The California Age-Appropriate Design Code Act ensures businesses prioritize the privacy and safety of young users to foster an online environment that’s more conducive to their well-being and protection.

Children’s Data Under Virginia Privacy Law

Virginia became the second state in the U.S. to pass a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). 

In contrast to California’s privacy laws, the VCPDA defines a child as “any natural person younger than 13 years of age,” and describes sensitive data as including any “personal data collected from a known child.” Any personal data collected from a child is subject to VCDPA requirements for processing sensitive data

The VCDPA, similar to the CCPA/CPRA, requires businesses to provide privacy notices and obtain consent for the processing of sensitive data, including children’s data.

Children’s Data Under Colorado Privacy Law

Colorado‘s privacy law, the Colorado Privacy Act (CPA), follows the trend of comprehensive data protection legislation and largely aligns with the VCDPA’s provisions for children’s data.

However, unlike Virginia’s law, the CPA doesn’t apply to Children’s Online Privacy Protection Act (COPPA)-regulated personal data as long as the organization collects, processes, and maintains the data in compliance with the law. Further, Colorado doesn’t require controllers to process children’s data following COPPA guidance, likely because the CPA is inapplicable to this data.

The CPA empowers individuals, including minors, to exercise privacy rights like accessing, correcting, and deleting their personal data. The CPA requires businesses to provide transparency regarding data collection practices and obtain consent for processing sensitive personal data.

What is the Children’s Online Privacy Protection Act (COPPA)?

The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law focusing on protecting the privacy and personal information of children under the age of 13. Enforced by the Federal Trade Commission (FTC), COPPA places certain obligations on website operators and online service providers collecting or processing personal information from children. 

COPPA defines personal information broadly and includes elements like names, addresses, email addresses, telephone numbers, social security numbers, precise geolocation data, biometric information, photos, videos, and audio recordings. The law also covers persistent identifiers like cookies or IP addresses that can be used to recognize a child over time and across different websites or online services.

Which Businesses Must Comply With COPPA?

COPPA compliance applies to a wide range of businesses and entities that collect or process personal information from children under the age of 13.

The law covers both commercial websites and online services that are directed to children or have actual knowledge of collecting information from children. COPPA also applies to general audience websites or online services with a separate section or portion specifically targeted at children. 

The definition of covered entities extends beyond just website operators and includes mobile apps, gaming platforms, advertising networks, social networking services, and other online entities interacting with children. Even third-party service providers that support or assist in the collection and processing of personal information on behalf of covered entities must comply with COPPA

It’s important for businesses, regardless of their size or industry, to conduct assessments and determine if their online activities fall within the scope of COPPA, as non-compliance can result in significant penalties and reputational damage.

How to Comply with COPPA

To comply with COPPA, website operators and online service providers must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. They’re also required to provide clear privacy policies outlining their data collection practices and ensure the cybersecurity and confidentiality of children’s personal information. 

COPPA plays a crucial role in protecting children’s privacy online and gives parents control over the personal information collected from their children, helping to create a safer online environment for young users.

GDPR and Children’s Data

While the focus so far has been on U.S. privacy laws, it’s essential to consider the EU’s GDPR, which sets a high standard for data protection

The GDPR includes specific provisions for the protection of children’s data and applies to businesses offering goods or services to individuals in the EU. Under the GDPR, children under the age of 16 require parental consent for the processing of their personal data, although member states have the flexibility to lower the age to a minimum of 13. 

The GDPR also emphasizes the importance of clear, child-friendly privacy notices and establishes the right for children to access, correct, and delete their personal data.

Children’s Privacy Protection in the US versus the EU

Children’s privacy laws in the U.S. and the EU share a common objective in safeguarding children’s personal information. 

In the US, the Children’s Online Privacy Protection Act (COPPA) sets specific requirements for the collection and use of children’s data, federally mandating verifiable parental consent for children under 13. 

However, some state-level privacy laws in the U.S., like Tennessee’s, offer general privacy protections for individuals of all ages but focus less specifically on children’s data

On the other hand, the EU’s General Data Protection Regulation (GDPR) includes explicit provisions for protecting children’s personal data and applies to businesses offering goods or services to individuals in the EU. The GDPR requires parental consent for processing children’s personal data under the age of 16, though member states can lower this age to a minimum of 13. Additionally, the GDPR emphasizes child-friendly privacy notices and gives children the right to access, correct, and delete their personal data. The GDPR‘s stringent approach to data protection sets a higher standard compared to U.S. privacy laws, emphasizing the importance of consent, transparency, and individual rights. 

Overall, while both the U.S. and the EU prioritize children’s privacy, the GDPR provides more comprehensive and explicit protections for children’s personal data.

Closing Out

Protecting children’s data in an increasingly digital world is a crucial aspect of privacy legislation. The CCPA/CPRA, COPPA, VCDPA, CPA, and the GDPR all recognize, on some level, the significance of safeguarding children’s privacy rights. 

As technology continues to evolve, it’s crucial for lawmakers to remain vigilant in adapting and enhancing privacy legislation that adequately addresses the unique privacy concerns surrounding children’s data

By striking the right balance between innovation and protection, we can ensure children are able to explore the digital world with confidence while their privacy and safety remain intact.

subscribe to GrailMail

Like what you see?

Get data privacy updates sent straight to your inbox.