A view from DC: Policymakers battle over knowledge standards

Last Tuesday, even as the smells of pre-baking pies were already solidifying expectations of Thanksgiving in my house, the rumor mill in Washington started to swirl. It was said that something was coming, and we probably should clear our plans for the evening.

The good news: after a lengthy delay related to the government shutdown, the U.S. House Committee on Energy and Commerce was set to release its much-anticipated package of legislative proposals covering the online safety and privacy of minors. Over the weeks leading up to the release, the package had swollen from a rumored baker's dozen bills to a final total of 19 proposals. The bad news, our families would likely now be regaled by stories of chatbot harms and social media bans during their turkey feast. But they probably expect nothing less by now.

Sure enough, by Tuesday evening we had in hand the full legislative package to review and analyze. Two thirds of the bills are brand new, including some with delightfully creative backronyms like the SPY Kids Act (Stop Profiling Youth and Kids) the SAFE Bots Act (Safeguarding Adolescents from Exploitative Bots) and the SCREEN Act (Shielding Children's Retinas from Egregious Exposure on the Net).

Although at least eight of the bills have bipartisan support, it was the lack of a Democrat sponsor on one bill that immediately drew commentators’ attention. The Children and Teens' Online Privacy Protection Act, which everyone affectionately calls "COPPA 2.0," had been reintroduced with two Republican co-sponsors, Rep. Tim Walberg, R-Mich., and Rep. Laurel Lee, R-Fla. 

Another Florida representative was conspicuously absent. Rep. Kathy Castor, D-Fla., has long been the primary Democrat sponsor of COPPA 2.0 in the House. Her newfound opposition to the bill as currently drafted, perhaps intermingled with her anger over the removal of the duty of care standard from the House version of the Kids Online Safety Act, appears to be strong enough to have convinced any other Democrat not to sign onto the draft. This week, Castor released a statement deriding the new version of the bill as "riddled with loopholes," without specifying which loopholes caused her to walk away from the table.

At the subcommittee hearing to discuss the 19 bills, Castor was more forthcoming about her substantive concerns with the new proposal. In short, it all seems to come down to the knowledge standard.

As introduced, the standard by which companies will be measured as to whether they know a user is a child does differ somewhat from any prior draft of COPPA 2.0. The Senate version — reintroduced without amendment this year after it was passed by the full Senate last year — would strengthen COPPA's existing "actual knowledge" standard, also covering "knowledge fairly implied on the basis of objective circumstances." Although actual knowledge has become a well-defined standard over the course of decades of enforcement, it has also been widely criticized by advocates and academics as too lenient to effectively protect children's privacy across the web.

As first introduced in the House last year with bipartisan support, the original House version would have copied the Senate language with regard to knowledge. But the version of the bill approved by the Energy and Commerce Committee in September last year was swapped in the final days with an amendment that had more resemblance to this newly introduced 2025 version. It adopted a tiered knowledge standard, applying different thresholds to different types of companies. 

At the time, some Democrats expressed reservations about the House amendments, including Ranking Member Frank Pallone, D-N.J., who pledged to work to propose fixes to address his concerns as the bill moved forward in the full chamber.

At that time, Rep. Castor appeared to be firmly on board with the bipartisan version of the bill, saying in her remarks before the vote that she was glad COPPA 2.0 was "generally intact from the Senate version that was voted 91-3, so hopefully we won't get into detailed debate too much on this." She also noted approvingly at the time that the bill "revises the current law's knowledge standard to close a loophole that allows platforms to ignore kids online." However, Castor had previously expressed concerns when similar language first appeared earlier last year when a version of COPPA 2.0 was attached as Title II to the American Privacy Rights Act. Perhaps the tweaks between those versions of the bill were enough to assuage her concerns at the time, or perhaps the opportunity to finally pass the legislation was enough to overcome any lingering concerns.

In the end, despite this support from Castor, there were warning signs that the bipartisan consensus was eroding. The votes to move KOSA and COPPA 2.0 to the full House were conducted as voice votes, without recording individual support or opposition, so it is unclear how many remained skeptical of the final drafts.

The changes in the current version of COPPA 2.0, visible in this unofficial comparison, are largely ministerial, with a few exceptions. The Future of Privacy Forum's Daniel Hales analyzed the other adjustments, but the core difference between the Senate and House versions of the bill remains the knowledge standard.

As I mentioned, the updated standard is at least slightly different from what we've seen before. The previous tiered standard in the final 2024 House version included three distinct knowledge thresholds. 

High-impact social media companies, a concept borrowed from the doomed APRA, would be considered to have knowledge of minors on their platform if "the operator knew or should have known that a user is a child or teen."  Other large companies — with more than USD200 million in revenue and 200,000 users — would have knowledge if "the operator knew or acted in willful disregard of the fact that the individual is a child or teen." And for everyone else, the standard would have remained at the "actual knowledge" level.

Notably, neither of the enhanced standards from the prior version directly reflect the Senate's continued use of "knowledge fairly implied on the basis of objective circumstances."

The 2025 House version eschews the middle knowledge tier, meaning companies large and small would remain at the current actual knowledge threshold — though of course expanded from COPPA to apply to both children and teens — unless they qualify as high-impact social media companies. But the standard for social media companies has also shifted. Under the new draft, such companies would meet the knowledge threshold if they "willfully disregarded information that would lead a reasonable and prudent person to determine that a user is a child or teen."

Together, these changes appear to be the primary sticking point for Castor and other Democrats, setting aside the aggressive preemption language in the bill which Republicans have quietly signaled is open for discussion.

Meanwhile, the landscape of knowledge standards at the state level grows ever more complicated, with a wide spectrum of statutory language falling in all directions around the thresholds described above. FPF published an incredibly useful resource explaining the proliferation of these standards.

As policymakers look to provide meaningful protections for teenagers and rein in a patchwork of state standards, there remains a glimmer of hope that they can return to the table on COPPA 2.0. But the prospects of the bill’s passage if it remains a partisan initiative dwindle to slim to none. After all, it is not just Democrats who are not fully satisfied by the current language. Conservative advocates have expressed their own concerns, including embracing more of a parents-rights centered framework instead of empowering teens.

Please send feedback, updates and actual knowledge to cobun@iapp.org. 

Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.