The Week (& 1/2) in Child and Student Privacy

Welcome to my newsletter! You can subscribe to my newsletter on?Revue?(via Twitter),?LinkedIn, or access a tracking-free version* on PIPC.tech.

This week's newsletter is coming a little late due to the fantastic Student Data Privacy Consortium conference. I was honored to give a keynote about how child privacy legal developments are or may impact student privacy. If you're interested, my slides are available here.

This has been a big week for new legislation and regulations. Few news outlets have reported on the child or student privacy implications of these bills, so the newsletter is in a slightly different format this week.

What I'm Reading

The California Age-Appropriate Design Code Act Passes Out of Committee

The bill was passed out of committee with amendments and re-referred to the Assembly Appropriations Committee on the 25th, and read a second time and amended on the 26th. Some of the most interesting amendments:

• Change: The bill now limits its coverage to online services, products, or features (previously covered any good, service, or product) likely to be accessed by a child.
• Change: The definition of "likely to be accessed by a child" is now "reasonable to expect, based on the nature of the content, the associated marketing, the online context, or academic or internal research [this is new] that the service, product, or feature would be accessed by children."
• Cut: The requirement that businesses consider the best interests of children (IMO, probably a good thing, since government views could easily vary from parental views of what "best interests" means, and this bill has no parental consent mechanism).
• New: Businesses' Data Protection Impact Assessment must now be provided to California's privacy agency within 12 months of the Act's implementation and reviewed every 24 months or before any new features are offered to the public.
• Change: The requirements that businesses not use children's personal information or use dark patterns in a way that is "demonstrably harmful" has been changed to not allowing use if the "business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child."
• New: A ban on profiling children by default has been added.
• Change: Businesses can now share or sell the personal information of children if it is necessary to provide the online service, product, or feature (but what is allowed here is limited in multiple other parts of the bill).
• New: Businesses may not use personal information collected or processed to establish age or an age range for any other purpose, or retain that information longer than necessary to establish age, and age assurance "shall be proportionate to the risks and data practice of a service, product, or feature."

CT Consumer Privacy Law Passes Senate

The Connecticut Senate voted to pass their comprehensive consumer privacy law (it still has to receive a House vote), which includes a number of new child privacy protections that are fairly similar to the protections that have passed in other states:

• The definition of "sensitive data" includes "personal data collected from a known child," as defined by COPPA (under 13). Note that this clause has the same limitation as COPPA - it only covers information from a child, not information about a child. However, there are protections given to consumers generally for data that "concerns" them, which would presumably also apply to data concerning a child. When controllers process sensitive data, they must conduct and document a data protection assessment.
• Parents can exercise any rights granted to consumers on their child's behalf.
• Controllers cannot process a teen's (between age 13 and 16) personal data for targeted advertising or sell their data without consent when the controller has actual knowledge of and willfully disregards the teen's age.
• Personal data regulated by FERPA is explicitly excluded from the bill.
• The bill states that "controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent."
• A General Assembly committee is created to examine, among other issues, 1) possible additional legislation that could expand COPPA and 2) "any means available to verify the age of a child who creates a social media account."

The Digital Services Act

The European Parliament, Council and Commission reached a deal on the Digital Services Act (DSA) on April 23rd. The regulation has broad implications for online platforms, including requiring that "platforms accessible to minors will have to take specific measures to protect them, including by fully banning targeted advertising." Privacy advocates are particularly excited about required algorithmic audits.

Once formally adopted by the Parliament and Council, the DSA will be published in the Official Journal of the European Union and enter into force twenty days after its publication. It will apply 15 months after it is entered into force, or in January 2024, whichever is later. However, the obligations for very large online platforms kick in earlier.

MD SB325 Approved by Governor

Maryland's Governor approved their amended student privacy law governing companies. Companies should check out the changes to the definition of "operator" (more companies are now covered!), "covered information," and "persistent unique identifier."

Resources Worth Your Time

TeenAge Privacy Program Roadmap

What Happened: BBB released their TeenAge Privacy Program (TAPP) Roadmap, "designed to help companies develop digital products and services that consider and respond to the heightened potential of risks and harms to teenage consumers, and to ensure that businesses collect and manage teen data responsibly."

Why You Should Care: Nearly all the new child privacy proposals (and some of the passed laws) expand child privacy protections to teens.

Upcoming Events

*?except for Google fonts and Gstatic. Revue and LinkedIn also automatically track when people click on links, but I only receive aggregate information about the number of people who have clicked on a specific link.