CISR Proposes Teenage Privacy Program

CISR Proposes Teenage Privacy Program

Blog WilmerHale Privacy and Cybersecurity Law

On April 19, 2022, the Center for Industry Self-Regulation (CISR), a nonprofit foundation of BBB National Programs, introduced the TeenAge Privacy Program (TAPP), an emerging initiative that sets out to help companies develop a teen-centric approach to consumer privacy relating to teen online activity. The TAPP Roadmap for Considering Teen Privacy & Safety (the “Roadmap”) endeavors to help businesses develop products that consider teen privacy, consumption, and safety and mitigate the potential harms associated with teen privacy. For purposes of the Roadmap, teens are defined as consumers aged 13 to 17.

The CISR’s new teenage privacy framework is the latest example of how children’s online privacy is becoming an area of priority for privacy law. The California Consumer Privacy Act and the California Privacy Rights Act create specific obligations for businesses that process the personal information of children under the age of 16. Businesses that have previously operated in a largely unregulated space for children over the age of 13 now have to evaluate how these new laws and industry standards apply to their business. And, of course, the FTC has authority to enforce the Children’s Online Privacy Protection Act for children under the age of 13 and has been active on this issue.

Below are eight selected highlights from the Roadmap that businesses should consider concerning data privacy when designing teen-centric applications, products or services or when processing teen data:

  1. User Interface.
    • Develop a user interface that focuses on usability and creates both a user-friendly and age-appropriate experience so that teens and parents alike can easily navigate to privacy settings within the interface; and
    • Set the product’s or applications’ default settings such that data collection will be minimized. Collect only what is necessary for the delivery of the product.
  2. Advertising.
    • Before engaging in behavioral advertising, obtain opt-in consents from your users;
    • At the time of obtaining consent, provide notice to such users that the targeted ads are based on information collected from teen users and that the information collected may be shown across the different sites or devices the teen uses;
    • Do not base targeting content on a single criterion such as weight, body odor or hair loss that could be especially sensitive to teens, or that could amplify existing insecurities; and
    • Provide users with visibility to the information collected and how it is used to target teen consumers with ads. Teen users should be able to understand why they are seeing the ads that they are seeing.
  3. User-Generated Content.
    • For content that is user-generated, include user friendly flags allowing users to report harmful or illegal content;
    • Provide options to block, mute or pause other users, filter keywords and limit the number of visits to the teens’ own content;
    • Allow teens to remove unwanted reactions to their own content, including tagging by others; and
    • Give teens control over which users can contact them directly, in cases where direct messaging is enabled.
  4. Content Moderation.
    • Consider using community policy (or crowd-based) enforcement such as moderators;
    • Implement algorithmic content monitoring and allow for the suspension of harmful content automatically;
    • Remove or suspend users engaging in harmful conduct;
    • Ban prevented users from opening new accounts; and
    • Monitor for new detection avoidance behaviors, such as intentional misspelling (e.g., replacing letters with numbers) or other “code” words.
  5. Consent.
    • Implement clear disclosures when data collection exceeds what is necessary and include affirmative opt-in consents whenever possible.
  6. Location Data.
    • Disable geolocation data collection by default;
    • In the event that location data is collected, limit the collection of precise geolocation data collection and collect such information for the disclosed purpose only; and
    • Provide opt-in disclosures and serve reminders to the user that precise geolocation is being collected.
  7. Retention.
    • Consider shortening retention periods of teen personal information;
    • Consider also whether maintaining or storing teen information for an extended period of time would potentially result in bias or harm; and
    • Give teens control over their digital footprint providing easy-to-use mechanisms to delete their data.
  8. Sharing of Teen Data.
    • Empower teen users to stop sharing data when it is not essential for the product.

More from this series