Understanding the Updated Guidelines on Cookies and Consent Under the GDPR
With the growing prominence of the internet through the 1990s, children began creating their digital footprint at a young age without fully understanding what they were signing up for, raising concerns about online platforms’ approach to privacy. To address these concerns, the government enacted laws governing child privacy. Adherence to these laws allows organizations to mitigate these concerns; however, simply following the guidelines will not fully protect organizations from financial and reputational risk. Organizations have made direct efforts to comply with the regulations, but many still face consequences for not designing sufficient privacy notices and consent management processes. Let us explore two of these regulations in more detail and highlight the ramifications of insufficient child privacy compliance efforts.
Regulatory Response:
Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 2000 with the intent of placing parents and guardians in control of their children’s personal information (PI). COPPA applies to all websites and online services that are directed towards children or knowingly collect the PI of children. COPPA defines a child as an individual under the age of 13. The law includes requirements for covered entities regarding choice and access to PI, privacy notices, parental consent to PI collection, and rules around security and retention of PI. The California Consumer Privacy Act (CCPA), enforced by the Attorney General of California, echoes many of COPPA’s requirements. However, the CCPA notably adds that children between the ages of 13 and 16, though legally allowed to consent on their own behalf, must give express authorization before organizations collect their PI.
Organizations can face strict financial penalties from the US government for non-compliance, especially when not meeting privacy notice and consent management requirements. In the following sections we examine two foundational elements of these laws to show practical challenges and solutions for addressing their requirements related to privacy notices and consent management.
Privacy Notice Requirements:
Privacy notices should be a fundamental part of an organization’s online presence. The COPPA and CCPA require covered entities to develop and maintain a notice that is understandable, and to take reasonable measures to ensure it is delivered to parents and guardians prior to the collection of a child’s PI. A visible link to the privacy policy is required on every webpage that collects PI. The notice should:
- provide a description of the types of PI collected;
- explain how the PI is collected;
- explain how the PI is used;
- identify any third parties or services collecting PI;
- explain what PI will be processed by third parties; and
- explain PI collection methods by third parties.
While both regulations define the requirements for an acceptable privacy notice, end-user comprehension remains an issue with most notices. This is not a new concern: the FTC’s 2010 “Protecting Consumer Privacy in an Era of Rapid Change” report noted that “consumers typically do not read, let alone understand” privacy statements. More recently, the New York Times Privacy Project analyzed 150 privacy notices, including those of Facebook and Tumblr, and found that the vast majority were written at a college reading level. Twitter’s privacy notice is a 19-page document once downloaded as a PDF, and Instagram directs users to a webpage with 14 lengthy sections. Given that the vast majority of privacy notices are filled with legal terminology, many organizations publish policies that are not reasonably clear or condensed into a format the average user or child can understand.
Therefore, organizations should aim to craft privacy notices that are easily consumable. Organizations should consider these leading practices:
- Create a layered notice, with easily digestible statements on the required sections listed at the top of the privacy notice;
- Provide a separate section covering the PI collected from children and how it is used, so that parents and guardians can easily locate the information applicable to their children;
- Include a communications clause informing parents and guardians how to reach the organization with any inquiries; and
- Link conspicuously to the notice, including from the footer of webpages and mobile apps.
In addition to these privacy notice considerations, organizations must also focus on the proper implementation of consent management.
Child Privacy Consent Management:
The COPPA and CCPA both require parental consent for organizations to collect and process children’s PI. While the concept of consent seems straightforward on paper, implementing consent can be complex when an organization’s users span various age groups.
TikTok, a video-sharing social media application, is one of many organizations receiving criticism for lenient child privacy consent policies. Under its former name, Musical.ly, TikTok was forced to pay a $5.7 million fine to the FTC for allowing users under the age of 13 to sign up for the application without parental consent. As a result, TikTok created a restricted version of its application for younger users, but children could easily access the adult version by falsifying their birthdate. In April 2020, TikTok introduced “Family Planning”, a feature that enables parents and guardians to link their account to their children’s account. Parents and guardians are now able to directly control the content their children see, set screen time limits, and toggle direct messages on or off.
In addition to TikTok, the FTC fined YouTube $170 million in 2019 for collecting and tracking children’s PI for targeted advertising. As a result, YouTube announced it would implement a labelling system. Partially automated, the labelling system marks certain videos as “child oriented”, but YouTube users are also held accountable for manually labelling their own videos. This places the burden on content creators, which can lead to safety issues, especially when content creators believe their content applies to all ages. Instagram has also recently come under fire for its alleged negligence regarding children’s consent. While almost all social media platforms require users to enter their age prior to account creation, Instagram does not.
Consent can be managed through various mechanisms; organizations should consider some of these leading consent management practices:
- Capture consent via checkboxes or opt-in forms at account creation or when updates are made;
- Require users to re-confirm their consent on a periodic basis to ensure the collected consent is up to date;
- Utilize a centralized consent management system, which adds efficiency by maintaining consent in one location and allows updates to consent to be tracked; and
- Provide clear opt-out channels within user accounts and, via an easily accessible link, in any communications from the organization to the user.
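As an added illustration (not code from the original article or from any of the organizations it discusses), the following Python consent ledger applies the age thresholds described above, rejects self-consent for users under 13, records opt-outs and re-confirmations as new rows so the history stays auditable, and treats consent older than a hypothetical 365-day re-confirmation interval as stale. The 13-to-16 band is interpreted as 13 <= age < 16, and the purpose names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds as the article states them: COPPA covers users under 13 (parental
# consent); CCPA adds an express opt-in for ages 13 up to 16 (13 <= age < 16 here).
COPPA_CHILD_AGE = 13
CCPA_TEEN_AGE = 16
RECONFIRM_AFTER = timedelta(days=365)  # hypothetical re-confirmation interval
STRENGTH = {"standard": 0, "express": 1, "parental": 2}  # stronger consent is accepted

def age_on(birthdate: str, today: str) -> int:
    b, t = date.fromisoformat(birthdate), date.fromisoformat(today)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))

def required_consent(birthdate: str, today: str) -> str:
    """Map a user's current age to the kind of consent the rules above call for."""
    age = age_on(birthdate, today)
    if age < COPPA_CHILD_AGE:
        return "parental"
    return "express" if age < CCPA_TEEN_AGE else "standard"

@dataclass
class ConsentRecord:
    kind: str          # "parental", "express" or "standard"
    granted_by: str    # "parent" or "user"
    granted_at: str    # ISO date of the grant or re-confirmation
    purpose: str       # e.g. "analytics" (constructed purpose name)
    withdrawn: bool = False  # an opt-out is recorded as a new row, not an edit

@dataclass
class ConsentLedger:
    """Append-only store so every grant, re-confirmation and opt-out stays auditable."""
    records: list = field(default_factory=list)

    def add(self, rec: ConsentRecord) -> None:
        self.records.append(rec)
    def latest(self, purpose: str):
        return next((r for r in reversed(self.records) if r.purpose == purpose), None)

    def may_process(self, birthdate: str, purpose: str, today: str) -> bool:
        """Allow processing only on active, age-appropriate, recently confirmed consent."""
        needed = required_consent(birthdate, today)
        rec = self.latest(purpose)
        if rec is None or rec.withdrawn or STRENGTH[rec.kind] < STRENGTH[needed]:
            return False
        if needed == "parental" and rec.granted_by != "parent":
            return False  # a child cannot self-consent under COPPA
        elapsed = date.fromisoformat(today) - date.fromisoformat(rec.granted_at)
        return elapsed <= RECONFIRM_AFTER
```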
While it is clear that organizations are taking steps towards proper consent management, there are further efforts to consider in achieving an effective and compliant consent management program.
Conclusion:
As our online digital presence evolves, it continues to reveal new and challenging situations for organizations around child privacy risks. In order to respond appropriately, organizations should continually evolve their privacy practices alongside privacy regulations and use clear, layered notices that summarize the collection and use of PI in a way parents and guardians can easily understand. Additionally, consent management workflows should be built to incorporate all the various channels that capture consent. Organizations can continue to mitigate the risks associated with children’s privacy by taking measures to align with leading privacy standards.