Bytesize Legal Updates | Fieldfisher

Bytesize Legal Update: The evolving legal landscape of the requirements for age assurance

January 19, 2024 Fieldfisher Season 2 Episode 2

The FTC's proposals to amend COPPA and the updated Information Commissioner's Opinion on Age Assurance are just two of the most recent updates in the area of Age Assurance. With governments and regulators heavily prioritising children's data and their online safety, understanding when you need to implement Age Assurance and how to select the most appropriate method for your business is increasingly important.

In this Bytesize Legal Update, Fieldfisher's James Russell and Lorna Cropper explore the key influences in this area as well as the main practical takeaways for any business or organisation that is likely to be accessed by children.

Bytesize Legal Update - FTC COPPA Proposals & Age Assurance

James: [00:00:00] Hi, I'm James, 
Lorna: And I'm Lorna.

James: and we're both technology and data specialists at Fieldfisher. Shortly before the end of the year, we saw the FTC announce that it'll be overhauling COPPA. Today, we're looking at the legal position on age assurance around the world.

Frequent podcast listeners will be aware that the UK's Online Safety Act has now received royal assent, whilst the EU's Digital Services Act is now applicable for the largest platforms and will be applicable for the smallest ones next month. 

The U.S. clearly wants to bring itself into line with some of these trends that we're seeing worldwide with the FTC's announcement about its plans to overhaul COPPA - and interested stakeholders have until 11th March to respond. So Lorna, thanks for joining us. So what is the FTC proposing? What are the main changes? And what does all this have to do with age assurance?

Lorna: Thank you, James. First of all, these [00:01:00] are only proposals and the 60 day consultation period is now running. Given that it has been more than 10 years since COPPA was last amended, it's likely we will be seeing a number of changes. The proposed overhaul looks to make the provisions of COPPA more strict, for example, requiring separate opt in for targeted advertising, limiting nudge techniques for children online, and a general strengthening of data security requirements.

These aspects do align with what's happening in the UK and EU, but the biggest difference is the age requirements. COPPA will still only apply to children under 13, whilst in the UK, EU and elsewhere, the definition of a child is an individual under 18.

James: Right. So it's more important than ever that businesses understand the age of the users that they're [00:02:00] offering their services to. That makes sense. Before we dive in then, would you maybe be able to just make sure we're all on the same page with what we're talking about when we say age assurance? Is there a difference when we're talking about age assurance and age verification?

Lorna: Certainly, James. So age assurance for children, anyone not overly familiar with assisting or supervising children online, is a way in which companies can provide age appropriate services. Similarly, companies providing alcohol online or pornography can ensure that users are the appropriate age for which those services can be provided in their jurisdiction such as 18 plus in the UK.

Age assurance is often an umbrella term for the different methods which offer varying levels of certainty in relation to the age or age range of online users. So [00:03:00] age estimation, which is the process of estimating the user's age or age range, for example, uses algorithms and artificial intelligence. Age verification is where proof of the user's age or age range is established via records of data, such as hard identifiers, which includes formal ID documents such as a passport.

Age verification provides a higher degree of certainty in determining the age of the user. Strictly speaking, age assurance does not include methods such as users entering their date of birth. This is referred to as self declaration or ticking a box to confirm an age. These methods can be used, but generally in conjunction with others, if that is the most appropriate method for the type of service the business is [00:04:00] offering and the data that it's processing.

The ICO, for example, advises that self declaration by itself is only used for the lowest risk data processing. 

James: Right. And with fines in the Digital Services Act and Online Safety Act exceeding those we've seen under the GDPR, as well as this general increased focus on prioritizing children, this is clearly a key area that companies are going to want to be focusing on. 

So, before we move on to what's changing, Lorna, can you just bring us up to speed on what the current requirements in this area are?

Lorna: Sure. So it might first just be worth highlighting that the requirements for age assurance mechanisms online and the available technology are still maturing.

James: Oh, I see what you did there.
 
Lorna: So, for some time, online services have been required to identify when they are dealing with children in a variety of contexts. As we mentioned at the [00:05:00] outset, COPPA was one of the leading pieces of legislation which required website operators to obtain verifiable parental consent for children under the age of 13.

Similarly, in 2018, the GDPR introduced the concept of digital age of consent under Article 8. This requires data controllers to make reasonable efforts to verify consent is being given by an adult with parental responsibility where they are processing the personal data of a child under 18 or in fact up to 16 according to member state law.
The difficulty with this derogation under the GDPR is for those operating across the EU, there is a patchwork of ages from 13 to 18. With respect to COPPA, age [00:06:00] assurance has traditionally always been assessed according to a risk based approach in proportion with the intended purposes. For example, sending an email to the parent has often been considered sufficient where the data was used for internal purposes only, and not shared with third parties.

However, as we have heard, it looks like things are going to be changing under COPPA. Equally, under the GDPR, the obligation has been explicitly limited to the caveat "take into consideration available technology, including state of the art". The available technology, though, is now growing in sophistication, and regulators are requiring that companies have a thorough understanding of who their users are.

