KidAware Bulletin – January 2020
New YouTube rules go into effect; US politicians look to extend COPPA; TikTok sued & settles over kids’ privacy; CCPA kicks in for all with kids’ audiences in California; FTC’s COPPA consultation period finally ends; other news.
YouTube rolls out new policies impacting kids’ channels
From January 6th YouTube stopped serving personalized ads on kids’ content, and disabled a host of features that make use of personal data, including comments and notifications. The changes put into effect the company’s $170m settlement with the FTC for violating COPPA. The impact on content creators is potentially wide-ranging and has been controversial. For kids’ advertisers, it simply means that YouTube is now part of the compliant ad ecosystem, where only contextual advertising is permitted.
For a full break-down of what it means, see our blog post.
US lawmakers introduce PROTECT Kids Act, seeking to extend COPPA
In early January, a bipartisan group of Representatives introduced the too-cleverly named Preventing Real Online Threats Endangering Children Today (PROTECT) Kids Act. Among other changes, the bill would increase the age below which parental consent is required before collecting personal data from 13 to 16. It also expands the definition of personal data to include biometrics and requires operators to make it easy for parents to request deletion of their kids’ data.
This effort follows a number of initiatives to introduce further federal protections for kids, including a measure proposed in the Senate in 2019 to extend privacy protections to children up to age 15, and enforce an “eraser button” for parents. While it’s unclear whether any measure has enough cross-party support to become law, it highlights the urgency with which lawmakers are seeking to address perceived gaps in kids’ data protections. Some of these gaps are being filed by new state laws (such as California’s CCPA—see below), raising fears of legal fragmentation creating compliance headaches for companies and platforms.
TikTok breaks speed record in settling kids’ privacy lawsuit
The parent company of short-form video app TikTok, Bytedance, was sued in December by a group of parents concerned about the data privacy of their kids, and—in an unusual development—promptly settled the case. The Verge reported the original lawsuit, which claimed that TikTok failed to obtain parental consent before collecting, processing and selling the personal data of children. The lawsuit followed TikTok’s settlement in March 2019 with the FTC for breaches of COPPA, and echoed a similar case filed in October against YouTube and Google.
While the YouTube lawsuit and others are still working their way through the courts, Bytedance apparently did not want to take any chances. Within 24 hours, the company had settled the lawsuit privately, reportedly for about $1.1m. The rapid reaction comes at a tricky time for the massively popular app, with increasing pressure from U.S. politicians to review the app’s ties to the Chinese government. It may well encourage further class action lawsuits in relation to kids’ privacy when digital platforms are believed to be breaching COPPA.
CCPA comes into effect Jan 1st—are you ready?
America’s most stringent data privacy rules came into effect on the first day of 2020. The California Consumer Privacy Act (CCPA) gives state residents stronger data privacy protections, including the right to opt out of data collection, to know what data is being collected about them, and to request deletion of that data.
Most importantly for anyone operating in the kids or youth market, it extends COPPA-style protections to residents between 13 and 15. Any publishers or advertisers engaging with that audience may no longer ‘sell’ their personal data (including technical identifiers such as IP address, device ID or geolocation) unless they have the user’s explicit, opt-in consent. Note that the definition of ‘sell’ is very broad and very likely includes sharing that type of data with partners who are helping you monetise your content, or deliver your ad campaign.
Some aspects of the CCPA are challenging to implement and will impose additional costs on companies. But this law is also likely only the tip of the data privacy iceberg, as many states are looking to emulate California and pass new rules to protect the privacy of their residents. The CCPA is also being seen as a potential blueprint for new efforts at crafting federal data privacy legislation. The reaction of tech platforms has been varied. Google announced new features that allow its client websites to block personalised ads in the state, while Microsoft has decided to embrace the pro-privacy positioning by implementing CCPA’s standard throughout the US.
If your site or app, or your ad campaigns, are likely to reach more than 50,000 Californians, you must comply with the CCPA. You can read our full summary of what publishers need to do here.
FTC finally closes COPPA consultation period
After two deadline extensions, on Dec 9th the FTC finally closed the consultation period for its review of the COPPA Rule. With hundreds of thousands of comment submissions, the process broke a number of records and inadvertently made COPPA a household name among YouTube creators, albeit not for the right reasons.
