The California Consumer Privacy Act of 2018 (“CCPA”), which takes effect January 1, 2020, prohibits businesses from selling the personal information of California residents under the age of 16 without their opt-in consent (or the consent of their parent or guardian for residents under the age of 13). A “sale” is defined broadly to include – subject to certain exceptions – almost any disclosure of personal information, if “for monetary or other valuable consideration.”
This prohibition applies if a business has “actual knowledge” that the California resident is under the age of 16. According to Section 1798.120(d), businesses that “willfully disregard” the age of a California resident “shall be deemed to have had actual knowledge of the [resident]’s age.”
Thus, businesses that “sell” personal information and that operate sites that reasonably might attract those under the age threshold face the prospect of potential violation if they fail to take at least some step to ascertain users’ age.
At the same time, by acquiring age information, businesses risk opening themselves up to increased liability under the longstanding federal Children’s Online Privacy Protection Act (“COPPA”).
COPPA places certain restrictions on the operators of websites and online services directed at children under the age of 13, as well as on general audience sites and online services where operators have “actual knowledge” that they are collecting information from children under 13. Unlike the CCPA, COPPA “does not require operators of general audience sites to investigate the ages of their site’s visitors.” See 1999 Statement of Basis and Purpose, 64 Fed. Reg. 59888, 59892.
As a result, before the CCPA takes effect, operators of general audience sites and online services that “sell” personal information are not required to verify the age of their customers – and COPPA does not apply to them unless they have “actual knowledge” that they have collected information from a child under 13 (for example, where “they later learn of a child’s age or grade from a concerned parent who has learned that his child is participating on the site or service”). After January 1, 2020, a business that – as a result of the CCPA – takes steps to check the age of its website visitors may acquire “actual knowledge” that some of those visitors are under 13, requiring it for the first time to take steps to comply with COPPA.
If a visitor who is a California resident indicates an age between 13 and 16, then the business is prohibited from selling that visitor’s personal information without opt-in consent under the CCPA. For visitors who indicate an age under 13, businesses also will be forced to comply with the full panoply of COPPA obligations. The implications of COPPA applicability are significant, particularly in the current era of increased FTC enforcement of the statute and record-breaking fines.
Businesses concerned at being found to have “willfully disregard[ed]” their CCPA age-related obligations must balance the corresponding COPPA-related downside of a robust age verification mechanism. When it comes to children, COPPA and the CCPA (likely inadvertently) combine to leave so-called “general-audience” businesses in search of an optimal “betwixt and between.”