Online privacy and safety of children and teens are hot legislative topics this year. In a companion post we provide an update of federal and state legislative efforts to fundamentally change how online content and advertising are delivered to children and teens. We have previously discussed legislation in California and Connecticut to require assessments of online privacy impacts on minors. In this post we focus on proposed regulatory and legislative changes to the 1998 Children’s Online Privacy Protection Act (COPPA) (effective in 2000) and its corresponding regulations (COPPA Rule), which were last updated in 2013.

Continue Reading Federal Children’s Privacy Requirements to Be Updated and Expanded

Last week, the Attorney General for California filed a notice of appeal to overturn a federal court ruling that the state’s Age-Appropriate Design Code Act (“CAADCA”) likely violates the First Amendment.  The appeal will put the constitutionality of California’s act before the Court of Appeals for the Ninth Circuit.

Following unanimous votes by the California legislature and signature by the Governor, California enacted the CAADCA in September 2022 as a measure purportedly “aimed at protecting the wellbeing, data, and privacy of children using online platforms.”  Industry group NetChoice soon turned to federal court and sought an injunction to prevent the law from being enforced on the grounds that it violates the First Amendment and the dormant Commerce Clause of the United States Constitution and is preempted by other federal statutes addressing online child safety, including the Children’s Online Privacy Protection Act (“COPPA”).  Last month, the court granted a preliminary injunction in favor of NetChoice, holding that CAADCA likely violates the First Amendment.  Specifically, the court reasoned that the law regulates expression by limiting the use and sharing of (personal) information and that California’s justifications did not rise to the level required to regulate expression under the U.S. Constitution.

Privacy World is following this appeal and will be here to keep you in the loop.  Stay tuned.

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others.  This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar.  Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.

Continue Reading Privacy World 2022 Year in Review: Biometrics and AI

The Federal Trade Commission (FTC) has released a staff report, Bringing Dark Patterns to Light, which discusses misleading and manipulative design practices—dark patterns—in web and mobile apps. These design choices take advantage of users’ cognitive biases to influence their behavior and prevent them from making fully informed decisions about their data and purchases. Dark patterns are employed to get users to surrender their personal information, unwittingly sign up for services, and purchase products they do not intend to purchase. The consequences of dark patterns have been increasingly noticed in the regulatory and legislative sphere, both in the United States and Europe.

Continue Reading Dark Patterns under the Regulatory Spotlight Again

For years now, California has led the way by setting the standard for privacy and data protection regulation in the United States. Recently— and as calls for greater controls over the addictive nature of social media grow louder—legislators in the Golden State have moved closer toward enacting a new, first-of-its-kind privacy law that would prohibit the development and utilization of “addictive” features by social media platforms. At the same time, state legislators also advanced a second bill that would put in place stringent online privacy protections for minors.

Businesses should monitor the progress of these bills closely, as their enactment—combined with an increased focus on children’s privacy by both federal lawmakers and the Federal Trade Commission (“FTC”)—may have a ripple effect in other states and municipalities, with legislators following close behind to enact similar children’s online privacy laws.

Continue Reading California Moves Closer to Enacting More Stringent Online Privacy Protections for Children

Last week, the Federal Trade Commission (“FTC”) held an open meeting focused on issues related to children’s privacy and those pertaining to the use of endorsements and testimonials in advertising. In the meeting, the FTC adopted a new policy statement targeting data collection practices in educational technology. Further, the FTC proposed amendments to the Guides Concerning the Use of Endorsements and Testimonials in Advertising (“Endorsement Guides”) which would target child-directed marketing. Of note, one of the amendments would recognize that children may react to advertising practices differently than adults and thus advertising practices directed towards children may be treated differently by the FTC compared to those practices directed towards adults.

Continue Reading FTC Targets Children’s Privacy and Stealth Advertising Directed at Children

The Federal Trade Commission (“FTC”) announced its next open meeting will focus on issues related to children’s privacy and those pertaining to the use of endorsements and testimonials in advertising.

Continue Reading FTC to Discuss Children’s Privacy, Endorsement Guides at Next (Virtual) Open Commission Meeting: May 19, 2022, 1PM ET

As readers of CPW know, the Federal Trade Commission (“FTC”) has made it clear that privacy and security will be top-of-mind issues for the Commission for the foreseeable future. Recently, the FTC announced its settlement with WW International, Inc.—formerly known as Weight Watchers (“Weight Watchers”)—over claims the company violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting children’s personal information without providing notice or obtaining parental consent.

The settlement requires the company to pay a $1.5 million penalty, delete personal information that was improperly collected from children, and destroy any models or algorithms developed with the use of that data. Importantly, the settlement illustrates the FTC’s increased focus on children’s privacy, as well as the Commission’s increased reliance on the disgorgement remedy in privacy and security enforcement actions—including in the AI context.

I.     Factual Background & FTC Allegations

By way of background, COPPA requires that websites, apps, and online services that are child-oriented or knowingly collect personal information from children notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13. It was passed in 1998 amid rising concerns regarding children’s privacy online. Unlike some other federal regulatory regimes, both the FTC and state attorneys general have concurrent jurisdiction to enforce COPPA (meaning as a practical matter private entities are subject to potential regulator scrutiny at both the state and federal level for alleged COPPA violations).

