How New Child Data Privacy Protections Could Impact Financial Institutions

Known as one of the largest generations in human history, Generation Z accounts for approximately 2.47 billion people across the world. Along with that great size comes great influence – or $360 billion of spending power in 2021 to be exact. 


Due to its sheer size and spending power, this digitally native generation has initiated a significant shift in the finance industry, making the use of payment apps and mobile wallets mainstream. However, financial institutions looking to reach this younger demographic face a complex and ever-evolving regulatory landscape designed to protect children’s data. While regulations like the Children’s Online Privacy Protection Act (COPPA), General Data Protection Regulation (GDPR), and the Kids Online Safety Act (KOSA) are critical to protect children’s privacy, they can be overwhelming for banks and credit unions to keep up with. 


REGO’s Rick Lane – along with financial experts Will Furrer from Q2, Tristan Green from Cornerstone Advisors, and Syd Terry from the U.S. House of Representatives – recently led an American Banker webinar to identify changes in the U.S. legislature and how they might impact the future of finance. 


Strengthened Protection For Minors

Thanks to the surge of mainstream apps like CashApp and Venmo, we’re quickly moving toward a cashless society, putting security and privacy at the forefront of lawmakers’ minds. This is especially true when it comes to securing children’s data and privacy online. Many apps for younger generations simply target kids 13 years or older to maintain COPPA compliance, but some lawmakers wonder if 13 is still too young. With that in mind, children’s privacy laws are among the most pressing issues on Capitol Hill, and lawmakers have proposed a bill known as “COPPA 2.0.” This bill will strengthen the regulations for data collection and the protection of minors introduced by COPPA, including increasing the restricted age limit under COPPA from under 13 to 16 years old. COPPA 2.0 will also introduce a youth and marketing division at the FTC to crack down on the prevalent use of minors’ data within marketing practices.


To prepare for this change, financial institutions and fintech companies will need to transition their websites and apps to comply with COPPA regulations, or partner with vendors who have these compliance measures already built in. These businesses will also have to produce disclaimers and acknowledgements of how they’re using consumer data. 


Data Minimization 

The majority of Americans feel in the dark about the way their data is collected and secured. In fact, 81% believe they have little or no control over their personal data once it’s shared. To avoid losing their customers’ trust, banks and credit unions should not rely solely on a notice-and-consent approach, where customers have little to no choice in how their personal data is managed, but should also incorporate a data minimization strategy.


In a data minimization strategy, financial institutions determine what data is needed to create efficient and meaningful experiences for account holders – then, they only use the data necessary and disregard the rest. For example, when families use a REGO family digital wallet, banks would collect and use transactional data (e.g., purchases, deposits) to enhance the app experience, rather than using both personal and transactional data to serve the family ads for non-beneficial services or products associated with non-financial affiliates. Lawmakers hope to regulate this approach through the Gramm-Leach-Bliley Act and COPPA. 


The Risk for Banks and Credit Unions

Banks and credit unions that don’t abide by stronger regulation or shift to a data minimization scheme will face harsher punishments and risks under these new regulations, should they get approved. While COPPA compliance is nothing new for financial institutions, COPPA 2.0 will require stricter compliance and certification, leading to fines up to $52,120 per violation. Violations of these regulations include:


– Not posting a clear, comprehensive privacy policy on your website or in your app

– Failing to provide direct notice to parents and obtain verifiable parental consent

– Not providing parents a choice of consenting to the collection of information

– Preventing parents from accessing and reviewing kids’ accounts

– Failing to prohibit the operator from sharing collected data with third parties unless disclosure is integral to the site or service


Financial institutions hoping to capitalize on white space in the youth mobile payments industry must plan to prioritize children’s data and privacy protections to avoid heavy fines or punishments. 


Fortunately, they don’t have to do it alone. By partnering with family digital wallet solutions that are certified COPPA and GDPR compliant, financial institutions can build relationships with young customers without putting their business at risk. 

To learn more, watch REGO and American Banker’s webinar, “How New Child Protections Could Impact Financial Institutions,” on demand today or schedule a demo with the REGO team.