This fall, scrutiny has increased on children’s privacy with the FTC and New York Attorney General’s announcement of the largest fine ever for violations of the Children’s Online Privacy Protection Act (“COPPA”), followed by FTC public workshops on updating the COPPA Rule. Combined with increased requirements for the sale of teen personal information under the California Consumer Privacy Act (“CCPA”), and calls for triple fines for children’s privacy violations under a potential CCPA 2.0 referendum for 2020, children’s privacy has come to the forefront of privacy risks.
On 22 August 2019, the Cyberspace Administration of China (CAC) announced the implementation of the Online Protection of Children’s Personal Data Regulation (儿童个人信息网络保护规定), (“the Regulation”) which came into force on 1 October 2019. The Regulation comprises a list of rules which seek to ensure the safety of children’s personal data and promote a healthy upbringing for children.
This constitutes the latest step in China’s drive to sophisticate its data protection regime and adds to legislation under the framework of the Cybersecurity Law, implemented in 2017. It contains similarities to the Children’s Online Privacy Protection Act (COPPA) in the U.S. and the GDPR in the EU.
As there is no official English translation of the Regulation, this article summarises its key points.
On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).
When the GDPR came into effect on May 25, 2018, several European Member States had yet to put in place further implementing legislation. And while the data protection world watches and eagerly digests each new interpretive guidance from data protection authorities, Member State legislation provides additional interpretive tones of harmony or discord in data protection across Europe. After much delay and almost seven months after the EU’s General Data Protection Regulation (“GDPR”) came into force, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) – which implements the GDPR in Spain – entered into force on 7 December 2018. (more…)
With the midterm election out of the way, legislators on Capitol Hill and in state capitols are getting ready to consider the future of data privacy regulation in 2019 and consumer and industry groups continue to weigh in on the ongoing debate. The debate has begun to move from principles and frameworks to drafting of legislative language.
* This article originally appeared in Law360 on September 27, 2018.
On September 5, 2018, the new Belgian Data Protection Act implementing the GDPR (the Belgian Act) was published and entered into force. Despite the GDPR being an EU regulation that directly applies to all EU Member States, several provisions of the GDPR explicitly allow, and even require, Member States to enact legislation which implements the law. Member States were expected to have this legislation in place by May 25, 2018, but the majority of Member States (including Belgium) did not meet the deadline. Since December 2017, however, Belgium has had in place a law implementing many of the more procedural provisions of the GDPR, namely the Act on the Establishment of the Supervisory Authority (the SA Act). The SA Act lays down the structure, powers and competence of the new Belgian Supervisory Authority, and also includes rules of procedure applicable to administrative proceedings before the Authority. (more…)
On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys. The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent. (more…)
In a statement of intent published on 7 August 2017, the UK Government has committed to updating and strengthening data protection laws through a new Data Protection Bill (the “Bill”). The Bill will incorporate the new EU General Data Protection Regulation (the “GDPR”) into UK law.
According to the UK’s Minister of State for Digital, Matt Hancock, the Bill will “give [the UK] one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.” (more…)
On April 26, the US District Court in Seattle granted the FTC’s motion for summary judgment against Amazon for providing allegedly inadequate parental controls to limit their children’s in-app purchases. Case No. C14-1038-JCC. The FTC alleged that the company’s failure to require more robust password re-entry meant that many in-app purchases by children resulted in unauthorized charges to the parents.