With news headlines of underage users accessing social media and certain games, [00:07:00] there's a significant pressure on businesses to get this right.

James: I see. And so in terms of these growing technologies that you mention, what do you think are some of the most important developments that businesses need to be looking at right now?

Lorna: Well, certainly, you know, be considering the better tools and technology. In recent years we've seen the development of quite a few more sophisticated tools that will enable the support of more stringent requirements to authenticate the age of the user. So there's been a shift from age verification to age estimation tools.

We've seen some of the bigger names in this arena, such as Yoti and SuperAwesome, for example, recently apply to the US FTC alongside the Entertainment Software Ratings Board, which is the US equivalent to PEGI in Europe, to have the privacy protective [00:08:00] facial age estimation technology recognized as an acceptable parental consent mechanism under COPPA.

As explained by the Age Verification Providers Association, these kinds of technology have the advantage of not needing to retain any information about an individual as the result is immediate and the facial image can be instantly deleted. Yoti also participated in the ICO sandbox, which enabled it to engage with the regulator and benefit from the regulator's expertise and advice on mitigating risks and implementing data protection by design.

Whether one age estimation, assurance or verification system will be endorsed by regulators remains to be seen. However, with industry standards like an ISO code on age assurance systems and [00:09:00] industry bodies continuing to progress in this area, together with regulators becoming more familiar with how to measure these technologies, we can expect that they will only become more accurate and commonplace.

However, to date, there's no one perfect solution and businesses need to adapt to what is available.

James: Yeah, it sounds like the technology on age assurance and individual's age is just improving all the time. But there's still some work to be done before it comes to age, especially with respect to children age 13+ which I know was highlighted in the study which Ofcom and the ICO jointly requested.

Lorna: Yes, indeed. And this is particularly around the 13 plus or identifying who is over 18, given that so many of the online social media platforms and games, it's a very crucial age. And in many ways, this is often the most challenging [00:10:00] age to assure, but which is so important due to those terms of use and the regulation around that age.
And as mentioned, you know, Ofcom and the ICO in the UK are continuing to research on what is the best solution here.

James: Yeah, so it sounds like although we've got these improvements all the time, people are still going to need to sort of keep an eye out and keep up to date. So what does this mean then for businesses operating services that have child users? We understand that regulators want businesses to know the age of their customers and we've heard that legislation like the DSA and the OSA are going to be more stringent about this. And that's not even mentioning the age appropriate design code and all those similar equivalents that seem to be proliferating.

But you mentioned, Lorna, that it sounds like there are going to be quite a few of these services out there. So what would you suggest that companies need to be looking for if they're trying to engage a third party age estimation service?

Lorna: Well, firstly, it [00:11:00] might not always be appropriate for all businesses to implement a third party age estimation service. So, before engaging, it's important for the business to assess, document, and be able to evidence that the age assurance mechanism that they have selected is suitable for the categories of data that they are processing and the purposes for which they're processing that data.

For accountability purposes, the company also needs to be able to demonstrate that their chosen mechanism works in practice. Consideration also needs to be given to Ofcom's age verification guidance for the UK market when it becomes available later this year, as well as requirements from the EU, US and other jurisdictions in which the business is operating.

It's inevitable we're going to see a lot more activity in this area [00:12:00] and given the need to regularly monitor the state of the art, as well as be able to demonstrate that the mechanism you adopt works in practice for your business, it is an area that the business needs to proactively manage and monitor.

Age assurance requirements online are most definitely maturing, and together with other measures, they can provide a safer online environment for children, which is the objective of governments, civil society, and businesses themselves.

James: Absolutely. Well, thanks, Lorna. I think that's almost all we have time for. But just before we wrap up, Lorna, would you maybe be able to give our listeners just a rundown of some of the key points and takeaways that they need to think about in this area?

Lorna: Yes, of course, James. So I think the first point is to focus on your user base and determine whether children are likely to access your service. Where children are using your service, then you need to be [00:13:00] confident that you understand the age and age range of those child users. Secondly, as with any data protection matter, how high is the risk profile of the data you're collecting?

The higher the risk, the more robust the age assurance mechanism you will need. It's important to understand that civil society and regulators are extremely active in this area and will create avatars of a child profile to determine how compliant your age assurance methods are. So it would be good to get in before them and test your own systems.

Lastly, as the Digital Services Act becomes applicable for smaller operators next month in the EU and we prepare for Ofcom's children's code consultation expected in spring this year, businesses will need to make changes to address these developments and ensure [00:14:00] that their platforms are safe for children online as well as the data that they are collecting.

The agreed position, certainly from government, to ensure safety online is to have an effective age assurance mechanism in place that is proved and tested.

James: Thanks, Lorna. That's really helpful. And thank you for joining us on this latest episode of Fieldfisher's Bytesize Legal Podcast, your source for concise legal updates on the key legal developments in technology and data protection law. If you have any questions about today's update, don't hesitate to reach out to us, and if you found it useful, do make sure to give us a like or review on Apple Podcasts, Spotify, or whatever your podcast channel of choice may be.

Thanks for taking the time to listen, and we'll see you next time.