The U.S. Congress is very close to passing reforms to youth privacy and safety standards for the first time in decades.
But as they say, close only counts in horseshoes and hand grenades.
Both the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act, also known as COPPA 2.0, passed out of the House Committee on Energy and Commerce this week. This makes both pieces of legislation eligible for consideration by the full House and potential floor votes.
As both were first passed by the Senate in July, it is only House legislators and President Joe Biden who could stand in the way of their final passage.
The KOSA faces major difficulties, including House Republican leadership, which was reportedly unimpressed by the current text, as well as continued pushback on the bill from some civil society groups. There are also disagreements from multiple fronts on ongoing modifications to major components of the bill, including its duty of care standard.
The COPPA 2.0 is much less controversial. It makes numerous changes to the existing COPPA statute, while extending it to provide certain privacy protections for teens under the age of 17.
The House's version of the COPPA 2.0 made a handful of changes to the text passed by the Senate, including to some of the most discussed aspects of the COPPA. However, the changes seem calculated more toward final passage and concurrence from the Senate than other recent markups we have seen. After all, the bill's Senate sponsors praised the passage of the House version out of committee.
The knowledge standard in the COPPA has been a contentious issue since its inception.
The current law kicks in when websites are directed to children or have "actual knowledge" that a user is a child. There have been many rounds of controversy about the current standard, going back to the original enactment of the bill.
Critics argue it incentivizes companies to maintain willful blindness to the age of their users. It is one of the most commented-on components of the COPPA Rule each time the Federal Trade Commission updates it, though the agency has declined to attempt to change a standard that is so clearly established via legislation.
Recent state-level youth privacy and safety laws have experimented with a wide range of new knowledge standards, but no strong consensus has emerged.
The Senate-approved version of the COPPA 2.0 used a formulation that has been popping up frequently in recent years, though it does not match any enacted state legislation: "actual knowledge or knowledge fairly implied on the basis of objective circumstances."
Instead, the House adopted a novel approach. It borrows from the structure of the proposed American Privacy Rights Act, which would apply different standards to different types of companies, including heightened restrictions for large social media platforms. Similarly, the House version of the COPPA 2.0 embraces a three-tiered knowledge standard.
For most companies, actual knowledge would remain the rule.
For a "high-impact social media company," the updated COPPA would kick in if the company "knew or should have known that a user is a child or teen."
And for other companies that meet a gross annual revenue threshold of USD200 million and collect the information of more than 200,000 individuals, the law would apply if the company "knew or acted in willful disregard of the fact that the individual is a child or teen."
For most companies the House version thus represents a less aggressive update to the existing operational standard, while embracing a more aggressive standard for only certain companies.
Other changes between the House and Senate versions are largely ministerial and clarifying amendments.
The multi-tier approach with a focus on "high impact" social media comes in the same week that the Federal Trade Commission released its report on the data practices of social media and video streaming services, which includes numerous legislative recommendations for enhancing the standards for teen privacy and safety as applied to these companies.
The staff report is likely to be highly influential in the policy conversation around youth privacy. It is based on the 6(b) study initiated by the FTC in 2020, which analyzed the practices of nine companies that control 13 platforms popular at the time. As usual with such reports, the FTC does not explain which findings apply to which companies.
Instead, a close read can reveal not only areas where there are large disparities in privacy and safety practices, but also areas where the FTC is disappointed in the practices of every company, at least as they existed in 2020. For example, in three places in the report, the agency lists practices that not a single company satisfactorily demonstrated — a warning shot about the privacy best practices.
- "No company provided a comprehensive list of all third-party entities that they shared personal information with."
- On the subject of contracts for such third-party sharing, the FTC noted that "no company described any audit or other ongoing diligence to ensure that those entities receiving the information were complying with any governing use restrictions in its contracts or terms of service."
- "No company tracked all of a user's changes or updates to privacy settings, or requests related to porting, access, accuracy, and deletion."
- And no company reported that the intended user age, or those allowed to create accounts, had to be over the age of 18.
The report is riddled with such examples of regulatory disappointment, though all the others apply to only a subset of the reviewed companies.
The FTC was also critical about the risks of harms to teen users. Staff repeatedly refer to the COPPA as a baseline — a minimum set of standards that companies should consider exceeding.
There is some irony in the timing of this renewed attention on teens.
This week also brought news that Meta was revamping teen privacy, safety and wellness settings on Instagram. Much has changed in the best practices for teen privacy and safety since 2020, but this shows no sign of slowing the pace of regulatory scrutiny.
For this term, most of the legislative horseshoes have already been pitched, but the final inning has not yet begun. Even with widespread support for COPPA updates, there remain dwindling days in the session to pass a privacy law. Even with the best chance of passage, the odds are long.
Please send feedback, updates and disappointed regulatory footnotes to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director in Washington, D.C., for the IAPP.