Lawyers and regulators agree: Err on the side of caution when collecting underage children's data.

Although the Children's Online Privacy Protection Act is currently the only U.S. law specifically addressing the collection of children's personally identifiable information for marketing purposes, data privacy regulations that extend identical protections to children and adults are spreading.

The greater focus on children's data regulation comes after the Federal Trade Commission allegedly opened an investigation into YouTube over its practice of collecting children's data, and Amazon was hit with a plaintiffs class action alleging its Echo Dot Kid's device illegally records children without prior parental consent.

Odia Kagan, a Fox Rothschild partner and chair of its General Data Protection Regulation compliance and international privacy group, said beyond the U.S., international regulators are loudly proclaiming children's privacy to be a top concern.

Kagan highlighted that France's data authority, the National Commission of Computing and Freedoms, listed in its annual activity report minors' data as one of its top two concerns for 2019. Likewise, Ireland's Data Protection Commission assembled a campaign targeting children and their parents to better understand youngsters' data privacy rights.

In the European Union, the GDPR extends to children, requiring companies collecting and processing their data to follow extra requirements. 

Kagan explained that these requirements include parental consent for collection and clear data collection notices. Plus, companies will have to deploy a data protection impact assessment whenever a child's data is processed. These assessments are normally required for data processing likely to result in a high risk to individuals.

A DPIA describes the nature, scope, context and purpose of the processing; assess necessity and compliance measures; identifies and assess risk to individuals and other risk measurements, according to the U.K.'s Information Commissioner's Office.

Those specifications make collecting children's data a highly watched endeavor by EU regulators, Kagan said. “For kids whenever possible, don't [collect the data] unless you really need it.”

Bob Braun of Jeffer Mangels Butler & Mitchell echoed that advice. With underage U.S. children, which COPPA defines as someone 13 or younger, and minors younger than 18, he said “to be doubly careful” when collecting their data and “err on the side of requesting parental consent.”

While COPPA  was enacted by Congress in 1998, Braun said the upcoming California Consumer Privacy Act's parental consent requirements will force more companies to “wake up” to the challenges of collecting parental consent.

“How they collect and store data, how it gets in and out of the company, figuring that out is necessary to know how you get consent,” he said.

Still, while companies look for a parental consent solutions, Braun noted the CCPA also provides a straightforward approach to a data subject's ability to prevent the transfer or selling of data after the original collector files bankruptcy or dissolves.

Under the CCPA, while the individual couldn't dictate how a company uses the data internally, they can prevent the selling or transferring of their data externally. Without the CCPA's protections, the privacy permissions of an acquiring company would apply, Braun said.

Outside of California's CCPA, if a defunct or bankrupt company had no privacy contract between data sellers, the circumstances to sell the data would still have to be reviewed to ensure it doesn't violate bankruptcy law, he said.