On September 23, 2013, California Governor Jerry Brown signed a bill that adds a chapter on “Privacy Rights for California Minors in the Digital World” to the California Online Privacy Protection Act (“CalOPPA”).1 The new measure will prohibit certain online marketing or advertising to minors (defined as anyone under age 18), and will require operators of websites, mobile apps, and other online services to honor requests by minors who are registered users to remove content posted by the minor. This development, as well as recent statements from the FTC and other enforcement agencies, confirms once again that child privacy is a key area of concern and a potential target for enforcement.
The new provisions signed into law this week by Governor Brown, which will take effect January 1, 2015, prohibit online marketing or advertising of certain products to minors, including alcoholic beverages and firearms. This restriction will also apply to an advertising service notified by an operator that the site, service, or application is directed to minors (in which case the notifying operator “shall be deemed in compliance” with this provision). The new law will also prohibit an operator from marketing or advertising such products when the operator has “actual knowledge” that a minor is using the site, if the marketing or advertising is “specifically directed to that minor” based on information such as the minor’s profile, activity, address, or specific location. Operators will be required to provide minors who are registered users with notice and instructions explaining their right to remove content they posted to the site, and to honor requests for removal. This requirement does not appear to apply where a requesting minor is not a registered user of the site. The new law also enumerates several circumstances in which an operator will not be required to erase or eliminate information, including when the information is anonymized or was posted to the site by a third party.
In addition to state laws such as CalOPPA, the federal Children’s Online Privacy Protection Act (“COPPA”) imposes other requirements for operators of commercial websites and online services, including mobile apps. Among other things, entities covered by COPPA must generally provide direct notice to parents and obtain verifiable parental consent before collecting personal information from children, as well as provide parents access to their child’s personal information and the right to request deletion of personal information.
Some of the concepts addressed in the amendments to CalOPPA – including whether a site is directed to children and whether an operator has “actual knowledge” that a user is a minor – are similar to concepts addressed by the Federal Trade Commission in its FAQs regarding COPPA.5 However, it is important to carefully review both laws and the aforementioned FAQs, as the two laws apply these concepts in different ways.
Businesses should also carefully review their privacy policies and practices — as well as those of third parties such as ad networks and plug-ins — to ensure compliance with CalOPPA, COPPA and other applicable privacy laws.
1 The Online Privacy Protection Act of 2003, Cal. Bus & Prof. Code § 22575 et. seq. (2004).