Even as data privacy becomes an increasingly salient regulatory priority in the US, legislation remains fragmented, making it difficult for companies to stay in compliance with sensitive rules such as those concerning children’s privacy. Instead, argues Sourcepoint chief privacy counsel Julie Rubash, organizations would do well to bake children’s privacy into their strategies and operations from the get-go.
As digital privacy becomes a more pressing priority across the political landscape, legislators are shifting their attention to some of the most vulnerable internet users: children.
The federal government is imploring big tech to be more accountable for child privacy. President Biden made this priority clear in March during his State of the Union address, when he told Congress that it’s “time to strengthen privacy protections, ban targeted advertising to children [and] demand tech companies stop collecting personal data on our children.”
Part of this effort could include updating existing privacy laws, such as the Children’s Online Privacy Protection Act (COPPA), legislation passed in 1998 that outlines the personal information that websites can collect on kids under the age of 13. While COPPA was transformative when it was passed, a lot has changed in digital advertising, data ethics and data storage since then. There are also efforts under way to expand the scope of COPPA to protect the data privacy of youths over the age of 13.
In an age where some 95% of US children have access to the internet at home – and, per a study by Common Sense Media, a majority have smartphones in middle school – the digital world is now the new playground. To keep it safe, technology companies, marketers and advertisers need to reinvent their approach to engaging with users online.
The good news is that, with the right tools and strategies in place, it’s possible to preserve the internet as a space where children can socialize, learn and play – all without having to worry about potentially age-inappropriate targeting activities from advertisers.
The United States’ patchwork of privacy regulations
To be sure, the US is making strides in privacy; California, Virginia, Colorado and Utah already have comprehensive privacy laws on the books, and Connecticut is following suit. All such policies address children’s privacy, either as part of the definition of “sensitive data,” through a consent requirement or by referring to COPPA; some language even goes beyond COPPA to encompass teens between the ages of 13 and 16.
However, the patchwork nature of these regulations leaves much to be desired, and children’s privacy compliance has yet to be sufficiently operationalized by the industry. Broadly speaking, advertisers lack visibility into whether the inventory they are targeting is directed to children, so it’s easy for kids to fall through the cracks and become subjected to programmatic algorithms and ad targeting.
However, as Biden has indicated, privacy regulations for children are now receiving greater attention at the federal level. The US Federal Trade Commission (FTC) is currently determining whether to prioritize the enforcement of COPPA in educational technology – an issue that’s more urgent than ever in light of the pandemic and increased remote learning.
As digital privacy for children takes center stage, participants in digital advertising would be wise to take a proactive approach to prepare for the privacy-fueled future. And publishers aren’t the only ones subject to enforcement. For example, the advertising platform OpenX was forced to pay $2m to settle the FTC’s allegations that it collected the information of children under 13 without proper consent.
If companies across the industry want to avoid similar repercussions, they need to start prioritizing children’s data privacy today.
How to build a safer internet for children
To protect children online, companies need to re-architect the internet and rebuild their advertising strategies with youngsters’ welfare in mind. Here are some ways to make that happen.
1. Don’t collect data from children
First and foremost, brands need to avoid collecting data from websites directed to children that don’t employ appropriate age-gating (where permitted) or obtain appropriate consent. One way to do this is by monitoring and filtering out inventory that includes activities, language and images that are likely to attract children.
For properties where an age gate may be legally permitted, brands may work with publishers that prompt users to confirm their age before letting them access a digital property. In most cases, a simple, “Yes, I’m at least 13,” or a property that gives users the chance to keep trying until they get it right won’t cut it.
2. Understand how media inventory suppliers approach data protection
Brands also need to assess the media inventory suppliers they work with to ensure they are protecting customer data. By doing due diligence to make sure they are only giving business to publishers that prioritize privacy, advertisers can encourage publishers and website owners to re-adjust their strategies and build a privacy-first approach into the foundation of their own operations.
3. Adjust your strategy depending on different markets, campaigns and brands
Since privacy laws are fluid, brands need processes that enable them to customize and future-proof their approach. Luckily, it’s possible to set up scalable processes that allow the creation of custom rules for different markets, campaigns and brands. By looking at technological solutions as an alternative, brands could conceivably target adults with a specific campaign while ensuring the same ads aren’t served to minors. Plus, the right tools also allow marketers to add new standards – for example, in the event a new US privacy law is enacted – to ensure compliance with upcoming regulations.
The time to prioritize child privacy is now
Due to a confluence of factors – including the political climate and the now Democratic-majority FTC – companies would be wise to see the writing on the wall and modernize their strategies today. The sooner advertisers and technology companies prepare for this inevitable future, the sooner they’ll be in a position to thrive when privacy rules the internet.
Julie Rubash is chief privacy counsel at Sourcepoint.