YouTube creators flooded the site after being encouraged to so, first by a change.org petition created by a YouTuber, then by YouTube itself. They in turn were reacting not to the FTC’s official questions, but to the impact of YouTube’s earlier settlement with the FTC for COPPA violations, which require it to stop collecting personal data from kids’ content on the platform.
YouTube’s policy changes are unrelated to the FTC’s regular review of the COPPA Rule, and will not be impacted in the near-term by the amendment process.
The consultation included a public workshop held in October, and is mostly focused on how to modernise the law to take account of new digital touchpoints with kids (such as voice) and new categories of personal data (like biometrics or set-top box data). The FTC is also looking for ways to close loopholes in the law that allow the continued transmission of personal data, and to improve the ways it defines content ‘made for kids’, both to cover more digital experiences kids are likely to use, and to reduce uncertainty around family-friendly content that appeals to both kids and adults.
This is a process that will likely take a year or more, so don’t expect any near-term changes to the law (sorry, YouTubers).
In Other News
You watch TV. Your TV watches back. (Washington Post, 18 Sep 2019)
We missed this one in our last bulletin, but it reflects a growing realisation by consumers (and regulators) that our TVs and streaming platforms are collecting a ton of personal data, including logging everything we watch. Increasingly that data is being traded in order to further profile users and deliver targeted advertising. Because there are so many delivery mechanisms for streaming, it is in many cases unclear which laws apply when it comes to consumer consent for using such personal data. Watch this space for regulatory developments.
FTC enforces COPPA Rule in Retina-X settlement (IAPP, 5 Nov 2019)
The FTC announced a settlement with the maker of ‘stalking apps’ that encouraged parents to surreptitiously track the location of their kids and teens. The case was prosecuted under COPPA because installation of the apps led to the collection of personal data from children, and that data in turn was not securely stored. When hackers broke into the company’s databases, kids’ data was exposed, triggering the investigation.
Webinar: Proliferation of kids privacy regulations (YouTube, 18 Nov 2019)
We hosted a webinar together with the WFA to discuss how the latest regulatory trends are transforming online marketing to children and younger audiences, and to review data privacy developments around the world impacting kids’ brands.
UK’s data regulator again warns ad tech over GDPR compliance (Digiday, 20 Nov 2019)
The UK’s data protection authority, the ICO, continues to fire warning shots into the digital ad industry about the compliance of the RTB ecosystem. It hosted a workshop in November, followed by a blog post by Simon McDougall in December, making clear it does not consider the industry’s current approach to ‘sensitive category data’ and its use of contracts to govern the sharing of data to be compliant with GDPR.
CCPA Update: AdTech Options to Avoid a “Sale” and What Google Has to Say About It (Kelly Drye, 24 Nov 2019)
Useful analysis by a law firm on Google’s response to CCPA and the difficult question of whether—under the law—sharing a user’s personal data with a service provider constitutes a ‘sale’ (subject to restrictions) or not. One to share with your legal counsel advising you on CCPA compliance.
FTC Faces Push to Study Ads Targeting Children (The Wall Street Journal [paywall], 5 Dec 2019)
In a letter to the FTC, the American Academy of Pediatrics and 30 other groups asked the agency to conduct a review of kids’ digital advertising, focusing specifically on personal information advertisers collect from kids, including data from cross-device tracking, machine learning, virtual reality and real-time measurement.
Facebook: We don’t need your consent! (noyb website, Dec 2019)
Europe’s favourite privacy crusader, Austrian lawyer Max Schrems, comments on ongoing legal proceedings about Facebook’s data collection practices. He criticizes Facebook’s position that it processes users’ personal data under “performance of a contract” (rather than consent), on the basis that it when users sign up to the platform they are in effect entering into such a contract.
10 kids digital media predictions for 2020 (and what to do about them) (SuperAwesome blog, 14 Jan 2020)
Our CEO Dylan Collins peers into the future of kidtech and compliance and makes his annual predictions of things to come. Who will be fined next? What data privacy law will top GDPR-K? What will happen to YouTube kids content? Whither TikTok? Only one way to find out…
