Key Takeaways

  • Age Range Expansion: COPPA may soon cover minors up to age 16, significantly broadening its scope and impact on digital advertising. 
  • Broader PII Definition: Personally Identifiable Information now includes persistent identifiers, images, and voice recordings, expanding compliance requirements. 
  • Consent Processes: Different consent requirements for under-13s (parental consent) and 13-16 year-olds (potential self-consent), affect user engagement strategies. 
  • Retargeting Restrictions: KOSPA may prohibit retargeting of all minors, dramatically impacting current advertising practices. 
  • Compliance Urgency: Recent large fines (e.g., Epic Games' $520 million) underscore the critical importance of COPPA compliance for businesses.

Children's online safety is rapidly becoming a critical focus for lawmakers, presenting both challenges and opportunities for digital platforms, publishers, and advertisers. 

It’s probably not news to you that the digital landscape is evolving, fast. And if we want to keep kids safe online, legislation like COPPA needs to evolve along with it. And that’s exactly what’s happening. The Kids Online Safety and Privacy Act (KOSPA) recently passed the US Senate and currently sits before the House of Representatives

KOSPA combines two related pieces of legislation (at least one of which will sound familiar): 

The new legislation would expand protections to teenagers up to and including age 16, introduce a duty of care provision for platforms used by minors, and place new restrictions on targeted advertising.

As a result, publishers and advertisers looking to reach younger audiences find themselves at a crossroads. 

So, what's a digital platform to do? We're glad you asked. 

Keep scrolling to review the full transcript of our recent Playwire Live event featuring Paul Chenier, EVP of Global Sales at Playwire, Noah Forster, CXO at Playwire, and Akhil Bhardwaj, kidSAFE Seal Program Manager of Safety and Privacy Audit Specialist, as they dive into the implications of COPPA 2.0 and where they believe the industry is heading in light of these new regulations.

Prefer watching to reading? Listen into the full discussion here:

 

The Basics: What Is COPPA 2.0?

Paul: While COPPA is something everyone in the advertising and publishing space understands and knows about, I think there's a fair amount of confusion. I see it every day when I talk to advertisers and publishers, even people who are on the edge of experts.

Akhil: COPPA is a federal regulation in the United States—The Children’s Online Privacy Protection Act. 2024 is the first time we've seen a legislative amendment to COPPA since its inception in 1998. That's why this is big news.

The amendment – which is KOSPA (The Kids Online Safety and Privacy Act); you'll hear about it a lot in this call – has already passed the Senate, and it's likely to come up before the House next week [September 2024]. So whether or not it passes the House and becomes law post-presidential assent is speculative at the moment, but we will know either way in the next two months [before the end of 2024].

There’s so much confusion about COPPA because we keep hearing these numbers—COPPA 2.0 and 3.0—from the media. But often, what they’re really talking about is the underlying rules. 

Under the law, the FTC regulates this space through rules that they amend from time to time. This is distinct from the legislative amendment we’re seeing now. Under the FTC, there have, in fact, been multiple iterations of those rules that have come up. The FTC updated COPPA in 1000, and again in 2013. Then, in 2019, another amendment process was started. That’s what the media is referring to when they say COPPA 3.0. 

However, the legislation currently before the House of Representatives is COPPA 2.0.

So that's what's being referred to in the media as COPPA 3.0, even though Coppa 2.0 is what is currently before the House. We have these two parallel processes that are going on together, but that is generally the regulatory landscape for kids' privacy online. 

-- Article Continues Below --

New call-to-action

Read the Guide to COPPA Laws

Understanding Personally Identifiable Information (PII) and Consent

Paul: COPPA is the law of the land, and advertisers and publishers have to be aware of it. It deals with the collection of personally identifiable information. If you do collect that information on minors under the age of 13 specifically, there are massive consequences and implications. 

So why don't we start there? What is PII? What is consent? Can an advertiser, marketer, or publisher collect information if they have received consent to do it? What does that process look like, and what are the implications? Is it a real fine? Is it a scary fine? Is it just the boogeyman coming for you?

Akhil: COPPA and its implications are very real. To put it into context, the last COPPA-related fine that's top of mind for everybody is going to be Epic Games. They’re the creators of Fortnite, and were fined $520 million. And then a refund payment was triggered by the FTC as part of the settlement, which was an additional $230 million. So this is very real, and it is business critical for everybody to understand it and to be compliant with it. 

