Think of the Children: A Comparison of APRA and COPPA 2.0
May 6, 2024 by Miles Light, Counsel, Privacy Technology, BBB National Programs
Although there is widespread agreement that children need to be protected online, the main point of contention seems – once again – to center on how best to do that. A generation ago, the Children’s Online Privacy Protection Act of 1998 (COPPA) set ground rules for online businesses when collecting and processing data collected from individuals under 13.
Where do we stand today?
In the past few years, following a growing number of longitudinal studies and psychological experts, advocates, parents, and policy makers raising concerns about a statistically significant correlation between poor adolescent mental health outcomes and social media use, COPPA’s narrow scope is being reexamined.
An original sponsor of 1998’s COPPA, Senator Ed Markey (D-MA) is looking to breathe new life into the Napster-era law with updates that would age up COPPA while layering on new protections. Amidst stalled talks on comprehensive legislation in the past few Congresses, Senator Markey has continued his campaign to pass the Children and Teens Online Privacy Protection Act (CTOPPA), popularly dubbed COPPA 2.0.
Meanwhile, rearing its head at an important time, a federal consumer privacy bill focused on regulation of all consumer data, the American Privacy Rights Act (APRA), also seeks to impose heightened protections for children.
It is vital that the business community at large parse through these two approaches and understand where these bills would overlap or contradict each other. To help you with that parsing, BBB National Program’s Children’s Advertising Review Unit (CARU) privacy team is breaking them down.
Comparing the Main Objectives
APRA enables heightened protections on all consumer data, with new obligations on businesses. Among these obligations is a more stringent set of requirements focused on the processing of sensitive data. Due to the nature of its data minimization requirements and the specific permitted purposes for the use of sensitive data, APRA has been viewed by many privacy scholars as being closer to a “GDPR-like” model, perhaps in some ways even more restrictive.
APRA lacks any consent or legal bases provisions to allow for additional data processing use cases, which is where it differs from the GDPR and perhaps supersedes its expectations. Of note, one of the categories of protected sensitive covered data in APRA is “information of a child” (child being defined as under the age of 17), which means the law would add new requirements for businesses processing the data of, about, or from a 13–17-year-old.
But, while APRA includes this catchall data minimization provision, it does not explicitly tackle some of the thornier issues focused on online safety, research, and advertising and marketing to minors.
As was noted during an April Energy & Commerce hearing, a few members of Congress are disappointed by the lack of clear and robust protections on children’s information. Cue the COPPA 2.0 bill's entrance, which was also introduced and supported in a bipartisan manner this legislative session. Importantly, COPPA 2.0 hones in on protections for all minors under 17.
Comparing Key Provisions
Definition of a Minor
Both APRA and COPPA 2.0 define minors as under 17; however, COPPA 2.0 makes a distinction between the following:
- “Child” is defined as an individual under 13 years of age.
- “Teen” is defined as an individual over 12 but under 17.
APRA refers to individuals under 17 as “covered minors,” and data about a covered minor is defined as one of the categories of “sensitive covered data” necessitating conformance with APRA’s sensitive covered data minimization requirements.
- Information about a covered minor, the language used in APRA, is notably broader than COPPA Classic, which specifies compliance obligations where personal information is collected from a child.
Knowledge Standard
APRA does not appear to establish a knowledge-based regime concerning the data of minors, unlike many other privacy proposals from the states.
COPPA 2.0, on the other hand, would loosen COPPA’s stringent “actual knowledge” standard to an “actual knowledge or knowledge fairly implied on the basis of objective circumstances” standard (enforcement bodies would consider the totality of the circumstances when assessing whether a reasonable and prudent person under the particular circumstances would have known that a user was a minor). The bill also calls on the FTC to issue guidance that provides best practices and examples to help operators understand this standard.
