The "Online Eraser" law

The "Online Eraser" law

Starting January 1, 2015, California's brand new "Online Eraser" took effect.

The "Online Eraser" law allows minors (under 18 years of age) in California to take down content or information that they posted themselves as registered users on a website, online service, online application or mobile application (collectively known as online service).

This means that you, as operator of a website or mobile application, have to provide a mechanism for minors to remove the content or information that they have posted on your service.

If your websites or mobile apps are directed towards minors, it's time to update your Privacy Policy agreement to comply with the "Online Eraser".

The law also imposes advertising and marketing restrictions on website and mobile apps owners directed to minors or operated with actual knowledge that minors are using the service.

Products and services that are not allowed to be purchased by minors by law cannot be marketed or advertised to them. Examples of these kind of products:

  • Alcohol
  • Firearms
  • Gambling
  • Tobacco products
  • Ultraviolet tanning services
  • And more

Content eraser (Senate Bill 568) was signed into law on September 23, 2013, through the efforts of California Governor Jeremy Brown.

How does Online Eraser law affect you

As an operator of a website or mobile app, the new "Online Eraser" law will affect you under these 2 circumstances:

  1. If your service is directed to minors
  2. You have actual knowledge that a minor is using your website or application

Directed to minors is defined by the statute as "created for the purpose of reaching an audience that is predominantly comprised of minors, and is not intended for a more general audience comprised of adults."

However, your website or mobile app is not directed to minors purely because you link or refer to another service that is directed to minors.

Business owners can become aware of user age if they are voluntarily disclosed by the user, or if their website or mobile apps collect birth dates for birthday-related promotions or to screen users before sign up.

Website and mobiles app that do not allow minors to post content or information in the first place are not covered by the law.

Logo of Yelp

Yelp previously got in trouble with the Children's Online Privacy Protection Act (or COPPA) for failing to block users in California who are below 13 years of age.

But how was Yelp supposed to know if it had users below 13? The website collected birth dates from users before sign up so it would have been easy to identify underaged users.

On the bright side, Yelp can now easily notify users between 13 to 17 years of age about the "Online Eraser" mechanism by employing the same method it used to comply with COPPA.

Exemptions

A business has the right to uphold content under the following circumstances:

  1. Content is required to be maintained by federal or state law.
  2. Minor was paid for the content posted.
  3. Content or information was stored, republished or reposted by third party.
  4. Minor does not follow proper instruction on how to request the removal of content.
  5. Operator anonymizes content or info posted by minor so they cannot be individually identified.

Ambiguities

It's possible for a portion of a website or mobile to be directed to minors if it satisfies the 2 criteria cited above regardless if other parts of the service are geared towards adults.

However, the statute does not clarify on what it means to "reach an audience predominantly of minors" or how to consider the operator's deliberate intent to reach a general audience of adults.

The "Online Eraser" law states that "directed to minors" means "created for the purpose of reaching an audience that is predominantly comprised of minors, and is not intended for a more general audience comprised of adults."

And then it contradicts itself by saying service "shall not be deemed to be directed at minors solely because it refers or links to an Internet Web site, online service, online application, or mobile application directed to minors using information location tools, including a directory, index, reference, pointer, or hypertext link."

The statute also fails to clarify who is considered "a registered user". It also doesn't specify if the removal right continues to be applicable when material was originally posted by a minor who is now 18 years or older, and if the minor no longer resides in the state of California.

Remember, if you collect personally identifiable information (PII) from your users, you should consider:

  • If you have users that are 13 years old, block these users or comply with COPPA
  • If you have users that are between 13 and 17 years old, notify these users about the Online Eraser law

How to comply with Online Eraser law

This law applies to your website/mobile app if:

  1. The website or mobile app is directed towards minors, or
  2. The website or mobile app is used by minors and you have actual knowledge of this

Minors are defined for purposes of the Eraser Law as anyone under the age of 18 who resides in California.

It doesn't matter whether your website or mobile app is based or located in California. Simply having minors from California use your website or mobile app makes this law apply to you. You should assume that minors from California will be using your website or mobile app due to the limitless location possibilities of people using the internet.

This law is an amendment to CalOPPA, which is California's state-specific version of the Children's Online Privacy Protection Act ("COPPA"), and has two main directives:

  1. Any minor in the state of California now has the right to request that any information or content that the minor has posted on a website or mobile app be removed
  2. New advertising restrictions are put in place for websites and mobile apps

Step 1 - Removing information

To comply with the first directive, the following must be done by all websites and mobile apps that deal with California minors:

  1. Provide notice to registered minors about the Eraser Law.

    When users register to use your website or mobile app, put something in place so you'll know if a user is a minor. Ask for a birthday, or make a user check a box that verifies that the user is 18 years of age or older.

    Verification: Enter Your Birthday

    When minor registers to use your website or mobile app, send notice to the minor about the existence of the Eraser Law and that your website or mobile app is abiding by this law. A good way to send notice is to send an email directly to the email address the minor uses to register to use your website or mobile app.