Broadly speaking, PII is anything that can identify a human person. In this case, COPPA so far has dealt with users only up to the age of 13, preteen users. But the amendment before the House would expand the scope for COPPA to all users under 17. And that has significant impacts on how publishers and advertisers deal with the properties that they're advertising. On hosting ads particularly, because, you know, there's some amount of gray area sometimes. 

If you considered something to be child directed, but it also targets teenagers, you could get away with saying, hey, the majority of our audience was teens. This is not a great way to deal with COPPA compliance, but it is an approach that a lot of publishers have taken in the past.

That gray area significantly reduces once the teenagers, that is, users up to 16 also come within the copper web. 

Paul: So there's going to be a much bigger boat with many more people in it. But who has to worry about COPPA compliance? What kind of publisher and advertiser needs to worry about this? I know there's the obvious question of: is it kid directed? Are there cartoon characters? Who needs to worry about COPPA compliance to start?

Akhil: COPPA lays this out pretty clearly. COPPA says that it applies to kid directed products, which so far has meant products directed to users under 13. And the FTC has, over time, built what is called the totality of circumstances test, which is a broad analysis of who is targeted by a product:

  • Who the actual audience is 
  • What kind of merchandise is being sold offline
  • How different app stores list the product
  • The kinds of characters that are seen in the product

As the name suggests, this test uses the totality of circumstances to determine whether or not a particular product is child directed. If you are child-directed, COPPA applies to you.

But that is not to say that there aren't products that have children on them, but are not meant, but are not exclusively directed for children.That's the flip side to child directed products in the COPPA classification. If you're a general audience product. For example, the New York Times is meant for a general audience. Just because there also happen to be some children on it does not make it a child directed product.

Paul: If you've got a website or a tv show or you're a publisher and it's very clear that you are looking to appeal to kids with the totality of circumstances – cartoon-looking figures, you sell toys, etc. – you need to be aware of COPPA . 

Now, let's talk about PII. I always thought PII would be like cookies on the browser, a phone number, or an email. But PII is actually a lot more than that, right? What is personally identifiable?

Akhil: All sorts of persistent identifiers are personally identifiable. A child’s voice, images, videos. So any product that's collecting, even, say, an image of a child, perhaps as a display image for my user ID on an app, that amounts to collection of personally identifiable information. And in order to collect that and to be able to display it to third party users, you need verifiable parental consent.

Paul: There are definitely apps, and, I mean, there's kid stars out there. Sometimes these kids push their picture into a system that makes it look cartoon-like. That's still PII. So, what does consent look like for those parents?

Akhil: This is one of those situations where the difference between the COPPA rule and the COPPA law makes a big impact. The law in itself does not say that parental consent must be obtained in a specific manner. But the FTC came up with guidelines through the COPPA rule, where they gave examples of what verifiable parental consent could look like. 

Broadly, you have a consent language that's on screen. And at the same time, you must verify that the person who is granting that consent is a parent by either collecting an identity – like a government issued ID – or by tagging it with a payment.

That is, in fact the most commonly used form of parental consent, because the FTC recognizes that credit cards or online payment information is something that resides exclusively with adults. It’s understood that if you are making a payment, you are receiving some sort of a statement of that in your financials, and therefore you can be assessed as an adult. 

I do want to quickly plug in that we're seeing newer forms of parental consent as technology evolves as well. For example, we're now seeing video based consent where there are services that analyze spatial telemetry data to determine what is an estimated age of the person who is on screen. This is a form of parental consent that is still with the FTC for approval. So I wouldn't say that this is completely in the clear at the moment, but it is something that we expect to go through.

-- Article Continues Below --

New call-to-action

Review The Complete COPPA Resource Center

How Playwire and kidSAFE Approach COPPA Compliance

Paul: Ultimately, it's a very high bar, which is why I would say 99% of publishers out there choose, probably wisely, to simply not collect PII. They look to create a service that is kid-safe, that is kid-directed, and that creates value for kids in the ecosystem. That’s a lot of the partners we work with at Playwire. 

Let me start there. 

Noah, in your role as Playwire CXO, a big part of what you do is to vet partners to make sure we remain COPPA compliant, and ensure that the campaigns that we build and deploy on behalf of our advertisers are safe and effective. What do we do to ensure that we're deploying COPPA compliant campaigns for our partners?