Data Minimization and Consent
As with all covered data under APRA, the collection, processing, transfer, and retention of a minor’s data would be subject to a general data minimization requirement. This data minimization provision would limit activities to either a list of permitted purposes or data that is “necessary, proportionate, and limited to provide or maintain” for a specifically requested product or service, OR a communication that is reasonably anticipated within the context of the business-consumer relationship.
Because information reasonably linkable to a covered minor would also meet the definition of sensitive covered data, the data of a covered minor would be subject to a sensitive covered data opt-in (affirmative express consent) requirement prior to onward third-party transfers. This also has serious implications for how covered minor data is treated in the context of advertising, as seen in the “Advertising” section below.
While COPPA has always contained a minimization requirement, its requirement is less robust than the minimization contemplated by APRA. COPPA 2.0 would retain this limited minimization concept, prohibiting companies from retaining the personal information of a child or teen for longer than is necessary to fulfill a transaction or service requested by the child or teen. Since COPPA and COPPA 2.0 only use the operative verb “retain,” this minimization requirement would not necessarily apply to collection, processing, or transfers in the same way as APRA.
COPPA 2.0 includes an opt-in consent model. It would allow teens to opt in on their own behalf while retaining the COPPA Classic requirement of Verifiable Parental Consent (VPC) from a parent or guardian for children under 13.
Advertising
One of the biggest issues Congress will have to address is how APRA handles advertising practices. There is a general requirement to provide an opt-out for targeted advertising to all consumers. However, sensitive covered data appears to be excluded from the data companies may use for targeted, first-party, and contextual advertising under the list of “permitted purpose.” As data about a covered minor constitutes sensitive covered data, this may limit how advertisers interact with minors.
Unlike APRA, COPPA 2.0 appears to allow contextual and first-party advertising to minors (with consent) while fully banning targeted advertising. The definition for individual-specific advertising appears to align well with the APRA definitions of “targeted advertising,” including traditional exclusions for search advertising, contextual advertising, and processing solely for measuring or reporting.
COPPA 2.0 also would allow operators to deliver advertising or marketing that is “age-appropriate and intended for a child or teen audience, so long as the operator does not see any [PI] other than whether the user is under the age of 17.”
Enforcement
Three parties can enforce APRA: the FTC, States’ Attorneys General (or the CPPA in California), or private plaintiffs under a limited private right of action. The private right of action is limited by specifying only a handful of situations in which pre-dispute arbitration agreements are non-binding, specifically stating that no such agreement is enforceable with respect to “a claim alleging a violation involving an individual under the age of 18.” Notably, this is a different age threshold than the definition of “Covered Minor,” which covers individuals “under the age of 17.”
Much like the current COPPA statute, the requirements of COPPA 2.0 would be enforceable under civil actions by both the FTC and States’ Attorneys General. COPPA 2.0 would retain the COPPA Safe Harbor provisions but would impose new publication requirements for any report or documentation required by regulation to be submitted by a safe harbor program. Like COPPA Classic, COPPA 2.0 does not have a private right of action.
Preemption and Relationship to Other Laws
APRA’s Section 20 proposes a complex system of preemption that aims to balance establishing a uniform national standard for comprehensive privacy requirements while allowing for states to preserve a wide range of laws outside of the scope of “comprehensive” privacy regulation.
Section 21 also preserves the 1998 COPPA statute but there seems to be a direct conflict between the obligations imposed by the APRA draft and existing COPPA compliance practices.
Members of Congress have noted that the bill would not supersede any more stringent state children’s privacy laws.
COPPA 2.0 would replace COPPA’s current preemption clause, which prevents state and local government from imposing “inconsistent” laws in conjunction with COPPA, to explicitly state that “nothing in [COPPA 2.0] shall be construed to prohibit any State from enacting a law, rule, or regulation that provides greater protection to children or teens,” opening the door for states to adopt their own laws so long as the provisions do not “conflict[].”
As policy conversations continue, make sure you are staying ahead of the curve. Set up a free COPPA Safe Harbor consultation with CARU today.