In an increasingly expansive and hard-to-map digital world, protecting the privacy of young people online remains a top concern for parents.
According to a survey from Trusted Future, a non-profit dedicated to enhancing digital trust, most parents (92%) view technology as an important part of their children’s future; however, they also recognize the value of protecting their children’s personal data. In fact, 63% believe privacy protections should be a top priority for Congress.
Over the past year, numerous bills have been introduced, at least partly in response to parents’ concerns over their children's mental health and privacy. This legislative surge indicates that increased oversight is likely coming; however, data privacy laws protecting children are nothing new. Let’s explore the current regulatory landscape and the technology solutions enabling businesses to comply with existing global laws while preparing for those on the horizon.
Global laws for collecting and processing data from minors
Below are a few of the most prominent examples of global laws enforcing data collection and processing limitations.
The Children’s Online Privacy Protection Act (COPPA)
COPPA is a US federal law enacted in 1998 that applies to websites and online services directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13. To comply with COPPA, operators must post a clear and comprehensive online privacy policy; give parents direct notice, the ability to review the information collected from their child, the choice to prohibit disclosure of that data to third parties, and the option to prohibit further use or collection; take reasonable steps to maintain the confidentiality, security, and integrity of collected data; retain children's information only as long as it is needed and delete it afterward; and not condition a child's participation on providing more information than is reasonably necessary. Operators must also obtain verifiable parental consent before collecting personal information from children.
The General Data Protection Regulation (GDPR)
The GDPR is an EU regulation that applies to any organization established in the EU or the European Economic Area, and to any organization that offers goods or services to, or monitors the behaviour of, individuals in those regions, wherever the organization is based. It has applied since May 2018 and serves as a model for privacy laws worldwide.
Under this law, businesses are required to safeguard:
- Personally identifiable information (PII) such as names, contact numbers, email addresses, and addresses
- Other personal information including political party affiliation, ethnic origin, sexual orientation, and religious ideology
- Health data such as physician notes about a patient, test results, and genetic history
- Biometric data including fingerprints, facial patterns, and voice
- Online identifiers such as IP addresses and browsing activity, and financial data such as credit card numbers
The GDPR establishes standards for data transparency, purpose limitations, storage limitations, and data minimization and works to ensure accuracy, accountability, integrity, and confidentiality.
Under the law, children's data receives specific protection. Where an online service offered directly to a child relies on consent as its legal basis, the GDPR sets 16 as the age at which a child can consent on their own; below that age, consent must be given or authorised by a parent or guardian. Member states may lower this age, but not below 13. Belgium, for example, set it at 13, Spain at 14, and France at 15. Companies must also make reasonable efforts, taking available technology into account, to verify that consent was actually given or authorised by the parent or guardian, which in practice may mean implementing age verification measures.
California Consumer Privacy Act (CCPA)
The CCPA, which went into effect in 2020, is often described as California's counterpart to the GDPR. It applies to for-profit businesses that do business in California and meet at least one of the law's thresholds, which are based on annual revenue, the volume of consumers' personal information the business handles, and the share of revenue derived from selling that information.
A business is considered to be doing business in the state if it is organized or commercially located in California, has sales in California that exceed set amounts, or engages in any transaction for financial gain within the state.
Under the law, consumers have the right to request what information is being collected, the categories of third parties where data is shared, and the purpose of data collection prior to or at the time of collection. Consumers can also opt out of data sharing and request that their data be deleted without facing service limitations or price differentiators. Businesses must comply with consumer requests unless they impair the ability to provide core services.
The law also prohibits selling the personal information of a consumer the business has actual knowledge is under 16 unless the consumer has affirmatively opted in. For children under 13, a parent or legal guardian must provide that opt-in before any sale of the child's personal information.
California Privacy Rights Act (CPRA)
The CPRA is a data protection law that enhances the privacy rights of California residents. It’s considered an amended version of the CCPA and went into effect on January 1, 2023.
Unlike the CCPA, the CPRA applies to all organizations that collect the personal information of California consumers (and meet certain criteria) — not just those that collect it for commercial purposes. Under this law, organizations must give consumers control over not just whether their data is sold but also whether it is shared.
The CPRA also expands the private right of action consumers have against businesses that fail to implement reasonable security. For example, consumers can now sue over a breach that exposes an email address together with a password or security question that would permit access to the account.
The CPRA introduces several changes related to minors' data. After a consumer opts out, or a minor declines to opt in to the sale or sharing of their personal information, the business must wait at least 12 months before asking again. Violations involving the personal information of consumers under 16 carry administrative fines of up to $7,500 each. This adds specificity to the CCPA's general schedule, which allows up to $2,500 per violation and up to $7,500 per intentional violation, regardless of whether a minor is involved.
Colorado Privacy Act (CPA)
The CPA, which went into effect in 2023, is part of Colorado’s Consumer Protection Act. It provides consumers with rights over their personal data, including the right to delete and correct it and the right to opt out of its sale and use for targeted advertising.
The CPA includes specific protections for known children under the age of 13. For example, a parent or guardian must provide opt-in consent before a business can process a child's data for "any processing purpose other than the purpose disclosed at the time the minor's personal data is collected or a purpose reasonably necessary for the disclosed processing purpose."
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA, which became effective in 2023, protects Virginia residents' personal data. It governs the collection and processing of consumer data and requires controllers to give consumers the right to access their data and request that businesses delete their personal information.
Under the act, "sensitive data" is subject to additional requirements. For example, controllers cannot process sensitive data without first obtaining the consumer's consent. Sensitive data includes:
- Data concerning a person’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data for the purposes of uniquely identifying that person
- Precise geolocation data
- Personal data collected from a “known child,” which is defined as someone under 13
Brazil General Data Protection Act or Lei Geral de Proteção de Dados (LGPD)
The LGPD sets rules for how personal data must be collected, handled, stored, and shared by companies that operate in Brazil, process data in Brazil, process the data of individuals located in Brazil, or process data in order to offer goods or services in Brazil.
Under the LGPD, businesses must obtain the consent of a parent or legal guardian before processing children's personal data, unless collecting the data is necessary to contact the child's parents, guardians, or legal representatives. Businesses must present information about the data requested in a clear and accessible manner and specify the purpose and use of the data collected. They must also make "reasonable efforts," using available technology, to verify that consent was actually given by a parent or legal guardian.
Optimize your age verification system for compliance
Regulations governing the collection and use of minors' data change frequently and vary across regions and jurisdictions. For this reason, it's critical that companies implement flexible age verification systems that can adapt quickly as existing regulations change, new regulations emerge, and the business expands into new markets.
Look for an age verification solution that enables multiple forms and methods of age verification such as government ID checks and selfie verification. For example, Persona’s age verification system provides configurable building blocks for teams to create their ideal end-to-end identity flow and choose from a robust library of verification methods.
Many regulations also require specific security protections for PII, especially for minors. Your age verification system can meet the baseline by retaining data only for a limited, defined period, storing only what the check actually needs (the outcome of the check rather than the underlying identity documents wherever possible), encrypting data at rest and in transit, and limiting access to the people whose job functions require it.
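The two engineering points above, the jurisdiction-dependent consent thresholds described in the GDPR and CCPA sections and the data-minimization and retention requirements in the preceding paragraph, can be combined in a small policy layer. The following is an added illustration written for this page, not Persona's product code. The only thresholds it encodes are the ones stated on this page (COPPA under 13; GDPR 16 by default, with Belgium 13, Spain 14, France 15; CCPA parental opt-in under 13 and the minor's own opt-in from 13 to 15). Everything else, including the record layout, the 30-day retention window, and the in-memory store, is an assumption for the example; a real deployment would back the store with an encrypted, access-controlled datastore.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from enum import Enum


class Consent(Enum):
    NONE_REQUIRED = "no additional consent required"
    PARENTAL = "parent or guardian consent required"
    SELF_OPT_IN = "minor's own opt-in required before sale or sharing"


# GDPR consent ages as stated on this page; "DEFAULT" is the Article 8 default of 16.
GDPR_CONSENT_AGE = {"DEFAULT": 16, "BE": 13, "ES": 14, "FR": 15}


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today.

    Comparing (month, day) tuples handles the Feb 29 edge case: in a
    non-leap year the birthday is treated as reached on Mar 1, not Feb 28.
    """
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def consent_requirement(regime: str, region: str, dob: date, today: date) -> Consent:
    """Map a regulatory regime, region and date of birth to the consent needed.

    `regime` is one of "COPPA", "GDPR", "CCPA"; `region` is an ISO country
    code and only matters under GDPR. For CCPA the result concerns the sale
    or sharing of the minor's personal information, as described on this page.
    """
    age = age_on(dob, today)
    if regime == "COPPA":
        return Consent.PARENTAL if age < 13 else Consent.NONE_REQUIRED
    if regime == "GDPR":
        threshold = GDPR_CONSENT_AGE.get(region, GDPR_CONSENT_AGE["DEFAULT"])
        return Consent.PARENTAL if age < threshold else Consent.NONE_REQUIRED
    if regime == "CCPA":
        if age < 13:
            return Consent.PARENTAL
        if age < 16:
            return Consent.SELF_OPT_IN
        return Consent.NONE_REQUIRED
    raise ValueError(f"unknown regime {regime!r}")


@dataclass(frozen=True)
class AgeCheckRecord:
    """Only the outcome is kept; the date of birth and any ID image are not stored."""
    user_id: str
    consent: Consent
    checked_at: datetime
    expires_at: datetime  # retention limit, after which purge_expired() removes the record


class AgeCheckStore:
    """Assumed in-memory store used to show minimization and retention; not a real backend."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._records: dict[str, AgeCheckRecord] = {}

    def record(self, user_id: str, regime: str, region: str, dob: date, now: datetime) -> AgeCheckRecord:
        consent = consent_requirement(regime, region, dob, now.date())
        rec = AgeCheckRecord(user_id, consent, now, now + self.retention)
        self._records[user_id] = rec  # dob goes out of scope here; nothing retains it
        return rec

    def get(self, user_id: str):
        return self._records.get(user_id)

    def purge_expired(self, now: datetime) -> int:
        """Delete records whose retention window has elapsed; returns how many were removed."""
        expired = [uid for uid, rec in self._records.items() if rec.expires_at <= now]
        for uid in expired:
            del self._records[uid]
        return len(expired)


if __name__ == "__main__":
    # Constructed sample input: a user born 28 Feb 2011, checked on 1 Mar 2024 (age 13).
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    store = AgeCheckStore(retention=timedelta(days=30))
    for regime, region in [("COPPA", "US"), ("GDPR", "DE"), ("GDPR", "BE"), ("CCPA", "US")]:
        rec = store.record(f"user-{regime}-{region}", regime, region, date(2011, 2, 28), now)
        print(regime, region, rec.consent.value)
    print("purged after 31 days:", store.purge_expired(now + timedelta(days=31)))
```

The `age_on` helper is the part most often got wrong in home-grown gates: a naive `(today - dob).days // 365` drifts by a day around leap years and can flip a 13th birthday to the wrong side of a threshold. Because the store keeps only the consent outcome and an expiry, a purge job plus encryption of the backing store covers the retention and confidentiality points above without ever persisting the child's date of birth.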
Ensure your age verification accounts for user experience
Age verification technologies range from simple to complex. It's important to find the right amount of friction: enough to stop underage users slipping through, but not so much that your target customers give up. If the process is too basic, minors can pass through undetected, creating compliance exposure. If it is too complex and cumbersome, users will drop out of onboarding or take their business elsewhere.
You’ll want to adopt age verification processes that prioritize simplicity, transparency, and accessibility. For example, Persona’s age verification system helps reduce user drop-off by guiding users through the verification process, leveraging auto-capture to minimize data entry errors, and allowing users to switch between devices. Persona’s age verification typically takes around 5 seconds for users to complete, enabling them to start using your services faster.
Your age verification system should also let non-technical teams make changes without engineering support, so that compliance and user experience teams can iterate based on drop-off and conversion rates. For instance, Persona offers a no-code solution that enables businesses to test different user flows, incrementally improve conversion rates over time, and adapt to user preferences in new markets.
Lastly, the system should offer multiple verification methods and allow users to choose the most convenient option to enhance accessibility and accommodate diverse preferences and circumstances.
Simplify global expansion of age verification with Persona
Persona's age verification system enables your business to comply with existing data privacy regulations while remaining flexible as legislation changes. Our platform is built to comply with applicable regulations and industry standards, including GDPR and CCPA. With Persona, compliance teams can be assured that current security and privacy requirements are met when entering new markets.
Need flexible and compliant age verification? Contact us to learn more or get started for free.