Noah: We take this in several different trenches. We look at: 

  • the inventory itself,
  • the campaign setup,
  • the technology, and
  • the creative

First and foremost, Playwire works with trusted premium web and app publishers and streaming platforms (OTT and CTV publishers) who have great content and who take kids’  safety seriously. We're their premier and often exclusive sales team for COPPA,. And we work with them to ensure that the appropriate category blocks are in place, so that child directed ads only run on content that's deemed safe and appropriate for kids. 

Any and all sensitive categories are blocked, or aren't present on the platform in the first place. From a kid-safe campaigns perspective, all of Playwire's technologies are COPPA-compliant.

We also work closely with kidSAFE, and do thorough auditing. They do thorough auditing of us as well. 

For compliance, we disable all user data collection, interest-based ads, retargeting, etc. That's the technology layer. 

We can go in depth about campaign setup just a little bit. Playwire ensures that all deal IDs, tags, PMPs are checked and validated. In the case of programmatic private marketplace deals, we connect with our advertiser partners to kind of guide them to leverage DMPs with compliant technologies to ensure that campaigns can actually scale while reaching the kids audiences that they're looking for. 

And there are some steps we take beyond COPPA compliance. Good practices that we take with kids.

Paul: As marketers, as publishers of content, we have to hold ourselves to a higher standard. In addition to ensuring we're protecting our advertising and our publisher partners, at the same time, we have to ensure we’re thinking about the audience and the content they see. 

We develop 70% of all of the creative for our partners. What steps do we take to make sure, even if it's not the law, that we're developing content for our kids that makes sense?

Noah:  As you said, 70% of the kids' creative ad campaigns we run here at Playwire are made by Playwire Studios. That's Playwire's very own in-house creative team. Beyond the law, we also take steps to ensure that the ad content itself is safe and appropriate for kids. 

These are things like: 

  • Avoiding misleading messaging or product presentation
  • Making sure that disclosure and messaging are clear
  • Taking into account the audience’s level of language skills
  • Ensuring the message is clear to the child, where appropriate
  • Avoiding undue sales pressure and messaging
  • If there’s an industry rating that applies to the product, making sure it’s prominently displayed

We do this for all of our kid-focused creative. And even when we're not the ones making the creative. We look for this. We have a manual audit process in place.

Paul: Speaking of that audit, we're constantly working with partners who are new to the kids marketing space. That's some of the value we provide as experts with 17+ years doing this – letting them know that we're going to protect them. We're almost like an insurance policy. Which brings me to kidSAFE. I would love to hear about the organization, what you do specifically, and why you matter in the ad tech ecosystem.

Akhil: At kidSAFE, we wear two hats. The first hat is that of a consultant. As a product developer, we are your best friend to ensure that you're developing in a compliant manner in terms of privacy, security, as well as safety. We're going to consult with you on what best practices you should be following. 

Some of our members come to us right at the beginning of development, before they're even at the storyboarding stage, and we help develop a product from that stage onwards to launch and then beyond. 

And then there's others who come to us with an existing product, when there's changes in the law or when they just want to get compliant. 

The other hat we wear, even with Playwire, is that of a COPPA safe harbor. The FTC, as the regulator in this space, recognizes safe harbors  – and this is provided for in the COPPA law. This means that if we have audited you and certified you at a COPPA level and you hold our seal, you are protected from regulatory enforcement by the FTC for privacy issues.

In the case of any inadvertent issues that  arise, the regulator, which is the FTC, is going to come to us at kidSAFE for an explanation. And that can make a huge difference both in terms of the financial implications and publicity or unwanted attention for your brand..

Paul: The kidSAFE seal is a big deal; we go through a lot to get it. And I say it's like an insurance policy because when people see that seal, they know that Playwire is continually committed to kids' safety online. 

In addition to that, you mentioned that you guys are constantly auditing. Because you're putting your name out there. And I think it just speaks to the depth of safeguards that we have in place, with safe harbor, to make sure everyone's protected. 

And when I say everyone, it's all the stakeholders, it's certainly our advertising partners, it's the publishers who don't want to take on a $30,000 per-infraction charge. But again, it's the kids and making sure that we're protecting them online. 

What’s Next? The Future of COPPA and KOSPA

Paul: We talked about COPPA and its implications, what playwire does to help. We talked about kidSAFe, which is obviously arguably the most important cog in the wheel in the COPPA ecosystem. Let's talk about COPPA 2.0 and 3.0, and KOSPA. It's very likely to be something marketers and publishers have to think about. So let's talk about that. 

