On September 15th, California Governor Gavin Newsom signed into law a bill modeled after the UK Age Appropriate Design Code which aims to protect children’s privacy online and regulates companies that collect and process minors’ personal information. The Children’s Online Privacy Protection Act (COPPA) is the closest federal counterpart, with the implementing rule last revised in 2013. While both aim to protect children’s privacy, they have different philosophies about how to do so which will result in different compliance obligations for companies. The chart below compares key aspects of COPPA to the CA AADC.
|Goal||To put parents in control of what information is collected from their kids online||To protect the wellbeing, data, and privacy of children using online platforms by requiring businesses to act in the “best interests of the child”|
|Effective Date||COPPA was passed by Congress in 1998. The Federal trade Commission last updated the COPPA Rule by the FTC in 2013.||Most of the law goes into effect on July 1, 2024. The Children’s Data Protection Working Group will be established as part of the law to deliver a report to the Legislature, by January 2024, on the best practices for implementation.|
|Scope||COPPA covers operators of online services directed to children U13 that collect, use, or disclose personal information from children and operators of online services with actual knowledge that they are collecting, using, or disclosing personal information from children U13.||The law applies to any business that provides an online service likely to be accessed by children U18. “Likely to be accessed by children'' means that it is reasonable to expect based on certain indicators (e.g., audience composition, advertising, and design elements) that the online service would be accessed by children U18.|
|Advertising to Children||Although COPPA does not prohibit advertising to children, it prohibits the collection of personal information (including cookies and other persistent identifiers) from children U13 without verifiable parental consent. The intention behind this prohibition is to stop behavioral advertising, retargeting and profiling of children under 13. Contextual advertising is permissible under COPPA.||While the law does not prohibit advertising to children, it does prohibit using children’s personal information in a way that is materially detrimental to a child’s physical health, mental health or well-being. It prohibits profiling a child (i.e., behavioral advertising) by default unless the business has appropriate safeguards in place to protect children and profiling is necessary for providing the product or service. Contextual advertising is permissible under the law.|
|Age Estimation||COPPA does not require operators to ask the age of users. However, general audience operators may choose to screen for age. A site directed to children must treat all users as children. This means, for the most part, operators of child directed sites may not screen for age. MIxed audience sites which target children as only a portion of the audience may age screen, but may not block children from participating.||The law does not require age gates, but a likely effect of the law is that more online services will either age gate or collect additional information to estimate the age range of users. The law prohibits the use of any such personal information collected for these purposes to be used for any other purpose, and it can only be retained for as long as needed to estimate age.|
|Data Protection Impact Assessment (DPIA)||COPPA does not require operators to create and maintain DPIAs.||Prior to offering new online services that are likely to be accessed by children, a business must complete a DPIA and maintain documentation of the assessment for as long as the online service is likely to be accessed. DPIA is defined as “a systematic survey to assess and mitigate risks that arise from the data management practices of the business to children who are reasonably likely to access the online service, product, or feature at issue that arises from the provision of that online service, product, or feature."|
|Default Settings||COPPA does not specifically require privacy protective default settings for children. However, it is a best practice encouraged by the rule since operators must get verifiable parental consent before collecting personal information from children.||Default privacy settings for children must offer a high level of privacy unless the business can demonstrate a compelling reason for why a different setting would be in the best interests of the children.|
|Limitations on Collecting, Selling or Sharing Geolocation Information||Geolocation information sufficient to identify street name and name of city or town is personal information under COPPA. Operators must obtain verifiable parental consent before collecting, selling or sharing geolocation information of children.||Businesses cannot collect precise geolocation regarding a child without providing an obvious sign to the child for the duration of the collection or collect, sell or share precise geolocation information regarding children by default unless strictly necessary for the business to provide the online service and only while it is necessary to do so.|
|Penalties||A court can hold operators who violate COPPA liable for civil penalties of up to $46,517 per violation. The determination of the appropriate civil penalty will vary on a case-by-case basis based on a number of factors.||The law penalizes companies $2,500 per affected child for each negligent violation and $7,500 per affected child for each intentional violation.|
Learn more about Pixalate’s COPPA Compliance Technology and our COPPA Methodology to assess child-directed apps and their potential risks.
Disclaimer: The content of this page reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC, “'Fraud' is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other legal proceedings, but rather a custom definition strictly for advertising measurement purposes. Also per the MRC, “‘Invalid Traffic’ is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”