Laws and regulations reflect and promote societal values. The rapidly evolving legal and regulatory scrutiny around the processing (e.g., collection, use, storage, and sale) of children’s data is a direct response to consumer sentiment in support of increased privacy protections for children – who are most vulnerable to harm and privacy compromise during their online activities. President Biden’s State of the Union Address was clear – “It’s time to strengthen privacy protections, ban targeted advertising to children, [and] demand tech companies stop collecting personal data on our children.” This sentiment was reaffirmed by the FTC’s recent adoption of a policy statement that underscores the need for education tech providers to fully comply with all provisions of the Children’s Online Privacy Protection Act (“COPPA”), with President Biden applauding the FTC, stating children and families “shouldn’t be forced to accept tracking and surveillance.”
Most recently, the California Age-Appropriate Design Code Act (“AB 2273”), signed into law by California Governor Newsom on September 15, 2022 and set to take effect on July 1, 2024, represents the potential birth of a new wave of national privacy regulations focused on children’s privacy. States like California, through regulations such as the California Consumer Privacy Act (“CCPA”), have paved the way towards stricter restrictions on the processing of children’s data. The CCPA, Virginia Consumer Data Protection Act (“VCDPA”) and Colorado Consumer Privacy Act (“CPA”), among other state privacy regulations, impose requirements that mirror, or are supplemental to, those provided under the COPPA. In particular, the CCPA requires businesses having “actual knowledge” that they collect or maintain minors’ personal information (“PI”) to establish a process through which minors and/or their parents (depending on the minor’s age) may provide their verifiable affirmative consent to the sale of the minor’s PI.
AB 2273 and regulations like it, however, show there is plenty of room to make privacy regulations significantly more restrictive than businesses have understood them to be. For instance, AB 2273 appears to broadly include within its scope “a good, service or product feature likely to be accessed by a child.” This is a significant change from the CCPA and COPPA, which obligate businesses to establish the requisite consent and comply with other requirements only if they have “actual knowledge” that children’s data is being collected and processed.
California is not the first to enact such requirements. In principle and substance, AB 2273, has further similarities to the U.K. Age-Appropriate Design Code (“Children’s Code”) that are particularly impactful to business. In addition to not having an element of “actual knowledge,” both the Children’s Code and AB 2273 impose a “duty of care” standard whereby businesses having an interest in California are prohibited from: using children’s PI in ways that may harm the physical health, mental health or well-being of a child; using dark patterns or web designs that influence users to make certain choices; and collecting or retaining a product user’s personal information if the business does not know the user’s age. Furthermore, both emphasize consideration for the “best interests” of children, in a manner that prioritizes “the privacy, safety and well-being of children,” when designing and developing products, and require that businesses provide tools to help children exercise their privacy rights and report concerns. Taken together, the evolving regulations on children’s privacy are set to trigger a slew of obligations, processes and measures that covered businesses will need to undertake.
A new wave of regulations on children’s privacy could mean that companies operating at a national and international level may need to reconsider their policies on the processing of children’s PI, including how to empower parents with a robust customer service that ensures they know their rights and are able to act on their child’s behalf. Enterprises are facing unprecedented pressures not only to comply with developing regulations in this space, but to proactively get ahead by building strategies grounded in ethical considerations. Failure to adopt an upfront approach may leave businesses underprepared and lacking the resources needed to implement processes that would ensure full compliance.
The Children’s Data Protection Working Group, established as part of AB 2273, is expected to deliver a report on best practices for implementation to the Legislature by January 2024. In anticipation of this guidance and other incremental regulatory requirements to protect children’s privacy, companies should consider their readiness in three phases, as follows:
Phase 1: Current State Assessment – Determine the current tools and capabilities used by the organization to identify children’s personal information, understand what systems store children’s personal information and identify what data governance and controls are in place to limit the proliferation and use of children’s data.
Phase 2: Implementation of Remedial Measures – Based on the assessment results, prioritize high risk gaps (e.g., children’s privacy rights handling; parental authority and accessibility) leveraging the overall privacy program capabilities, including existing tools and processes.
Phase 3: Optimization of Children’s Privacy Program – Consider evolving children’s privacy regulations and solutions for enhanced provision of choices and preferences to build and sustain child/parent trust and enhance their overall customer experience.
How Accenture Can Help
Accenture is well positioned to partner with organizations in protecting children’s privacy. Below are some examples of how we can help accelerate the three phases described above and collaborate in developing solutions to address challenges posed:
- Facilitate data lifecycle management for children’s personal information, including automated data discovery, data classification, data lineage and mapping
- Review and assess existing privacy controls framework against children’s privacy regulatory requirements
- Integrate a Privacy by Design framework into existing and new products, services and systems that process children’s personal information
- Incorporate children’s privacy into a holistic and complementary program that leverages privacy capabilities already in place and account for ethical considerations in the collection and use of children’s information
We recommend that companies anticipate the impact to business operation and compliance posture of the evolving children’s privacy regulations. If you think Accenture could help in this compliance undertaking, please feel free to contact the authors of this article.