Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

 Skip to Content

The CCPA's Impact on Businesses Processing Personal Data of Minors and Children
August 06, 2019
Businesses that offer services or have websites used by minors in California will have a new law to worry about come January 1, 2020 — the California Consumer Privacy Act of 2018 (CCPA). Businesses offering such services are already impacted by the FTC's Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6506, and California's "Online Eraser Law," Cal. Bus. & Prof. Code §§ 22580-22582. These laws aim to protect minors and children in certain jurisdictions. Precisely how they function, however, varies in material ways, resulting in a complex set of questions as to which law applies, when, and to whom.

COPPA protects children anywhere in the United States and defines a child as an individual under the age of 13. See 16 C.F.R. § 312.2. COPPA operates by, among other things, requiring verifiable parental consent before collecting personal information from children under 13, and giving parents the ability to access and delete that data. California's Online Eraser Law protects minors, defined as individuals under the age of 18, Cal. Bus. & Prof. Code § 22580(d), by allowing them to request, and obtain removal of, content or information posted by them on a website, online service, or mobile application. Businesses, wherever located, must comply with these laws if their website or service is directed to minors, or if the business has actual knowledge that a minor is using its website or service.

The CCPA falls somewhere in the middle of this regulatory trifecta. It prohibits the "selling" of personal information (as that term is broadly defined) of California consumers under the age of 16, absent consent. Cal. Civ. Code § 1798.120(c). If the individual is between 13 and 16 years of age, the minor can "affirmatively authorize[]" the sale of the data. But if the minor is less than 13 years of age, the consumer's parent or guardian must give the consent. While the CCPA does not elaborate on the requirements for consent, use of the word "affirmatively" seemingly rules out consent through opt-out methods, such as pre-checked boxes.

Consistent with the other two statutes, a business must comply with the CCPA's consent obligations if it has actual knowledge of the minor's age. A business will be held to have actual knowledge if it willfully disregards the consumer's age. The CCPA does not define what it means to willfully disregard a minor's age. Nevertheless, one could envision that a regulator would equate a minor-oriented website or online service — such as a video game or mobile application appealing to that target audience — that fails to screen the user's age prior to use as willfully disregarding the consumer's age.

Going forward, businesses with products or services online that collect and process data from minors should be aware of the variations between these laws, including the new two-tiered consent obligation of the CCPA. Privacy policies and online notices should be revisited to account for the varying requirements of obtaining consent depending on the user's age. Does that mean the age for consent to access a particular website or play a video game should be 18? 16? 13? The answer will depend on the circumstances. Passage of the CCPA nevertheless serves as a reminder that businesses must be mindful of the data they collect, especially data belonging to minors.

This article was co-authored by Carlton Fields Law Innovation Technology Clerk Talia Boiangin.
Related Practices
Cybersecurity and Privacy Esports and Electronic Gaming
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.