March 8, 2019

 

California Department of Justice
ATTN: Privacy Regulations Coordinator
300 S. Spring St.
Los Angeles, CA 90013

Re: Comments on the CCPA

The Toy Association, Inc., on behalf of its members, appreciates the Attorney General’s effort to solicit input from stakeholders on the California Consumer Privacy Act (CCPA) (Cal. Civ. Code §§ 1798.100– 1798.199) in advance of its rulemaking initiative. By way of background, The Toy Association represents more than 1,100 businesses – toy manufacturers, importers and retailers, as well as toy inventors, designers and testing labs – all involved in bringing safe, fun and educational toys and games for children to market. The U.S. toy industry contributes an annual positive economic impact of $109.2 billion to the U.S. economy. The Toy Association and its members work with government officials, consumer groups, and industry leaders on ongoing programs to ensure safe play, both online and offline. The toy industry is deeply committed to privacy, security and product safety, and supports strong and effective standards to protect consumers. We support principles of transparency, notice, consumer choice, access, correction and deletion rights for consumers, and reasonable security, all part of the objectives of the CCPA.

Our members not only create toys that are physically safe for children to play with, but also engage with children, as well as parents, online. Protecting children and maintaining the trust of parents are the most vital concerns for the toy industry. Toy industry members are heavily regulated by an extensive set of preemptive laws, including the Children’s Online Privacy Protection Act of 1998 (COPPA) (15 U.S.C. §§ 6501–6506), and a variety of product safety laws, such as the Consumer Product Safety Act (CPSA) (codified at 15 U.S.C. §§ 2051-2089) and Federal Hazardous Substances Act (FHSA) (15 U.S.C. §§ 1261-1278), as modified by the Consumer Product Safety Improvement Act (CPSIA). Thus, the toy industry is uniquely qualified to comment on consumer privacy and data security issues raised by this new California law and potential conflicts with federal law in light of CCPA §1798.196 with a view to promoting more clarity.

Our comments focus on six key issues:

  • Preemption language of COPPA and the CCPA, and key inconsistencies between the CCPA and the COPPA statute and rule.
  • Key definitions, including “personal information” and “selling.”
  • Operational burdens of the CCPA, including the mandatory “Do Not Sell My Personal
  • Information” button and mandatory options for submitting access requests.
  • Covered businesses will include many very small companies operating in California.
  • Implications of a private right of action for security breaches.
  • Recognizing safe harbor programs.

The above does not represent a comprehensive list of all potential issues affecting our members.

Attachment A provides a matrix with an overview of our comments for convenient reference.

CCPA Recognizes the Preemptive Effect of COPPA

Section 1798.196 of the CCPA contains a general preemption section, stating:

This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the California Constitution.

Congress expressly created a national preemptive regime governing children’s privacy when it enacted COPPA in 1998, stating:

No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.

See 15 U.S.C. §6502(d). Thus, although the CCPA does not expressly mention COPPA in the list of federal laws that preempt the CCPA at §1798.145, the CCPA recognizes the preemptive effect of COPPA.

While many Toy Association members deal exclusively with parents and adult purchasers, a significant number of our members offer digital experiences directed, primarily or secondarily, to children under 13. While our members are affected by the CCPA in all their operations, definitional inconsistencies between the CCPA and COPPA and new CCPA obligations are in conflict with COPPA and create confusion. The COPPA approach, which balances privacy harms with burdens to consumers and businesses, provide some useful guidance to consider in implementing the CCPA.

Key CCPA Definitions Conflict with COPPA

When Congress enacted COPPA, it established a national legal framework for children’s privacy that reflects a common-sense harms-based approach. In other words, COPPA seeks to balance privacy risks to children under 13 for certain types of data collection, use and sharing with a recognition of business needs and consumer convenience through its definitions, exceptions, and “sliding scale” approach to parental consent. The CCPA’s broad definitions of “personal information” and “sale” risk undermining privacy-safe practices authorized under COPPA. The apparent requirement that a business obtain parental consent any time a business engages in the “sale” of “personal information,” for example, conflicts with COPPA due to the overbroad definition of both terms. Likewise, imposing an opt-in consent process on businesses who “sell” information concerning individuals 13 – 16 would impose unnecessary limits on necessary and useful business operations that COPPA recognizes do not require parental consent when the data involves children under 13. Concepts from the approach in COPPA might be usefully applied to advance the CCPA objectives in protecting the privacy of teens 13 – 16.

