Sweeping and controversial children’s digital privacy bills head to full Senate

Two bills designed to bolster children’s privacy and safety online advanced in the Senate on Thursday after months of infighting between children’s advocacy organizations and technology civil rights groups over what the latter see as problematic freedom of speech and privacy concerns in the legislation.

Despite the mixed views, the Commerce, Science and Transportation Committee voted to advance the bills, known as the Kids Online Safety Act (KOSA) and the Children and Teens Online Privacy Protection Act (COPPA 2.0). The latter updates an original COPPA bill passed in 1998, which is considered the first and only major federal privacy legislation.

Committee Chair Sen. Maria Cantwell (D-WA) cheered both bills’ success, saying of COPPA 2.0 that children and teens can be “overwhelmed with the complexities of online content that is manipulated and targeted at them.” She said the bill strengthens protections and closes loopholes while ensuring data of children under age 17 is protected more rigorously.

President Joe Biden, who discussed the need for stricter children’s privacy laws in his State of the Union address, urged the committee to approve the bills earlier this week, but there are questions about their potential to become law, particularly since there are no House versions.

COPPA 2.0 changes the existing law to require online services to stop collecting data from kids under age 17 (raised from under age 13). KOSA is far more sweeping and requires platforms to filter content directed to users under age 17 in the name of preventing, for example, suicide and anorexia.

While celebrating the passage of KOSA, Cantwell acknowledged the profound concerns in the free speech and technology civil rights communities about how the bill would block vital LGBTQ content from older teens. Acknowledging the advocates’ concerns, Cantwell said, “we will continue to work with them.”

KOSA, the more politically charged of the two bills, is supported by a range of children’s privacy groups and larger organizations devoted to childrens’ mental health, including Common Sense Media, the American Psychological Association, Fairplay and the American Academy of Pediatrics.

A letter to senators signed by more than 200 groups pointed to troubling statistics that advocates say are directly tied to the broad freedom of access children have to online content and the uncontrolled and often profit-driven behavior of companies pumping it out to them.

The letter highlighted that depression rates in teens doubled from 2009 to 2019 and cited a similar doubling of eating disorder emergency room admissions for teen girls from 2019 to now.

More than 90,000 pro-eating disorder accounts with 20 million followers appear on Instagram, the letter said, with Meta earning an estimated $230 million annually from such accounts. “After numerous hearings and abundant research findings, the evidence is clear of the potential harms social media platforms can have on the brain development and mental health of our nation’s youth, including hazardous substance use, eating disorders, and self-harm,” they wrote.

The founder and CEO of Common Sense Media, which focuses on children’s privacy and safety online, echoed the letter’s assertions Thursday and highlighted the outdatedness of current laws governing children’s use of technology, saying the bipartisan group of sponsors were “doing their part to bring tech policy into the 21st century.”

The push against KOSA

A large number of freedom of expression and data privacy groups, including the Electronic Frontier Foundation, the Center for Democracy and Technology (CDT) and the ACLU, have lobbied hard against KOSA in particular, saying the costs it imposes to address children’s online safety are too high.

KOSA would mandate parental consent when children under age 13 create online accounts and require providers to give the parents of these children the ability to change privacy settings. As a result, advocates say, children will be forced to tell their parents which sites they visit.

They point to the bill’s inclusion of a so-called duty of care provision, which they say creates an obligation for online service providers to prevent harms to minors under age 17. But in doing so the bill’s broad language will effectively block a wide range of important information, including about mental and reproductive health, LGBTQ issues, and substance use dependency support, they say.

The requirement to “prevent” harm is extreme, advocates say, and will lead to extensive and often ineffective content filtering.

The bill also will likely trigger an overreaction from online content providers who Emma Llansó, director of the free expression project at CDT, said will block far more content than necessary because of liability concerns.

Llansó also criticized how the bill would give civil enforcement power to uphold the law to states’ attorney generals, many of whom she said have extreme views on reproductive care and LGBTQ rights.

At a time when many states are already seeking to block information about gender affirming and reproductive health care, she said, the bill “puts the most vulnerable young people at a really serious disadvantage, facing harassment and consistent targeting of their speech or the speech of people who might be resources or lifelines for them.”

KOSA inserts itself into the parent-child relationship while ignoring minors’ privacy and constitutional and human rights to access information, according to Cody Venzke, who is senior policy counsel for surveillance, privacy, and technology at the ACLU.

“KOSA has created a blunt technological veto over minors’ right to learn, explore, and speak,” Venzke said.

Advocates also have argued that age verification requirements in both bills would undermine adult and children’s privacy. In a recent blog post CDT policy analyst Aliya Bhatia wrote that because KOSA proposes having online services “limit by default” minors’ ability to communicate with other users — a provision that can’t realistically be applied to adults — it will be impossible to separate adults and children without asking for identification, which could include birth certificates or even facial scans.

Way overdue?

The large number of children’s health organizations pushing KOSA say years of failure by social media companies to protect children and adolescents from harmful effects is what prompted the bill’s “duty of care.” The bill’s provision for substantial parental controls will create a far safer digital environment, they say.

Citing the 90,000 Instagram accounts promoting eating disorders, Common Sense Media’s Technology Policy Counsel Irene Ly said currently many platforms are sitting idly by continuing to “profit off of a bubble like that.”

Ly acknowledged that content filtering isn’t perfect, but said KOSA can be refined over time. In the meantime, she said, under the new law policymakers will learn more about how online providers’ algorithms work, which they can leverage to better protect kids.

COPPA’s privacy concerns

Many advocates worry the COPPA 2.0 bill would undermine privacy for substantially more people because it will be less clear who is a child when data collection bans apply to users as old as 16. As a result, age verification will be required from a larger number of people, they say.

With users under age 13, content filtering is easier to do, advocates say, with the CDT blog citing “Dora the Explorer vs. a sports drink website.” But 16-year-olds use most of the internet making age verification much more sweeping and problematic.

Eric Null, who is co-director of the privacy and data project at CDT, said, as with KOSA, COPPA 2.0’s imposition of an implicit society-wide need for identification could quite possibly lead to platforms requiring photos of all users’ faces.

The CDT blog says the bill is poorly designed, pointing to how the bill’s “verifiable parental consent mechanisms” in some cases allow any adult to provide consent, which would make the law easy to circumvent and meaningless.

“A big issue from our perspective is that when you raise that age limit, the number of websites that have to verify the age of all their users basically skyrockets,” Null said.

_Correction: A previous version of this article misstated the age which KOSA would mandate parental consent — it would apply for children under 13. It also referenced language that had been removed on Thursday through an amendment. _