Older children would be protected by the same online privacy laws that apply to younger kids, under a bipartisan bill introduced in the U.S. House of Representatives this week.
The legislation would update the Children’s Online Privacy Protection Act, or COPPA, raising the age for the law’s parental consent protections to 16, up from age 13. That would cover a lot more kids, and presumably, a lot more kids who are on social media platforms that are popular with adolescents.
So what’s COPPA? It’s the law that requires operators of commercial websites, online services, and mobile apps to get permission from parents before gathering information about kids under the age of 13. The goal: To give parents more say about how their children’s data is collected.
The law only applies to websites or apps that are aimed at kids, or have “actual knowledge” that their users are younger than 13. (Importantly, some companies go out of their way to try and avoid finding out that some of their users are younger than 13, so that they don’t have to follow COPPA’s requirements, experts say.)
The law is directed at companies, not school districts. (In fact, earlier this year, the FTC slapped the social-networking platform TikTok, with a $5.7 million fine for violating child online privacy laws.)
But it’s still important for K-12 ed tech leaders to track COPPA. The FTC, which administers the law, has said that in some situations, schools can stand in for parents, essentially giving the OK for student data to be collected if a particular app or website is used in school.
And that can get very complex. Companies often pass the burden of getting parental consent on to districts, which then either make decisions in lieu of parents, or spend a lot of time, money, effort, and energy in getting permission from individual parents for kids’ data to be shared. Much more in this great explainer on COPPA from my colleague, Ben Herold.
So what kind of changes is the bill seeking?
Beyond just raising the age for COPPA protections from 13 to 16, the bill would make it clear parents have the option to delete personal information about their child. It would also make it crystal clear that geolocation and biometric information are protected under the law. And it would reiterate that COPPA applies to mobile applications, not just websites and other online services.
What’s more, if the bill becomes law, it would require the Federal Trade Commission to put out new rules on COPPA, which could impact the way it applies to school districts.
California recently passed an update to its own privacy laws that would give 13- to 16-year-olds the chance to decide if their data can be sold. This bill would differ from that law by leaving the consent with parents. A discussion draft of other federal legislation recently introduced by Sen. Roger Wicker, R-Miss., also embraces the idea that COPPA protections should extend to age 16.
The writing is on the wall, then, that policymakers want to privacy protections to apply to older kids, said Amelia Vance, the director of the education privacy at the Future of Privacy Forum, a Washington think tank.
“We have a consensus,” she said. “It’s no longer acceptable to just extend child privacy protection to age 13. We see in states, in the U.S., and internationally, that these protections are being extended to age 16.”