For more than 25 years, children in the U.S. have been shielded by the Children's Online Privacy Protection Act. Over time, COPPA has been modernized by cycles of regulations from the U.S. Federal Trade Commission, which this year proposed another update to its COPPA Rule.
The result is a complex framework of protections and restrictions around children’s data, curated over time to meet kids' evolving privacy needs in the connected world. But gaps have remained. Not only do family advocates agree on this point, but so does the FTC. At various points in its history, including in its most recent proposed rule, the agency has lamented its inability to adjust COPPA beyond the bounds of the original law.
One such boundary is the scope of protected ages under the law.
For years, policymakers have talked about raising the age of COPPA in some manner to provide protections for teens as well as children. At the same time, privacy best practices for teens have been evolving through industry action and international regulations, like the U.K.'s groundbreaking Children's Code.
The FTC has made clear that teens are a top priority for the agency, deploying all its policy and enforcement tools to respond to the unique privacy challenges of this demographic. In targeted enforcement actions, like the consent order against Epic Games, the FTC has worked to shape norms around teen privacy and advertising.
In workshops and staff guidance, like last year's Protecting Kids from Stealth Advertising in Digital Media, the agency has driven the point home. And in its Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security, the FTC included numerous questions about the privacy and health of kids and teens in the modern digital world. The next step in this rulemaking process is expected soon.
Of course, policymakers have also been working to modernize online protections for kids and teens. At the state level, the wave of age-appropriate design codes, first started by California's currently enjoined law, has continued this year with a dizzying area of new proposals. Most recently, Maryland passed its own version of an AADC.
Meanwhile, leaders in Congress have never stopped proposing and refining policies for teen privacy. Sen. Ed Markey, D-Mass., sponsor of the original COPPA, has led the charge for teen privacy with his Children and Teen's Online Privacy Protection Act, which also includes tweaks to COPPA's protections for kids. The bill has become known colloquially as COPPA 2.0.
After years of discussion, COPPA 2.0 gained serious momentum on Capitol Hill this term. Last summer, the bill advanced unanimously out of the Senate Commerce, Science and Transportation Committee, meaning it could be considered by the full Senate at any time.
It now features 15 total co-sponsors in the Senate, including three Republicans. Last month, a companion bill was finally introduced in the House by Reps. Kathy Castor, D-Fla., and Tim Walberg, R-Mich., both of whom serve on the Subcommittee on Innovation, Data and Commerce of the House Energy and Commerce Committee.
At its core, COPPA 2.0 focuses on a handful of changes. Most profoundly, it would expand COPPA's consent requirements to cover teens. Under COPPA, parents of children under age 13 have been empowered to provide their consent for data collection through online services that are directed to children, or that have actual knowledge that children use their service. Under COPPA 2.0, teens would be able to provide their own consent.
Another major change would be the expansion of the COPPA knowledge standard. In addition to "actual knowledge," digital services would be required to comply with COPPA 2.0 if they have "knowledge fairly implied on the basis of objective circumstances that a user is a child or teen." The bill would also ban targeted advertising to minors and require a mechanism for minors to request deletion of their personal information, a so-called "eraser button."
Confusingly, as of this week there is also another bill known as "COPPA 2.0" — or at least a section of a bill. When the House Energy and Commerce Committee introduced an updated discussion draft of the American Privacy Rights Act, it had a new Title II added to the end. This was not unexpected, as the original APRA, first revealed last month, had eliminated the minor-focused provisions of its predecessor bills in a manner that suggested a plan to negotiate them later.
For a full visual review of the edits in the second public draft of the APRA, see IAPP's unofficial comparison.
Intriguingly, Title II of the APRA has been modified to substantially change the proposal. It is still designed to amend the existing COPPA statute, but it would not extend the law’s protections to cover teens. And rather than expanding the knowledge standard, it would eliminate it altogether, removing the second prong of COPPA's application so the law would only cover services directed to children.
Of course, these adjustments must be considered alongside the APRA itself, which treats all personal data of individuals under 17 as sensitive data, bans targeted advertising to minors and includes age-appropriate considerations in its privacy-by-design provision. As currently drafted, this would subject the personal data of kids and teens to two limiting factors.
First, the data of covered minors would be subject to the general data minimization requirements of the APRA. As currently drafted, data could not be processed for any purpose "beyond what is necessary, proportionate and limited" to "provide or maintain a specific product or service requested by the individual" or a nonadvertising communication to the individual "reasonably anticipated within the context of the relationship."
Next, like other sensitive data, minors' personal data could only be transferred — that is, shared with a third party — with the "affirmative express consent of the individual to whom such data pertains."
The interplay between the proposed amendments to COPPA and the draft APRA create tensions that will need to be addressed in future drafts. For example, would organizations be expected to seek consent from kids themselves under the APRA in addition to verified parental consent under COPPA, in order to share kids' data with third parties?
At the markup yesterday, as reported by my colleague Joe Duball, Reps. Castor and Walberg voiced major objections to Title II of the APRA. At the same time, family advocates are, to put it nicely, not pleased. In a statement signed by the Center for Digital Democracy, Common Sense Media and Fairplay, the groups lodge three general complaints with the updated discussion draft:
"The new APRA discussion draft purports to include COPPA 2.0 (as Title II) but does not live up to the standalone COPPA 2.0 legislation introduced in the House last month, and supported on a bipartisan, bicameral basis, in terms of protections for children and teens. Furthermore, the youth provisions in APRA’s discussion draft appear impossible to implement without additional clarifications. Lastly, in addition to these highly significant shortcomings, we are also concerned that Title II of the new APRA draft may actually weaken current privacy protections for children, by limiting coverage of sites and services."
It was only after registering their reluctance, and hearing repeated promises from Rep. Cathy McMorris Rodgers, R-Wash., to continue working on fixing the APRA as it makes its way through the full Energy and Commerce Committee, that all subcommittee members agreed to move the discussion draft forward without amendment.
Notably, the Kids Online Safety Act also advanced out of the subcommittee yesterday. If this online design and platform safety bill continues to move forward, it adds further complexity to the contours around the end-game for youth privacy after 2024.
There is no doubt that the committee members intend to work hard to create a final text of the APRA — including COPPA 2.0 — that addresses their wide array of concerns. The question is: what will this final text actually mean for the existing COPPA framework and for the future of privacy for kids and teens?
Please send feedback, updates and eraser buttons to cobun@iapp.org.