USA Law and Practice Contributed by: Katelyn Patton, Frankfurt Kurnit Klein & Selz
• not conditioning a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity. A court can order civil penalties of up to USD53,088 per violation of COPPA. The amount may turn on sev - eral factors, including the egregiousness of the viola - tion, any previous violations, the number of children involved, the amount and type of personal information collected, and the size of the company. In January 2025, the FTC finalised updates to COP - PA regulations applicable to advertising. Changes include: • requiring separate parental consent for the dis - closure of children’s personal information to third parties; • narrowing exceptions to the parental consent requirement for internal operations, including con - version, measurement, and detecting fraud; and • permitting marketing materials as evidence of whether a site is directed at children. In September 2022, California enacted the Age-Appro - priate Design Code Act (AADC), which took effect in July 2024. The California AADC is a landmark privacy bill modelled on the UK’s Age-Appropriate Design Code Act that imposes certain requirements in relation to children’s data privacy. The California AADC applies broadly to businesses that provide online products and services that are “likely to be accessed” by a child. The California AADC was challenged by internet trade association NetChoice on constitutional grounds. In August 2024, the Ninth Circuit struck down the Cali - fornia AADC’s Data Protection Impact Assessment requirement as likely violating the First Amendment and remanded other provisions for further review. In March 2025, a district court broadened the injunc - tion to block enforcement of the entire law, and the California Attorney General appealed the decision the following month. As of September 2025, the AADC remains unenforceable while litigation continues, leav - ing its ultimate fate uncertain. Other states, including Maryland, Vermont and Nebraska, have passed their own versions of the
AADC ‒ often with narrowed Data Protection Impact Assessment obligations, modified express age esti - mation mandates, and restrictions on processing per - sonal data not reasonably necessary to provide an online product with which the child is “actively and knowingly engaged”. Businesses are also prohibited from collecting, sell - ing, sharing or retaining a child’s personal information where such data practices are not necessary for the online service or product. The prohibition on selling and sharing personal information may restrict the use of children’s personal information for the purpose of targeted advertising. Some states, including Califor - nia, have expanded the definition of “child” in these contexts to include teens up to the age of 17. 6.6 Other Rules Washington State enacted the Washington “My Health, My Data” Act, which took effect in March 2024. The “My Health, My Data” Act imposes sig - nificant restrictions on the use of “consumer health data” – defined broadly to include information that identifies a consumer’s past, present or future physi - cal or mental health status – by all entities (includ - ing non-profits) that do business in or directed at the state. Among other requirements, the “My Health, My Data” Act requires that any regulated entities maintain consumer health data privacy policies, obtain consent from consumers before collecting consumer health data, and obtain written authorisation from consum - ers before selling or offering to sell consumer health data (including in the context of targeted advertising). Similar laws have been enacted in Nevada and the District of Columbia. Given the difficulties of scal - ing the authorisation requirements to consumers of online businesses and the presence of a private right of action for violations of the law, these laws are likely to – in effect – completely or near-completely end the use of consumer health data for the purpose of tar - geted advertising. The FTC has further limited the use of consumer health data through regulation. In July 2024, amendments to the Health Breach Notification Rule took effect that expanded the definition of “breach of security” to now include any “unauthorised disclosure” of unsecured personal health records by health apps and similar
332 CHAMBERS.COM
Powered by FlippingBook