With children spending more time online than ever, parents are not the only ones taking a careful interest in their kids’ privacy. More than 25 years after the passage of the Children’s Online Privacy Protection Act (COPPA), the federal government has taken a significant step toward demonstrating that children’s privacy and online safety are a priority. In a bipartisan vote of 91 to 3, the U.S. Senate recently passed two bills aimed at protecting youth online: the Children and Teens’ Online Privacy Protection Act (aka COPPA 2.0) and the Kids Online Safety Act (KOSA).
The bills are in line with a growing trend to create greater protections specifically for children’s and teens’ privacy, both in the U.S. and internationally. For example, U.S. states such as California and Maryland have passed legislation regulating the privacy of minors. In Europe, the EU’s Digital Services Act[1] and the UK’s Online Safety Act[2], which became effective last year, enhance online protections for individuals under the age of 18. The Singapore DPA also recently published guidelines for companies to follow when processing data of individuals below 21.
We recommend that businesses closely monitor legislative developments and anticipate whether any products or services may trigger obligations under KOSA and COPPA 2.0 should the bills pass in the House. Further, regardless of whether federal legislation succeeds in the coming years, the increased legislative and regulatory focus on children’s online safety calls for implementation of a privacy-by-design approach that should be inherent in all development and operational activities that impact minors.
Key features of COPPA 2.0 and KOSA are summarized below:
The Children and Teens’ Online Privacy Protection Act (COPPA 2.0)
COPPA 2.0 amends COPPA to extend existing protections and place stricter controls on the online collection, use, and disclosure of personal information.
- Scope of Entities Covered: COPPA 2.0 applies not only to websites and online services, but also to online applications, mobile applications, and connected devices. It also broadens the definition of covered services to include services that are “used or reasonably likely to be used by children or teens” in addition to services directed to children and teens, and the law removes from its scope entities that have “actual knowledge” of having collected data from children, found in the existing version of COPPA.
- Age of Protection: COPPA 2.0 expands certain existing COPPA protections to teens, defined as individuals over the age of 12 and under the age of 17.
- Verifiable Consent: The bill maintains the requirement to obtain verifiable consent from parents to collect data from children under 13, but would allow covered businesses to obtain consent from teens themselves – instead of from their parents – before collecting their information.
- Prohibition on Targeted Marketing: COPPA 2.0 makes it unlawful to collect, use, or disclose to third parties, personal information collected from children and teens for targeted advertising purposes. The original version of COPPA does not include such a prohibition.
- Right to Erasure: The bill introduces the right for children and teens to request the deletion of content that has been submitted to the service, made publicly available through the service, and that contains or displays their personal information.
- Fair Information Practices: Covered businesses must adhere to principles such as data minimization, purpose specification, data quality, and transparency.
- Digital Marketing Bill of Rights for Teens: COPPA 2.0 establishes a digital marketing bill of rights for minors, requiring businesses to comply with these rights as a condition to collecting personal information from children and teens.
- FTC Mandates: The bill requires the FTC to submit a report regarding mobile and online applications’ compliance with the act. COPPA 2.0 would also establish a Youth Marketing and Privacy Division at the FTC.
The Kids Online Safety Act (KOSA)
KOSA creates new obligations for companies to mitigate potential harms to minors online. KOSA was a legislative response to concerns that certain online services had a negative impact on teenagers. The act aims to prevent online harms by placing more responsibility on platforms to ensure children’s Internet safety.
- Scope of Entities Covered: KOSA applies to all online services, including nonprofits, regardless of size, that are “reasonably likely to be used” by a minor under the age of 17.
- Duty of Care: Online platforms must “take reasonable measures in the design and operation of any product, service, or feature” to prevent and mitigate harms such as cyberbullying, sexual exploitation, and addictive behaviors.
- Safeguards for Minors: Online platforms are required to provide minors with tools to control their online experience, including the ability to restrict others from communicating with them on the platform, limit third parties from viewing their personal data, opt out of personalized recommendation systems, and restrict the sharing of their geolocation data. KOSA requires that platforms enable restrictive privacy settings for minors by default. Minors must also be provided with the option to utilize time management tools and to delete their accounts and any personal data collected by the platform.
- Parental Control: KOSA requires that platforms offer “easy-to-use” tools for parents to control their children’s account settings and privacy safeguards, restrict purchases and financial transactions, and monitor the online activity of their children. Platforms would also be required to provide parents and minors with the ability to submit reports of harms to minors and to establish internal procedures for responding to such reports in a reasonable and timely manner.
- Notice & Consent: Platforms must provide conspicuous notice of their policies and procedures with respect to their collection and use of minors’ personal data, how minors and parents can access safeguards and tools, and whether the platforms make personalized recommendation systems available that pose a heightened risk of harm to minors. For minors under the age of 13, KOSA further requires that platforms provide additional information to parents and obtain verifiable parental consent for the collection of data pursuant to COPPA.
- For platforms that use algorithmic recommendation systems, additional disclosures would be required, including how the system is used by the platform and how it processes minors’ personal data, and how parents and minors can opt out.
- Advertising Disclosures: Platforms that engage in advertising to minors must provide information and labels regarding the products being advertised, provide information on why the ads are directed to specific minors, and identify if particular content is an advertisement.
- Transparency Reports: KOSA mandates annual, independent third-party audits of the platform’s operations, detailing foreseeable risks of harms to minors and the platform’s efforts to prevent and mitigate such risks.
- Independent Research: The bill requires the FTC to work with the National Academy of Sciences to conduct independent research into the effects of online platforms on minors’ mental health and safety. It also sets guidelines for platforms conducting their own market research involving minors.
Like COPPA and COPPA 2.0, KOSA would be enforced by the FTC and state attorneys general, with significant penalties for non-compliance.
What’s Next
The bills have not been scheduled for a vote in the House and their chances for success are uncertain. Importantly, KOSA has drawn extensive criticism due to potential constitutional challenges, namely that, because the bill regulates content (e.g., limiting minors’ access to “harmful” speech), the legislation potentially violates the 1st Amendment. To a lesser extent, critics also argue that COPPA 2.0 presents constitutional susceptibilities that are similar to the ones in KOSA. Other criticism of the bills includes arguments that they will increase compliance costs and will likely lead to even more data collection as many services may utilize age-verification technology to comply with the laws or to restrict children’s access to their services. As both bills face an uphill climb in the House, the likelihood that KOSA and COPPA 2.0 will be enacted remains unclear, but the Senate’s overwhelming support signals that lawmakers will remain focused on children’s privacy and online safety.
[1] See MoFo client alert for additional details about the Digital Services Act.
[2] See MoFo client alert for more information about the Online Safety Act.