On July 30, 2024, the US Senate passed the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (also known as COPPA 2.0) with a 91–3 vote. These bills introduce measures to protect minors online, including requiring platforms to mitigate harms like cyberbullying and sexual exploitation. While proponents believe the laws will protect children, critics argue they could limit free expression and raise privacy concerns. The bills now move to the House for consideration before the August recess.
One such critic, the ACLU, along with several other civil society organizations, sent out a letter on June 27, 2024, urging the House of Representatives to amend KOSA “so that it would serve its intended goal, while mitigating the strong likelihood that the bill would otherwise censor valuable speech and undermine the privacy rights of all users online.” Key points in the letter revolve around the following:
- The organizations oppose KOSA as currently drafted due to concerns about over-filtering content and potential censorship.
- The broad "duty of care" may lead to excessive content filtering, restricting valuable speech.
- Content filters could mistakenly remove essential information, particularly around sensitive issues like mental health.
- Amending KOSA is recommended to better protect free speech and clarify provisions on content recommendations.
- There are concerns that the bill could enable excessive parental surveillance of teens' online activities.
- Further refinements to KOSA are encouraged with the purpose of balancing child safety with privacy and free expression rights.
Below we include a brief summary of the key points of the two laws:
Kids Online Safety Act (KOSA)
- Scope of Application: KOSA applies to "covered internet platforms," which are defined as any public-facing website, internet application, or mobile application, including social networks, video-sharing services, and search engines. It does not include platforms wholly owned, controlled, and operated by smaller entities under specific thresholds.
- Obligations: The Act imposes several obligations on platforms to protect minors:
- Implement measures to prevent online harms, including cyberbullying, sexual exploitation, and promotion of harmful behaviors like drug use and eating disorders.
- Provide tools for parents to control their children's online activity, such as viewing privacy settings, limiting purchases, and restricting screen time.
- Default settings must ensure the highest level of privacy for minors.
- Platforms must allow minors to opt out of personalized recommendations and limit their data collection.
- Rights: KOSA grants parents the right to access and control their children’s privacy settings and manage their online activity. It also emphasizes the protection of minors from harmful online content and interactions with unknown adults.
- Enforcement: The Federal Trade Commission (FTC) is primarily responsible for enforcing KOSA. The Act treats violations as unfair or deceptive acts under the Federal Trade Commission Act, giving the FTC the authority to impose penalties and require compliance. State Attorneys General can also enforce the Act within their jurisdictions.
- Penalties: Violations of KOSA can lead to significant penalties under the Federal Trade Commission Act. This includes civil penalties, which may exceed the standard amounts to ensure deterrence. Penalties also apply to first-time violations.
COPPA 2.0
- Scope of Application: COPPA 2.0 updates the original Children’s Online Privacy Protection Act by extending protections to minors aged 13 to 17, in addition to children under 13. It applies to websites, online services, and connected devices that collect, use, or disclose personal information from children and minors.
- Obligations: The Act requires operators to:
- Obtain verifiable parental consent before collecting personal information from children under 13.
- Provide clear privacy notices and implement data minimization practices.
- Ban targeted advertising to children and minors under 17.
- Allow minors to request the deletion of their data and prohibit the sale of connected devices that fail to meet cybersecurity standards.
- Rights: Minors have the right to have their personal information protected and, in some cases, deleted upon request. They are also shielded from targeted marketing practices under this Act.
- Enforcement: The FTC is also responsible for enforcing COPPA 2.0, treating violations as unfair or deceptive acts under the Federal Trade Commission Act. The Act grants enforcement authority to the FTC and state Attorneys General, allowing for civil actions and penalties.
- Penalties: Penalties for violations are enforced under the Federal Trade Commission Act, with the possibility of increased civil penalties for deterrence. COPPA 2.0 also allows for the enforcement of penalties by other federal agencies, depending on the entity involved, such as banking institutions or transportation providers.