Legislators struggle to regulate children’s data online.
Almost a decade before the release of the first iPhone, Congress passed what now remains the only federal law regulating the collection of children’s data on the internet.
Although the Children’s Online Privacy Protection Act of 1998 (COPPA) imposes a set of specific requirements on certain websites, these requirements have struggled to keep pace with the rapid development of social media and internet culture since the turn of the century. In response, bipartisan groups of lawmakers have recently started pushing for passage of new legislation to protect children’s data online.
COPPA’s substantive protections include restrictions on the types of online marketing that can be targeted toward children and requirements that website operators post a privacy policy whenever data are being collected. COPPA also necessitates that websites obtain verifiable parental consent for the collection and use of any children’s data.
COPPA does not, however, explicitly outline how parental consent for the collection of children’s personal information can or should be obtained. To address this gap, the Federal Trade Commission, the regulating body for COPPA, published guidance in 2013 suggesting that websites should clearly display downloadable consent forms and require parents to use credit cards or government-issued identification to authenticate their age and identity.
Despite these efforts to clarify and bolster existing protections, some experts contend that COPPA provides only limited protection. Katharina Kopp, the Director of Policy for the Center for Digital Democracy, reportedly notes that COPPA leaves children to be “unscrupulously exploited and taken advantage of by pervasive data-driven digital marketing and entertainment systems.”
“Exploitative data practices” and “predatory marketing tactics” have disproportionately targeted Black children, argues Jade Magnus Ogunnaike of the racial justice advocacy group, Color of Change, further alleging that Facebook, for example, knowingly advertised harmful products, including diet pills and alcohol, to such children. She suggests that new regulations are needed to prohibit the use of targeted advertisements based on race or socioeconomic status.
Federal regulations established under COPPA are also limited in that they apply only to websites and online services that are either directed toward children under the age of 13 or that knowingly collect data from such children. This leaves older children and teens without relevant federal protections, even though they may be at greater risk of data exploitation given the heightened use of the internet by this age demographic.
Over 90 percent of American parents currently believe that existing privacy rules should be extended to include teenagers as well as younger children.
Facing strong public support for protecting children’s interests online more effectively, lawmakers have proposed a pair of bipartisan bills. The first bill, the Children and Teens’ Online Privacy Protection Act, would directly expand COPPA’s existing protections to all children up to the age of 16. The bill would also create an online “eraser button” rule, by which companies would be required to allow users to delete personal information collected from children and teens.
The second bill, the Kids Online Safety Act (KOSA), would require website operators to establish safeguards to protect children’s data and create new tools to enable parents to monitor their children’s online presence. The bill would also mandate the disclosure of datasets and other “black box algorithms” to advance research on the safety and well-being of minors online.
Despite the sponsoring lawmakers’ concerted efforts to include both pieces of legislation in the fiscal year 2023 funding plan, the plan’s final text excluded both bills. The lawmakers have tended to blame the technology industry’s lobbying prowess for the bills’ failures. Senator Richard Blumenthal, one of the legislators behind KOSA, tweeted that “Big Tech’s behemoth sway stymied our efforts” through “millions of dollars spent on misinformation defending corporate greed.”
But the bills also faced opposition outside of the Big Tech industry, with an assortment of human rights advocacy groups, including the Center for Democracy & Technology and the American Civil Liberties Union, contending that KOSA would ultimately endanger children’s safety, despite the stated intentions of the legislation.
A letter signed by over 90 advocacy organizations declared that KOSA would be weaponized by political actors to “over-moderate” vulnerable young people’s access to critical resources concerning reproductive healthcare, abortion, sex education, LGBT support, mental health services, and more. The letter also expressed alarm that KOSA would over-burden schools’ ability to use education technology to improve students’ learning experiences.
Self-described right-leaning organizations have published additional concerns unaddressed in the letter. The Director of Technology and Innovation Policy at the American Action Forum, for example, described KOSA as posing potential problems for free speech online.
In the future, Congress may be likely to take up one or both of the two bills for reconsideration, especially as new reports continue to reveal the dangers of children’s internet usage. But passing legislation that updates federal regulations governing children’s online data will not be easy given competing concerns over highly contentious issues, including free speech, content moderation, and child safety.
