The CCPA's Impact on Businesses Processing Personal Data of Minors and Children
COPPA protects children anywhere in the United States and defines a child as an individual under the age of 13. See 16 C.F.R. § 312.2. COPPA operates by, among other things, requiring verifiable parental consent before collecting personal information from children under 13, and giving parents the ability to access and delete that data. California's Online Eraser Law protects minors, defined as individuals under the age of 18, Cal. Bus. & Prof. Code § 22580(d), by allowing them to request, and obtain removal of, content or information posted by them on a website, online service, or mobile application. Businesses, wherever located, must comply with these laws if their website or service is directed to minors, or if the business has actual knowledge that a minor is using its website or service.
The CCPA falls somewhere in the middle of this regulatory trifecta. It prohibits the "selling" of personal information (as that term is broadly defined) of California consumers under the age of 16, absent consent. Cal. Civ. Code § 1798.120(c). If the individual is between 13 and 16 years of age, the minor can "affirmatively authorize[]" the sale of the data. But if the minor is less than 13 years of age, the consumer's parent or guardian must give the consent. While the CCPA does not elaborate on the requirements for consent, use of the word "affirmatively" seemingly rules out consent through opt-out methods, such as pre-checked boxes.
Consistent with the other two statutes, a business must comply with the CCPA's consent obligations if it has actual knowledge of the minor's age. A business will be held to have actual knowledge if it willfully disregards the consumer's age. The CCPA does not define what it means to willfully disregard a minor's age. Nevertheless, one could envision that a regulator would equate a minor-oriented website or online service — such as a video game or mobile application appealing to that target audience — that fails to screen the user's age prior to use as willfully disregarding the consumer's age.
Going forward, businesses with products or services online that collect and process data from minors should be aware of the variations between these laws, including the new two-tiered consent obligation of the CCPA. Privacy policies and online notices should be revisited to account for the varying requirements of obtaining consent depending on the user's age. Does that mean the age for consent to access a particular website or play a video game should be 18? 16? 13? The answer will depend on the circumstances. Passage of the CCPA nevertheless serves as a reminder that businesses must be mindful of the data they collect, especially data belonging to minors.
This article was co-authored by Carlton Fields Law Innovation Technology Clerk Talia Boiangin.
The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.