The APRA integrates children's privacy into broader consumer privacy programs, requiring companies to obtain affirmative consent for transferring minors' sensitive data.
The American Privacy Rights Act (APRA) is legislation that aims to reshape how companies handle the data of minors. Approved by a House subcommittee, APRA combines proposed updates to the Children’s Online Privacy Protection Act (COPPA) and a comprehensive privacy bill discussion draft.
Understanding American Privacy Rights Act
APRA forces companies to take a more higher-level approach to their compliance programs. Rather than treating children’s privacy as a standalone issue under COPPA, companies must now consider how kids and teens’ privacy fits into their broader consumer privacy programs. This shift requires practitioners and privacy professionals to rethink their strategies and adapt to a more integrated framework.
Sensitive Covered Data
One of the most significant ramifications of APRA is its inclusion of information about children under the rubric of “sensitive covered data.” Companies need affirmative consent to transfer any sensitive data related to children to third parties. Furthermore, these third parties can only process, retain, or transfer the data for the specific purpose for which consent was granted.
Preemption and State Laws
APRA preempts state privacy laws that cover the same requirements. However, it expressly does not preempt state data breach notification laws and state privacy laws related to employee, student, and health care privacy. This balance is meant to harmonize the balance between federal standards and existing state-level protections.
The Impact Of APRA on Kids’ Data Creates Confusion
APRA’s approach introduces complexity for companies. They must now navigate a landscape where children’s privacy is intertwined with broader privacy considerations. Compliance programs need to account for both COPPA-specific requirements and the comprehensive provisions of APRA.
Companies may struggle to align their practices with the new framework. Questions arise: How do we handle children’s data within our existing privacy programs? What additional safeguards are necessary? The lack of clear guidelines can lead to confusion and missteps.
“As far as compliance goes it opens up whole new problem for age information and age assurance,” said Amy Lawrence, Chief Privacy Officer and Head of Legal at SuperAwesome Inc. “How do you deal with a strict bar of processing a minor’s IP address? You would have to know everyone’s age.”
Educational institutions face unique challenges. Schools collect vast amounts of student data, including sensitive information. APRA’s provisions impact how schools handle this data, necessitating better coordination between educational policies and privacy compliance.
Compliance Issues With Kids Data Will Increase
The evolving landscape may require continuous adjustments to legal privacy professionals' expertise.
“APRA doesn’t do a great job of setting out a knowledge standard for a covered minor. Now it’s just anything directed to a child—which it creates the back and forth of what is considered as directed to a child,” Lawrence said before adding “I guess the FTC has to tell us.”
The American Privacy Rights Act represents a step toward enhancing children’s privacy. While it introduces complexity, it also encourages a more comprehensive approach. It reshapes compliance practices, challenges educational institutions, and demands vigilance from privacy professionals. As the bill progresses, stakeholders must collaborate to strike the right balance between protection and innovation.