There have been waves of legislation introduced in the 118th Congress that attempt to improve children’s privacy and online safety. With the technological advancements in the last few decades, some argue that the Children’s Online Privacy Protection Act of 1998 (COPPA) has failed to achieve its goal of protecting the privacy of youth. And it is no surprise that members of Congress want to remedy that perceived problem, but how that is achieved is being debated on the Hill.

This post explores several pieces of legislation that deal with children’s privacy and online safety in different ways and to different degrees, including a broader bill, the Kids Online Safety Act (KOSA); the two bills which would amend the Children’s Online Privacy Protection Act of 1998 (COPPA): Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and Protecting the Information of our Vulnerable Adolescents, Children, and Youth Act (Kids PRIVACY Act); and two bills that implicate end-to-end encryption (E2EE) technology: the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2023 and the Strengthening Transparency and Obligation to Protect Children Suffering from Abuse and Mistreatment Act of 2023 (STOP CSAM Act). While aiming to protect children is laudable, these bills could have unexpected consequences or have widespread impacts that go beyond their intended goal.

A Broad Approach: KOSA

U.S. Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) have rallied around KOSA, which they first introduced in 2022 and reintroduced this year with modifications. Though KOSA attempts to improve children’s safety when using social media, some say the bill will do more harm than good, even with the new changes. It contains broader online child safety measures, like holding platforms liable if their designs or services do not mitigate complex societal issues like suicide, anxiety or substance abuse.  

There are also questions regarding how KOSA could affect student learning outcomes. Under KOSA, parents could opt out of personalized recommendation systems. Several studies have shown the benefits of personalized learning, and many schools have implemented this technology to impact student learning outcomes. A better approach would be to pass a comprehensive federal data privacy and security law that has provisions specifically aimed at protecting children’s privacy and online safety.

The Amending COPPA Approach

Senate and House efforts to amend COPPA are both underway; they overlap but have key differences. COPPA provides safeguards for the privacy and personal information of children under 13 by placing restrictions on how online services and websites process their data, but many feel that COPPA’s coverage did not extend far enough.

In the Senate, the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) has been reintroduced this year by Sens. Bill Cassidy (R-La.) and Ed Markey (D-Mass.). COPPA 2.0 would update COPPA to increase the age of consent for data collection from 13 to 16, ban targeted advertising to children and further expand the Federal Trade Commission’s (FTC) rulemaking authority.

In the House, Rep. Kathy Castor (R-Fla.) reintroduced the Kids PRIVACY Act, which, like COPPA 2.0, would amend and expand the coverage of COPPA. The bill would increase age protection from anyone under 13 years to under 18. It would also ban ads that target minors, require opt-in consent for everyone under 18 years old, and establish a Youth Privacy and Marketing Division within the FTC focused on privacy and marketing directed at children and teenagers. It also includes substantial data security provisions, like data minimization and specific security requirements, including that every 12 months an operator must reevaluate and adjust its security practices in light of relevant technological changes, threats or vulnerabilities. However, both bills bring similar concerns over potential FTC overreach and Congress members losing focus on what is truly needed: a comprehensive federal data privacy and security bill that would also include provisions protecting children’s privacy.

The Counterintuitive Approach

The two bills here aim to protect victims of online child sexual abuse but heavily misfire: by implicating E2EE technology, they make the internet less safe. The STOP CSAM Act, introduced this year by Sen. Dick Durbin (D-Ill.), aims to combat the proliferation of child and sex abuse material online. The bill increases funding to essential organizations like the Internet Crimes Against Children Task Force (law enforcement task forces located in nearly every major city) that provide communities with on-the-ground investigators tackling serious sexual crimes that exploit children. It also expands mandatory child abuse reporting to include certain youth athletic programs that receive more than $10,000 in federal funding.

Unfortunately, the bill creates potential liability for any business that knowingly “hosts or stores child pornography” or “facilitates” child exploitation. It is well-known that nefarious actors can use platforms and E2EE to facilitate child sexual exploitation crimes. The problem is that E2EE also makes the internet safer for individuals to transfer sensitive data electronically, such as financial or tax information, attorney-client communications, and sensitive or embarrassing communication between users. Further, nefarious actors will still be able to access encryption even without a platform providing it as a service, and they likely will. The average internet user, however, might be less motivated to seek out encryption tools to secure their data or communications.

The EARN IT Act was also reintroduced this year by Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.). It includes provisions that establish a National Commission on Online Child Sexual Exploitation Prevention to develop recommended best practices to curb the sexual exploitation of children, and a redundant amendment to Section 230 that creates a CSAM exemption. However, while the bill tried to address industry and civil society alarms about outlawing E2EE, there are still concerns that allowing client-side scanning before the E2EE process will harm user privacy because it erodes the entire purpose of E2EE: that only the sender and recipient have access to the transferred data.

Efforts mentioned throughout this article might be well-intentioned, but many would lead to negative consequences in the name of safety and privacy, from harming encryption to federal agency overreach. In comparison, a comprehensive national privacy and security law would promote global competitiveness, reduce data security and national security risks, and provide all Americans with privacy protections. Notably, many comprehensive proposals have entire sections dedicated to children. Americans should have data privacy and security protections regardless of their age or where they live.