With KOSPA, the new amendment, it would go up to 16 years of age. And anybody who's got kids knows there's a big difference between a six year old and a 16 year old, or even between a nine and eleven year old. So are the exact same rules going to be applied to the older audience?

Akhil: No, they aren't. This is not law yet, so there may be changes to what comes out from the House once it does, and if it does. But the way the bill looks right now, users between the ages of 13 and 16 are going to be given the ability to consent on their own behalf. For kids, you need verifiable parental consent. But for these teenagers, they're going to be able to receive the notice and grant consent on their own behalf.

So we do see this playing out slightly differently than the way that the kids’ marketplaces, particularly for the advertising space, have played out so far. We could end up seeing a lot of publishers trying to get upfront consent from these teenage users to accept some amount of advertising – not just contextual advertising, which is what is currently allowed by COPPA. 

At the same time, there is currently a clause in KOSPA, which outright disallows retargeting of any minor, which includes users up to the age of 17. So the Senate's actually been smart about this. They preempted the fact that once you're going to allow the kids to consent for themselves, they're just going to be able to consent to retargeting more easily or fall prey to that sort of a tactic.

Paul: We kind of thought about the great cookie apocalypse of a few years ago, which was that people had to accept them. And that was quite easy. But it sounds like the bar is not going to be quite as high for teenagers as it is for kids. No parental consent required. But it won't just be “accept all,” correct? There will be some level of verification that you are a human being. And so it's not going to be easy. 

But I think your point about even those who do – a percentage certainly will consent to having their information and data used probably in exchange for services, not generally for more ads, if we're being honest – but it's still going to create a lot of problems for advertisers who have relied on data to reach that tween audience to date. 

Ultimately, it's going to become more arduous to use data to target tween audiences on the Internet or in app, which is probably going to change the complexion of how a lot of advertisers approach their markets – again, the difference between a 13 year old and a 23 year old. Massive difference. But it will become very difficult to use data to retarget between those audiences going forward. That's the output of KOSPA if it does become law of the land. 

Akhil: Yes, I would agree with that. And there is going to be an update to the COPPA rule, irrespective of whether it comes from the legislature or the FTC. What I alluded to earlier, the update to the COPPA rule that has been in the works since 2019? It's due, and it's definitely going to happen. 

At the moment, the rules don't deal with biometric identifiers. So facial telemetry, gait data analysis of voice samples, all of that is becoming a lot more relevant now given that there's been advancements in tech. Irrespective of where the updates come from, they're gonna come, and soon. 

So, yes, there is a question of whether or not COPPA gets expanded to users up to the age of 16. That is a change that can only come through a legislative enactment. But either way, the rules around COPPA are certainly going to be made more attuned to the kind of services that we are seeing online today. 

Because the last update was in 2013 when the Internet looked very different than what it looks like today.

Paul: Exactly. And I think, reading between the lines, there is a lot of collection and sharing of video online of teens and tweens. And the government is looking to get ahead of it – to understand how that information is used, how it should be used, and continue to think about it, like they did with COPPA. How do we protect our younger audiences? How do we make sure that this information is not used to reverse engineer their identity, to influence them, to persuade them in ways that probably are not proper? 

This will become a major topic in the next six to eight months. And the implications for marketers and publishers are significant. 

I wouldn't recommend waking up in six months and trying to adapt. Start future proofing your business and start thinking about how you're going to adapt, and how to ensure that content created for younger audiences really passes the sniff test of who we are as a society and a culture here in the US.

Before I send it off, Akhil, was there anything else that you wanted to add? Any parting thoughts?

Akhil: I do want to echo what you said. These changes are relevant to both the supply and demand side in the advertising space. If you're somebody who has a product where you're allowing advertising to kids, you need to start thinking about who your audience is right now and the kinds of consents that you need to get in place to continue to be able to monetize your product at the same time, advertisers. At the end of the day, a provider like Playwire is a mediator, right?

You could do advertising in a DIY manner, but there is so much that's changing in the law that is evolving very quickly in these last six months – not just with state amendments, but also in the federal space right now. It certainly does help to have either safe harbor protection if you're a publisher, or the protection of somebody like Playwire who's developing these creatives for you.

Noah: I couldn't have said it better myself. I encourage any brand who's interested in reaching kids’ audiences safely and compliantly to reach out. Let us tell you more about why you should be working with Playwire.

New call-to-action