Jennifer Huddleston and Christopher Gardner
On March 5, the Senate adopted by unanimous consent a youth online safety bill called the Children and Teens’ Online Privacy Protection Act, also known as COPPA 2.0. The bipartisan bill was introduced by Senator Ed Markey (D‑MA), one of the authors of the original Children’s Online Privacy Protection Act (COPPA) in 1998 during his time in the House, which was passed in the Senate by unanimous consent. That same day, the House Energy and Commerce Committee held a markup on a package of youth online safety bills but decided to table its equivalent version of this bill.
With the nickname COPPA 2.0, it may seem that the bill would be a minimal change to existing norms; however, many elements go beyond just raising the age of existing COPPA protections to 16 (a change that still merits its own considerations as well). From rights to deletion to changes in the law’s knowledge standard, the law does more than just shift the age.
What Does COPPA 2.0 Actually Change in COPPA?
COPPA 2.0 is a modernization and expansion of the original COPPA. The most consequential change is expected to be expansion of the law’s protections from children under the age of 13 to teens ages 13–16. But the bill does much more than expand COPPA’s requirements to apply to teens.
The most significant legal right is a new addition in COPPA 2.0 that centers around the ability of a child’s parent or a teen’s own right to correct inaccuracies or delete personal information collected by a website, online service, online application, or mobile application.
This bill also imposes several major new requirements upon online providers. One is a new ban on the collection and sharing of information for the purpose of individual-specific advertising. Another is a new ban on the storage or transfer of personal information outside the US without direct notice to a child’s parent or a teen. The bill also adds a new security mandate for the storage and protection of personal information collected by an online operator.
These requirements are coupled with a new, lowered standard of knowledge for online operators. In COPPA, the legal standard for child protections is set at “actual knowledge.” Under COPPA 2.0, this is changed to actual knowledge or “knowledge fairly implied on the basis of objective circumstances.” The bill provides limited guidance on this standard, only directing the Federal Trade Commission (FTC) or state attorneys general to consider “the totality of circumstances, including whether a reasonable and prudent person …would have known that the user is a child or teen.” The bill further directs the FTC to issue guidance on complying with this new standard.
The final major change in COPPA 2.0 is its relationship to state law. Under COPPA, current law prevents states from issuing laws or regulations imposing liability on actions described in COPPA that are inconsistent with the original law’s treatment of said actions. It goes on to state that “nothing in this title shall be construed to prohibit” state action providing “greater protection to children or teens than the provisions of this title.” This change declares COPPA 2.0 to be an effective floor for state legal protections.
Does It Make Sense to Up COPPA’s Age to 16?
Children and teens under 17 are protected under many of COPPA 2.0’s proposals; however, the bill specifies a different parental role for each in that protection. In the case of children, the ability to exercise the legal rights granted by this bill are delegated to the parents. Teens, those ages 13–16, are given that responsibility themselves. But this inevitably raises the question: Does this represent an update to reflect changes in the nearly 30 years since the original COPPA, or does it create a new set of problems?
Yes, teens are rapidly developing in a number of social, emotional, and physical ways. Proponents often point to the idea that younger teens are perhaps less prepared or more vulnerable than older teens. Each family will have to make the decision about what age is right to let their child have access to technology or platforms like social media. Even within the same family, different vulnerabilities, benefits, and needs may mean that the right age or restrictions are different.
There are young teens that have used the internet in successful and beneficial ways. This can include starting businesses or even engaging in political discourse. In other cases, it can be a creative outlet or place to find communities centered around interests such as gaming or books. While there may be issues that we wish younger teens did not have to deal with including questions of sexual health, grief, or abuse, the unfortunate reality is that they do. While the internet can be a place where vulnerabilities are amplified for some, it can also be a critical place to find support for others. This applies to younger teens as well as older ones.
Non-policy solutions have continued to evolve to provide options for those that want a more limited experience, particularly for younger teens. This indicates a market responding to consumer demand, not failure. Industry is working to provide a teen-sensitive environment for those who want an option besides full access, such as Instagram’s teen accounts. Parents can also limit contact, install filters, and set time limits or otherwise turn on or off parental-control features within various apps and devices as best suits their family’s needs.
COPPA 2.0’s Other Policies and Their Potential Consequences
As mentioned, an increased age is not the only change to COPPA under the revised proposal. Other elements such as a right to deletion and acting as a floor rather than a ceiling could have significant impacts on both innovators and consumers. In some cases, these elements may mean less opportunities for young people and even create more unsafe situations for the teens they are intended to protect.
A right to deletion comes from a good place, but it could be abused to make concerning situations even worse. The intentions behind such laws are typically to allow kids and teens (or their parents) to remove information and data from the internet before they can meaningfully understand what they were consenting to. However, data rarely belong to one individual, and there are multiple concerning situations in which this right could be abused by adult bad actors. For example, if the right can be invoked to delete the messages that a child or teen was part of as part of their personal data, this could remove evidence tied to grooming by a predator or bullying by a peer. Since a crime had not yet occurred, such messages or other similar evidence could be deleted if a young person invoked such a right, making it more difficult rather than less difficult to protect a child or teen.
The revised proposal also allows a potential patchwork to develop by permitting states to pass additional requirements with this law acting as a “floor” rather than a “ceiling.” This means a state-by-state patchwork that is harmful to both innovators and users could emerge. A state-level patchwork of compliance particularly burdens smaller innovators and may discourage platforms from providing services in all 50 states. As Morgan Reed of ACT the App Association once said in congressional testimony in regards to similar approaches in data privacy: If federal law is a floor, then the floor is lava for small businesses.
The result can be that individuals, whether teens or adults, lose access to online platforms, not because they are inherently less safe but because the additional compliance costs or requirements fail to consider the unique audiences or functions of a particular platform. Some may find that making the required changes are not worth the changes for the size of the market. For example, the growing platform BlueSky pulled out of Mississippi due to its legislation’s potential costs and burdens.
In other cases, allowing further state legislation on top of federal law can create an effect by which the most restrictive state creates de facto federal policies. This is already seen in the international context such as when Discord imported its biometric age verification elements in the broader US despite not being dictated by law. It has also been seen in the “Sacramento Effect” that has occurred in data privacy where a stringent California law becomes a de facto federal law.
Conclusion
Nearly 30 years later, there seems to be renewed focus on if COPPA is sufficient for the changes to the internet that have also occurred in that time. There were of course trade-offs even in the original COPPA, and the FTC continues to issue guidance on how it interprets different elements of the law.
In considering any changes or new policy requirements, policymakers should be cautious and consider carefully how such legislation might affect the most vulnerable teens for whom the internet can be a lifeline. They should also carefully consider if such changes meaningfully improve privacy and safety or just create compliance burdens and limitations that disrupt innovation and the experience of all users.
Of course, there is another way to seriously discuss improving data privacy for teens not currently covered by a COPPA. Despite a growing disruptive patchwork of state laws, the debate over a federal data privacy discussion has largely stalled. A data privacy framework, not only for kids and teens but all users, could provide clarity to consumers and innovators while still preserving beneficial uses of data and consumer choice.