UK’s Children’s Code now enforceable and continues to prompt change; New Mexico Attorney General actively defending kids’ privacy; China adopts first comprehensive data privacy law; Change is afoot at the FTC; Big Tech continues to come under scrutiny

UK’s Children’s Code is now enforceable and continues to prompt industry-wide changes

After a 12-month grace period, the Age Appropriate Design Code (aka the Children’s Code) came into force on 2 September. In a recent blog, Stephen Bonner, Executive Director of the Information Commissioner’s Office (ICO), flagged social media platforms, video and music streaming sites, and gaming platforms as potentially presenting some of the biggest risks. “In these sectors, children’s personal data is being used and shared, to bombard them with content and personalised service features.” The blog warned that the ICO will be proactive in supporting these industries to comply with the Code and, where necessary, to make use of its investigatory powers. 

The ICO approved the first certification schemes to help organizations demonstrate compliance and instill trust from consumers. Controllers and processors who handle the personal data of children can now undergo an audit by the Age Check Certification Scheme (ACCS) for age-appropriate design. The system is similar to the Safe Harbor offering under the Children’s Online Privacy Protection Act (COPPA) in the US. However, while companies that obtain Safe Harbor certification are essentially insulated from action by the Federal Trade Commission (FTC), the ICO will only take the certification into account as part of any subsequent investigation. 

The ICO also released design guidance for developers to show them how to apply some of the Code’s standards in practice. The resources focus on how to ensure services create transparency, and they include practical tools to map out needs, risks and behaviors to help design compliant experiences.

The Children’s Code is continuing to impact the landscape, including social media platforms, which have made major updates to protect minors. In addition to sweeping changes announced last month, Instagram announced that it will now require all users to enter a birthdate, and TikTok added more educational resources for parents. Even industry leaders in safety have been inspired to expand offerings, as we saw with LEGO’s launch of new online safety tools.

Here is a summary of changes announced in recent weeks:

New Mexico Attorney General is most active defender of kids’ privacy

Last month, Google and New Mexico’s Attorney General, Hector Balderas, quietly disclosed that they had reached a settlement in the 2018 lawsuit filed by the state, accusing the company’s named monetization partners (AdMob and MoPub among others) of enabling the collection of personal data from young children in breach of COPPA. Terms of the settlement were not disclosed. 

Meanwhile, Balderas and Google continue to battle over claims that Google’s educational products violate federal children’s privacy law. In 2020, Balderas alleged that G Suite for Education apps and Chromebooks collect data from students without their parents’ permission. Balderas recently appealed the U.S. District Court’s dismissal.

In Balderas’ latest crusade, he accuses Rovio Entertainment, developer of Angry Birds, of illegally collecting and selling personal data from children under the age of 13. The complaint says Rovio “aggressively” targeted children for financial gain through the sale of virtual and physical goods related to the app. The suit also contends that Rovio shares this data with third parties for targeted advertising. The state makes the case that these practices violate both COPPA and New Mexico’s Unfair Practices Act. It alleges that Rovio’s privacy policy “misleadingly” stated that Angry Birds apps are not directed to kids, even though the developer (and dozens of partners) appeared to have actual knowledge of children being present on the service. This case illustrates that even apps popular with adults must still comply with COPPA if they are clearly attractive to children.

China adopted its first comprehensive privacy law; makes headlines cutting gameplay for kids

China adopted its first comprehensive data protection law, the Personal Information Protection Law (PIPL), which will take effect on 1 November. The latest version includes a reclassification of children’s data as sensitive personal data. 

The adoption of PIPL occurs in the wake of the Chinese government’s enhanced scrutiny of technology’s impact on minors. New rules now restrict kids’ video game usage to just 3 hours on weekends. Although China appears to be associating time spent gaming with addiction, the World Health Organization interestingly suggests that gaming addiction disorders aren’t about time but rather the attitude and intensity a person brings to the gaming. ByteDance also announced that children in China will only have access to its Chinese version of TikTok, known as Douyin, for 40 minutes a day.

In an effort to enforce the new rules, Chinese regulators summoned Tencent, NetEase, and other gaming companies to remind them of the restrictions, while the South China Morning Post reported Beijing had temporarily frozen the approval process for new games to be released. Share prices dropped shortly after news of the summons.

The FTC takes the spotlight

It has become increasingly clear that prioritizing consumer privacy and reining in Big Tech will be a big focus of the Biden-Harris administration. Earlier this month, House Democrats proposed to award the FTC $1 billion to set up a bureau dedicated to improving data security and privacy. If they are successful, the FTC would be able to triple its workforce dedicated to privacy. The Chamber of Commerce has expressed its opposition.