We highlight below three key major inconsistencies between provisions of the CCPA and COPPA: the reference age of a “child,” the definition of “personal information,” and the definition of a “sale.” We also provide examples of how COPPA’s risk-based approach allows for privacy-safe interactions without burdening parents, children or businesses with consent obligations.

Who Is a Child

The CCPA and COPPA define “children” very differently. COPPA defines a “child” to include children “under 13” (see 15 U.S.C. §6501(1)). Congress established this age cut-off deliberately, recognizing that teens have their own sphere of privacy and parental consent models will never work effectively with the teen population. This reference age aligns with the definition of a child under the Consumer Product Safety Improvement Act, which refers to products designed and intended primarily for children 12 and younger. Thus, for both informational safety and physical product safety purposes – key issues for toy industry members - federal law recognizes that the at-risk population should be defined as under 13. The CCPA, in contrast, does not define “children” in the definitions section at §1798.140. Instead, §1798.120(d) prohibits a business with actual knowledge that a consumer is under 16, from “selling” (defined to include sharing) personal information of such individual absent consent of a parent or guardian for those under 13, or the individual’s opt-in consent, for those 13 – 16.

While the CCPA imposes a parental consent obligation on all information collected and “sold” when a business has “actual knowledge” that an individual is under 13, COPPA creates a framework under which online services primarily directed to children are obligated to assume that they are dealing with a child under 13. Businesses with actual knowledge that they are dealing with a child under 13 are also subject to COPPA.

We briefly discuss below how the CCPA’s approach to managing data from children and teens under §1798.120(d) conflicts with COPPA, and would impose unworkable and unnecessary operational restrictions on businesses without advancing privacy. From this standpoint, the CCPA’s overbroad definitions of “personal information” and “selling” must be reviewed together to understand those inconsistencies and the public policy and business implications as a result.

“Personal Information” and “Selling” Under the CCPA

COPPA, last amended by the Federal Trade Commission (FTC) in 2013 (78 Fed. Reg. 3,971 (Jan. 17, 2013)), has been in force for more than 20 years since enactment, and has been revised several times to reflect changes in the online landscape. The COPPA Rule, consistent with the harms-based approach established by Congress, excludes certain data collection and uses from the obligation to obtain parental mandating consent because risks to children versus burdens on parents and businesses do not warrant it. See 16 C.F.R. §312.5(c). The CCPA’s blanket obligation that businesses obtain parental consent before “selling” any type of personal information of children, as broadly defined in the CCPA, is at odds with COPPA.

The CCPA defines “personal information” at §1798.140(o)(1) to include a broad variety of data generally, including data traditionally considered to be anonymous, such as an alias, or an Internet Protocol (IP) address, as well as browsing history. Section 1798.140(o)(2) excludes from the broad definition of “personal information” only “publicly available” information. Yet COPPA permits the collection of certain information – including limited personal contact information, like an e-mail address - without parental consent in a number of circumstances. For example, operators can collect a child’s email address for certain purposes, and can ask a child to furnish a parent’s email address to contact a parent and obtain consent. COPPA recognizes that absent a vehicle to request some type of contact information about a parent from a child, there would be no way to provide notice to parents and start any necessary consent process. These COPPA-permitted types of data collection, use and sharing are not reflected in the CCPA.

Consistent with COPPA, an operator can also collect a user name (potentially an “alias” under the CCPA) and a password from a child under 13, and link it to a device identifier such as an IP address, to recognize a returning child visitor. This allows for some personalization with limited risk to a child’s privacy, without the need to collect any personal contact information or to obtain parental consent. The COPPA Rule recognizes that this type of limited data collection will allow businesses to enhance a child’s online experience by, for example, allowing a child to save game scores in an online game, and that this involves no risk to children that would require parental consent. Characterizing an “alias” as per se personal information thus is in conflict with COPPA. Likewise, an operator under COPPA can collect an IP address or other persistent identifiers used over time and across websites solely to support an online service’s internal operations without either obtaining parental consent or providing notice. 16 C.F.R. §312.5(c)(7). The FTC rejected the notion that parents should have to consent to the collection of this type of anonymous information to support its operations, as doing so would have forced companies to block child visitors and obtain parental consent before any type of interaction, preventing them from serving children in a privacy-safe way. It goes without saying that such collection and use fall outside parental access and deletion obligations. Notably, this exception does not cover data collected for online behavioral advertising purposes, which is strictly prohibited under COPPA absent parental consent.