Weight Watchers marketed a health and wellness app and website to both adults and children that allowed users to track their food intake, activity, and weight. The app also collected personal information, including names, email addresses, and birth dates. Up until late 2019, users could sign up for the app by indicating (1) they were a parent registering their child or (2) a child over the age of 13 signing up for themselves.

The non-neutral age gate that was presented by Weight Watchers at registration indicated to younger users that they could sign up without a parent by falsely claiming they were at least 13. Not only that, hundreds of users who signed up for the app did, in fact, circumvent the age gate by creating an account and later revising their profiles to reflect their true age. Despite this, these users were still permitted to access the app without parental involvement. Further, while the company implemented a new age gate in late 2019 that removed any reference to being “at least 13” and indicated that individuals under the age of 13 needed parental permission to use the app, Weight Watchers’ screening mechanism still failed to ensure that users who selected the parent signup option were truly parents—and not children attempting to bypass the age restriction.

According to the FTC, Weight Watchers violated COPPA as a result of its failure to provide a mechanism to prevent children from using the parent registration option to bypass the age restriction, as well as COPPA’s notice and data retention provisions.

II.     The Settlement Terms and Key Takeaways

The Weight Watchers settlement is comprised of three primary components, all of which carry significant implications for potential FTC enforcement actions going forward.

  • First, the company must pay a $1.5 million penalty.
  • Second, the company must destroy all personal information that was collected in a manner that failed to comply with COPPA.
  • Finally, the company must destroy all models or algorithms developed in whole or in part using improperly collected personal information.

     A.     FTC’s Continued Focus on Children’s Privacy 

There are three major takeaways from the Weight Watchers settlement. The first pertains to the FTC’s increased activity in the children’s privacy space. The Weight Watchers settlement comes on the heels of several other FTC enforcement actions against companies who ran afoul of COPPA. In December 2021, advertising platform OpenX Technologies agreed to pay a $2 million penalty to resolve similar FTC allegations that it collected children’s personal information without parental consent. And in July of last year, online coloring book app Kuuhuub agreed to a $3 million penalty to settle COPPA allegations as well.

Relatedly, during his State of the Union address President Joe Biden urged Congress to strengthen children’s privacy protections and clamp down on companies that improperly collect children’s personal information.

Taken together, companies that market their online products or services to children—or otherwise collect children’s personal information—are well-advised to review their compliance with COPPA’s requirements to mitigate the heightened legal risk posed by the FTC’s increased emphasis on children’s privacy.

     B.     Utilization of Disgorgement Remedy

The second major takeaway pertains to the requirement that Weight Watchers destroy any models or algorithms developed through the use of personal information that was improperly collected from minors in violation of COPPA.

Importantly, the Weight Watchers matter marks the first time that the FTC has utilized this enforcement tool—known as disgorgement—in a COPPA case. This is part of a larger shift by the FTC to prioritize “meaningful disgorgement” as a remedy in privacy and security enforcement actions. Disgorgement was first used by the FTC in its first enforcement action specifically targeting improper facial recognition practices with photo developer Everalbum, Inc. As part of the settlement, Everalbum was forced to delete not only all photos and other user data that had been improperly collected and/or retained, but also all facial recognition algorithms that were developed with Everalbum’s ill-gotten data.

Shortly after the Everalbum settlement—during remarks at the 2021 Future of Privacy Forum—the FTC’s then-Acting Chairwoman, Rebecca Kelly Slaughter, noted that where companies unlawfully collect and/or use consumers’ personal information, the FTC would seek disgorgement of both the improperly collected data, as well as any benefits from that data—pointing to Everalbum as an example of how the FTC could leverage disgorgement in privacy and security matters.

     C.     Algorithmic Disgorgement As New Normal In Near Future?

Third, the Weight Watchers settlement not only represents a continuation of the disgorgement remedy trend in FTC enforcement actions, but also indicates that algorithmic disgorgement may soon become a standard component in future FTC settlements. This may have a particularly outsized impact on developers of artificial intelligence and related technologies which rely heavily on the development of advanced algorithms.

This settlement is yet another example of the FTC’s focus on the impact AI can have in relation to consumer privacy and related issues.  In December the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

There are a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate as previewed by its Notice, should internal disagreement at the agency not stall this effort in 2022.  For instance, as seen in an April 2021 release the FTC has increasingly cautioned that AI may be utilized and “inadvertently introduce[e] bias or other unfair outcomes” to medicine, finance, business operations, media, and other sectors.  In addition, the FTC declared algorithmic and biometric bias as a focus of enforcement in resolutions passed in Fall 2021.

For more on this, stay tuned.  CPW will be there to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses that (a) (i) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; (b) have an annual revenue of $25,000,000 or more; and (c) satisfy one or more of certain enumerated thresholds (e.g., control or process the personal data of 100,000 or more consumers; or derive over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, and portability, as well as a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227, and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 yea votes, 0 nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and then afterwards will be delivered to the Governor, in accordance with the Utah legislative process.

What’s Next

In Utah, if a chamber passes a bill with amendments, the bill “is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign the bill, or take no action on it, after which the bill becomes law; or (2) veto the bill, in which case the bill does not become a law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.
