After the cork popped on Data Privacy Day and President Joe Biden’s op-ed emphasized the need for “serious federal protections for Americans’ privacy,” there was optimism that his 2023 State of the Union address might provide a clear path forward on a comprehensive federal privacy and security law. However, President Biden did not illuminate a path forward other than his previous disparaging talking points about “Big Tech” and promises to “protect children’s privacy.” However, a comprehensive federal data privacy and security law, which has had bipartisan support, is a solution to protect all Americans’ data while satisfying Biden’s and some Congressmembers’ interest in protecting children’s data privacy.  

The bipartisanship on data privacy and security is not surprising—such laws are popular amongst most Americans on both sides of the political spectrum. According to a recent poll, over half of the voters support a federal data privacy law; and over 9 million Californians voted to amend the California Consumer Privacy Act (CCPA) in 2020 to enhance data privacy and security protections. Further, the tech industry understands that data privacy protection for consumers is economically advantageous.  

The Push for Children’s Privacy in the Senate

On February 14, the Senate Judiciary Committee held a hearing on “Protecting Our Children Online,” which focused on children’s privacy and safety. U.S. Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) rallied around their Kids Online Safety Act (KOSA), which was first introduced in 2022 and has been reintroduced this year. KOSA is an attempt to improve online data privacy for kids, but some say it could cause unintended consequences. It also contains broader online child safety measures where there is not complete agreement on the methods and liability prescribed. Any child-specific privacy law, like KOSA, will be best suited to be built on top of an existing comprehensive federal data privacy and security framework, not before it. Likewise, it is best to keep a comprehensive federal data privacy and security law focused on privacy and security instead of simultaneously incorporating broader measures like KOSA envisions. 

Another federal bill, the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), is expected to be reintroduced this year by Sens. Bill Cassidy (R-La.) and Ed Markey (D-Mass.). COPPA 2.0 would update the 1998 Children’s Online Privacy Protection Act to increase the age of consent for data collection from 13 to 16, ban targeted advertising to children and further expand the Federal Trade Commission’s (FTC) rulemaking authority. This bill, like KOSA, advanced out of the Senate Commerce Committee in the 117th Congress. However, concerns over potential FTC overreach and members’ focus on passing a comprehensive bill that would also include provisions protecting children’s privacy meant that it never saw floor action.

Understanding privacy’s mass popularity, why is there a strong push for children’s privacy legislation rather than a comprehensive federal privacy and security law? The simple answer is that passing legislation is complex—it takes time, effort and compromise. Perhaps children provide the emotional impetus to initiate legislation—after all, we have seen similar moral panics throughout history. Centuries ago, novels were harming youth’s ability to differentiate fact from fiction; and only decades ago, video game arcades in suburban pizza parlors were “stealing the innocence of our children;” and currently, the crosshairs are on social media and “Big Tech.” To be clear, this is not to insinuate that concerns about children’s online privacy and activities are invalid. The harms associated with a lack of data privacy and security are very real—not just for children, but everyone. That is why we need a comprehensive law.

The Push for a Comprehensive Federal Privacy and Security Bill in the House

Key members of the House Energy and Commerce Committee and Senate Innovation, Data, and Commerce Subcommittee continue to support comprehensive federal data privacy and security legislation, including Reps. Cathy McMorris Rodgers (R-Wash.) and Frank Pallone Jr. (D-N.J.), who both rebuffed the notion that only kids’ data privacy should be protected. The American Data Privacy and Protection Act (ADPPA) had provisions aimed at protecting kids’ privacy data and security, such as target advertising bans on children younger than 17 years, enhanced limitations on sharing children’s personal information with third parties, a dedicated Youth Privacy and Marketing Division at the FTC and increased oversight of COPPA safe harbors.

The House Energy and Commerce Committee’s Innovation, Data, and Commerce Subcommittee has held two hearings this year focused on privacy. On February 1, the hearing focused on the United States’ competitiveness and global technological leadership, particularly data privacy and security. On March 1, building on the previous discussions, the hearing examined how personal data is treated and handled in today’s digital ecosystem, the dangers facing the United States if congressional inaction continues, and the path forward.

Both hearings illuminated the overwhelming, bipartisan support for a comprehensive federal privacy and cybersecurity bill. But the question remains: how might such a bill look in the 118th Congress, compared to how the ADPPA looked in the 117th Congress. Too much legislative tinkering, such as loosening or restricting private right of action or preemption, might impede the progress that has been made and decrease bipartisan and bicameral support.

The political reality is that if a kid-only data privacy legislation is passed, the political motivation to complete a comprehensive data privacy and security law likely vanishes. All Americans should have data privacy and security protections regardless of their age or where they live. After all, not only do privacy harms cause devastating consequences—but privacy protections, as Justice Louis Brandeis suggested, are essential for free thought and expression, a precondition for Americans to exercise their First Amendment rights. 

More Cyber Policy

Stay in the know. Sign up for R Street’s Newsletters today.