Under the COPPA Rule, IP addresses and other information can be collected and shared to support the internal operations of a website or online service so long as the information collected for such purposes is not used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose. 16 C.F.R. §312.2. Support for internal operations means those activities necessary to:

(a) maintain or analyze the functioning of the website or online service;

(b) perform network communications;

(c) authenticate users of, or personalize the content on, the website or online service;

(d) serve contextual advertising on the website or online service or cap the frequency of advertising;

(e) protect the security or integrity of the user, website, or online service;

(f) ensure legal or regulatory compliance; or

(g) fulfill a request of a child as permitted by these guidelines.

The FTC also specified when it updated the COPPA Rule in 2013 that support for internal operations also includes activities such as intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, or de-bugging. See 78 Fed. Reg. at 3,981.

Collection and sharing of this type of information is essential to provide services and manage business operations, and COPPA recognizes that imposing a parental consent obligation for such uses would burden businesses and parents without advancing children’s privacy. Consistency in approaches is therefore vital.

Conflicts between COPPA and the CCPA are exacerbated by the CCPA’s definition of “sale.” The CCPA establishes that a business does not “sell” personal information under certain circumstances, but those circumstances are confusingly described at §1798.140(t)(2)(C):

(C) The business uses or shares with a service provider information of a consumer that is necessary to perform a business purposes [sic] if two conditions are met: services that the service provider performs on the business’ behalf, provided that the service provider also does not sell the personal information.

(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.

(ii) The service provider does not further collect, sell or use the personal information of the consumer except as necessary to perform the business purpose.

The inartful wording in the CCPA definition creates confusion and potential conflicts with COPPA. The language also appears inconsistent with the exemption from the obligation to delete personal information upon a consumer’s request in §1798.150(d).

Most online services – whether or not they are directed to children - cannot function without collecting and sharing a variety of data that helps support internal operations. The COPPA Rule exceptions thus recognize that for businesses to function, they must be allowed to collect and share certain types of data without parental consent. This allows businesses that offer child-directed online services to offer those services to children in a privacy-safe manner that gives businesses the flexibility to responsibly manage online operations.

Requiring that businesses must obtain the opt-in consent from teens 13 – 16 before a California business can share any type of “personal information” used to support operations and functionality fails the risk balancing test that undergirds the COPPA “support for internal operations” exception. Imposing such an obligation risks undermining customer service and consumer convenience without materially enhancing teen privacy. The common-sense approach of the COPPA Rule thus can usefully be applied not only to children’s data, but to collection and sharing of all similar data from teens subject to the CCPA. However, this requires addressing the confusing and inconsistent statutory language.

The CCPA’s Operational Burdens

Definitional Inconsistencies Add to Burdens

Operational compliance burdens imposed by the CCPA are exacerbated by inconsistencies in the Act’s definitions and obligations. For example, §1798.140(o) excludes from the definition of “personal information” only “publicly available” information. However, a business does not “sell” personal information under circumstances that are confusingly described in §1798.140(t)(2)(C), as noted above, and is not obligated to delete personal information under §1798.104(d) under circumstances that seem to reflect, at least in part, activities that would constitute “support for internal operations” under COPPA. It appears that the drafters may have intended to cover activities that qualify for the COPPA exemption for “support for internal operations,” but the inartful wording creates confusion and potential conflict. Likewise, defining a “service provider” in §1798.140(v) to only include an entity that operates under a written contract fails to recognize the widespread use of online agreements or other arrangements through which information might be shared to support internal operations.

Section 1798.125 of the CCPA prohibits discrimination against a consumer who exercises any of the rights set forth in the Act, including “denying goods or services to the consumer.” However, COPPA acknowledges that there are circumstances where a firm may terminate a child’s access to services if a parent refuses or withdraws consent. 16 C.F.R.§312.6(c). In fact, if a parent withdraws consent for an activity that requires verifiable consent, the business could not allow the child to continue to participate. This is not discrimination, but represents another conflict between the CCPA and COPPA.

Home Page Button Is Burdensome

Another example of a significant burden is the requirement for a “Do Not Sell My Personal Information” button at the home page of a website. Notably, child-directed online services are strictly limited from “selling” a child’s personal information to third parties for behavioral advertising or other purposes absent parental consent. Thus, this California-specific requirement is not applicable to child- directed online services and represents another inconsistency with COPPA. More generally, our members are concerned that requiring yet another California-specific link at a company’s home page (on top of obligations to provide a link to California privacy rights and California Transparency in Supply Chains Act disclosures) is burdensome. Those burdens will become even greater if other states adopt similar state-specific requirements.