    Provide information in the body of the email, and also provide a link to your Privacy Policy agreement where further details about rights of minors and general privacy information can be accessed by the minor.

  2. Provide clear and thorough instructions to minors about the information removal process.

    When you provide notice to the registered minor about the existence of the Eraser law, you should also include detailed step-by-step information on how the minor can request to have information or content removed or how the minor can remove this information or content herself.

    This information about your removal process should also be made available in your Privacy Policy.

  3. Provide actual means for information posted by minors to be removed or anonymized.

    You can't just say you'll remove the information or content. You need a game plan and a system put in place. Remember to consider your interactions and Terms of Service agreement with any third parties who may be affected by the removal of information or content or who may have to play a role in the removal.

    Note that instead of removing information or content, you can instead anonymize it so that absolutely no identifiable information is visible that will connect the minor with the content.

    You are also not required to permanently delete the information from your servers or systems. The information simply must just be not visible or identifiable to the public or anyone viewing or using the website or mobile app.

  4. Provide notice that removal may not actually remove everything.

    All you can do is remove the content from your website or mobile app. If someone has a screenshot of the information when it was posted, or if a million people had already seen the content, there is nothing you can do about this.

    Make it clear to minors using your website or service that they should be cautious when posting any information or content because the Eraser law isn't a full fix, and damage may already be done by the time the content is removed. Encourage minors to think twice before posting anything that may later be regretted.

Exceptions

There are a few exceptions to the requirement of removing information posted by a minor. An operator of a website or mobile app is not required to remove content or information posted by a minor in the following circumstances:

  1. If any federal or state laws are in place that requires the maintaining of the posted content or information
  2. If the minor did not actually post the content himself
  3. If there is absolutely no way that the minor who posted content can be identified due to anonymization techniques in place on the website or mobile app
  4. If the minor does not correctly follow the instructions provided for how to request material be removed
  5. If the minor had been compensated financially or received any other benefit or consideration for posting the content or information that is now being requested to be removed

Step 2 - Update Privacy Policy

Put a specific section for minors in your Privacy Policy agreement. You can make this section easily noticeable by giving it a separate header section that lets minors know that section applies to them.

That's where you can include all of the information you provided in the notice to the minors, including how to request content be removed, and what exactly the Eraser law means.

Below is an example of how Facebook separates information for minors into its own easy to notice section within the main Privacy Policy.

Facebook Minors Privacy Policy

Step 3 - Restrict advertising

If your website or mobile app is directed towards minors, or if your website or mobile app is used by minors and you have actual knowledge of this, new prohibitions on advertising are now in place.

Products that cannot legally be purchased by minors cannot be advertised or marketed on such websites or mobile apps.

Examples of such products include alcoholic beverages, firearms, and ammunition, tattoos, tanning beds, tobacco products, lottery tickets, drug paraphernalia, dietary supplements that contain ephedrine, aerosol paint containers, or obscene matter such as pornography.

The products can be sold on the site, but they cannot be used in marketing or advertising that is primarily an advertisement to promote such products or services. Having a section of your site that sells alcohol is ok, but having banner ads promoting drinking beer on a site that sell books is not ok.

Websites and mobile apps, as well as third-party services, are not allowed to collect data from minors for use in custom advertising for any of those products or services.

Restrictions for third-parties

Third parties must also comply with this advertising limitation once notice is given to them that a website or mobile app they advertise on is directed towards minors.

Give notice in writing to any third parties who advertise on your site.

Summary

These are the steps:

  1. Update your Privacy Policy agreement and give notice.

    Update your legal agreement to include information for minors.

    Let minors know that they can have their content deleted or anonymized. Give them clear and thorough instructions on how to request this be done or how they can do it themselves. Remind minors that while information can be removed, it may not be possible to completely remove the information and that there still may be unwanted effects.

  2. Have a method of execution

    Decide how your business, website, or mobile app will work internally when a removal request is received.

    Decide if you will delete or anonymize data. Will you remove the data from everywhere (such as your storage servers, etc.), or only where it is viewable by the public? Who on your team, or which department, will be responsible for handling these removal requests and verifying they have been completed?

  3. Alert third parties.

    If you work with third parties who provide services or do advertising on your website or mobile app, let them know in writing that your website or mobile app is either directed towards minors or that you know that minors are registered on and using your website or mobile app.

    This will ensure that the third parties are put on notice that they must follow certain advertising requirements and gives you legal recourse if a third party violates a privacy law directed towards minors through your website or mobile app.

  4. Make an effort.

    If you even think that minors may be on your website or mobile app, or using your services, follow the steps in this article to update your Privacy Policy with a section for minors, and restrict any advertising done by you or a third party to products and services not illegal for minors to purchase.

    Making an effort to keep your site safe for any minors who may use it is a great way to stay compliant if you aren't certain about who uses your site.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.