President Biden announced that he will nominate Alvaro Bedoya for a seat on the Federal Trade Commission. Bedoya is an online privacy expert and critic of Big Tech. If confirmed by the Senate, he is expected to take an aggressive stance on the large technology companies. Bedoya would replace Rohit Chopra, who is leaving the FTC to head up the Consumer Financial Protection Bureau. This potentially leaves the Commission deadlocked between two Republicans and two Democrats for a period of time, while the Senate considers Bedoya’s nomination.

Senators Markey (D-Mass.) and Blumenthal (D-Conn.) also recently called upon the FTC, in a letter to FTC Chair Lina Khan, to do more to protect consumers’ privacy.

The lawmakers wrote that “Consumers deserve strong and enforceable privacy safeguards in the digital economy – opening a rulemaking would be a powerful step toward addressing this long overdue need.”

Big Tech continues to come under scrutiny for privacy violations

In a long-awaited and controversial ruling, Ireland’s Data Protection Commission (DPC) fined WhatsApp a record €225 million for breaching the GDPR. The announcement came after an unseemly tussle among European privacy regulators that had to be settled by the European Data Protection Board (EDPB). The DPC had concluded its investigation in 2020 and proposed a €50m fine, but this met with opposition from eight other European data protection authorities as being too small. The dispute was referred to the EDPB, which ruled that the decision should be amended with the higher fine.

The DPC’s 266-page ruling said WhatsApp violated the GDPR’s transparency requirement and only provided 41% of prescribed information to users, impacting an “extremely high” number of people. The regulator ordered the platform to update its privacy policy to include how personal information is collected and used and how WhatsApp shares that data with Facebook. Making the updates will be a challenge since it has already been criticized for being overly complicated and unwieldy. WhatsApp swiftly appealed the decision, claiming the fine is disproportionate and (employing an unusual legal tactic) that the ruling should be set aside in its entirety for violating the company’s constitutional property rights.

Elsewhere in the EU, TikTok has found itself embroiled in new lawsuits in the Netherlands. Dutch advocacy groups have filed a children’s privacy claim against TikTok. This is the same group that filed a €1.5bn lawsuit against TikTok back in June and is now seeking €2 billion. A second suit was filed by another Dutch non-profit, seeking to force TikTok to compensate users €6 billion for “harvesting and auctioning sensitive user data” in violation of GDPR. The Irish regulator has also opened a probe into how TikTok handles children’s data and transfers of data to China.

TikTok is also continuing to make headlines in the US. Senators demanded TikTok reveal how it plans to collect biometric data. In addition, a Wall Street Journal report shows how TikTok serves up sex & drugs to minors and a $1.1M class action settlement awaits final approval from a judge.

Finally, Facebook made headlines as the Wall Street Journal continues to publish a series of articles based on internal documents shared by a whistleblower. The latest reveals that Facebook had commissioned internal research, which showed the detrimental mental-health impact Instagram has on teen girls and other users. Lawmakers are now demanding answers from the company on why it did not act on its own research. Meanwhile, months after a group of 40 state attorneys general wrote to the company to urge it to abandon its plans to create a version of Instagram for kids, Facebook announced its decision to park the project while focusing on further investment in teen safety on the main Instagram app. 

What else mattered:

  • Common Sense Media issued a new report, revealing that most streaming apps and devices do not meet minimum privacy standards recommended for kids. After examining the top ten streaming apps and the top five streaming devices, the report found that nearly all of them were sharing children’s data for advertising purposes in contravention of kids’ data privacy laws. The research also showed that neither the creation of child profiles nor paying for premium service improved privacy protections.
  • In the first order of its kind, the FTC voted unanimously to ban spyware maker SpyFone from the surveillance industry. SpyFone was accused of harvesting mobile data of thousands of people and creating “stalkerware” under the guise of parental control. The product collected and shared data on people’s physical movements and phone use and in general lacked basic security.
  • A new study from Precise TV and Giraffe Insights shows that kids can recall ads seen on YouTube twice as well as those seen on traditional broadcast TV. The study also revealed that 35% of kids access content exclusively through YouTube, social media, gaming and on-demand platforms, meaning that brands that don’t have a digital strategy could be missing up to one third of their audience.
  • Toys “R” Us is back … again. Thanks to Macy’s, the beloved toy store will be featured as a store-within-a-store at 400 of its department stores and on its website. This is the second attempt to resuscitate the Toys “R” Us brand, and this time Macy’s is hoping to use Toys “R” Us’ brand recognition to compete with the likes of Target and Walmart.

Stay safe and healthy.
Kind Regards,
Max Bleyleben, Managing Director
& Chief Privacy Officer