Mandating Two Modes for Consumers to Submit Access and Deletion Requests is Burdensome

Toy industry members are subject to specific obligations under COPPA to verify that an individual requesting access to a child’s personal information is a parent. 16 C.F.R. §312.6. The CCPA does not clearly limit requests to access the data of children under 13 to a parent. COPPA does not specify the specific mode or method for a parent to exercise this right, which is left to the business, thus reflecting another area where the CCPA conflicts with COPPA. The CCPA requires covered businesses to offer both a toll-free number and a web option. This will be burdensome for businesses and conflicts with the approach under COPPA.

Impact on Small Businesses

The majority of The Toy Association’s 1100 members are small businesses. While over 600 of our members have offices in California, virtually all of our members will be affected by the CCPA due to its broad scope. Section 1798.140(c) establishes that any business that meets any one of several criteria is subject to the Act. It is unclear if §1798.140(c)(1)(A), which refers to businesses with revenues of $25 million or more, is intended to apply to businesses with that level of revenues from California operations or to total revenues. More significantly, the CCPA covers businesses that “sell,” alone or in combination, the personal information of 50,000 or more consumers, households, or devices. See §1798.140(c)(1)(B). Because device identifiers are defined as personal information, and “selling” includes sharing, including for ill-defined activities that fit COPPA’s definition of support for internal business operations, even if the drafters intended this threshold to apply only to California consumers, very small businesses are likely to be covered. For example, assuming that an average two-person household has a minimum of 6 devices (a computer, phone and tablet) – which, with the growth of connected devices is likely an underestimate - businesses reaching just 8,334 California households are likely to be covered by the requirements. Thus, the law will affect very small businesses indeed.

Additionally, the definition of “consumers” simply as California residents at §1798.140(g) could affect business operations that involve employees acting purely in an employee capacity. This could include employees principally handling machine to machine communications. For example, if an employee has to log into a machine to manage manufacturing operations (which would be necessary for company security and related reasons), the employee log-in appears to trigger CCPA requirements. Employee activities should be excluded from the CCPA.

Private Right of Action

Neither the preemptive COPPA framework nor the framework of preemptive federal laws governing the physical safety of toys allows for a private right of action. The CCPA creates a novel private right of action for security breaches. Moreover, the CCPA does not establish a statute of limitations for bringing such actions. The toy industry opposes a private right of action. While the right is currently limited to breaches of unencrypted sensitive information, and thus applies only to specific types of “sensitive” information defined elsewhere in California state law, we urge elimination of a private right of action.

Safe Harbors

COPPA imposes a general obligation that businesses “[e]stablish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children.” 16 C.F.R. § 312.3(e). The FTC has provided a variety of general business guides on security measures generally, and the National Institute for Standards and Technology (NIST) has issued a management framework for security that provides a flexible approach. Congress provided a framework to provide incentives for self-regulation when it enacted COPPA. 16 U.S.C. §6503. COPPA allows for establishment of safe harbor organizations. Complaints involving members of safe harbor organizations recognized by the FTC are referred to the safe harbor organization. This, rather than a private right of action, would be a better alternative to promote compliance. We urge the Attorney General to consider a process to recognize such programs. At a minimum, the Attorney General should provide examples of “reasonable security” of the covered sensitive data that would insulate companies from unnecessary litigation, recognizing that security continues to evolve and that a measure of flexibility is essential.

Other Issues

Other areas of concern exist as well.

For example, the CCPA may prevents marketers from offering loyalty programs, which is a key way in which brands build consumer relationships and affinity and offer discounts to consumers. As currently written, CCPA’s non-discrimination provision at §1798.125 appears to prohibit tiered pricing, discounts or coupons, which are commonly used to reward loyalty customers.

As noted above, in addition to concerns about the practical implications that exist with extending obligations to “households,” these definitions would appear to require a business to allow any member of a household to access information about everyone in the household. This may create a new series of privacy concerns about how to protect the rights of children, teens and adults from violations of privacy or abuse of information from other household members.

Finally, from a resource burden perspective clarity is needed around whether businesses must create individualized privacy policies for each consumer to disclose the “specific pieces of personal information the business has collected about that consumer” per §1798.110(a)(5).

Conclusion

The toy industry is second to none in its support for strong national consumer privacy and safety frameworks. We hope this submittal will assist the Attorney General as it studies the potential impact and implications of the CCPA on consumers and businesses. Please contact Ed Desmond at edesmond@toyassociation.org or Jennifer Gibbons at jgibbons@toyassociation.org if you would like additional information on our industry’s perspective.

Sincerely,
Steve Pasierb

Steve Pasierb
President & CEO
The Toy Association

Enclosure