Children’s Online Privacy: KOSA and COPPA Updates

As we predicted in our 2024 Forecast, Congress has wasted no time in the new year advancing legislative efforts to expand protections for minors online. Recently, a new version of the Kids Online Safety Act (KOSA) was announced, garnering enough support to pass the Senate with a veto-proof majority after 15 new sponsors signed on to the bill. Plus, updates to the Children’s Online Privacy Protection Act (COPPA) 2.0 bill were released with the support of new co-sponsors, Senators Maria Cantwell (D-WA) and Ted Cruz (R-TX). 

Federal efforts are set against the backdrop of significant developments at the state level. The United States District Court for the Northern District of California found the California Age-Appropriate Design Code Act (CAADCA) likely violative of the First Amendment and enjoined the Act from taking effect until further judicial review, which is pending. The Ninth Circuit had earlier ruled that COPPA does not preempt state privacy claims. More recently, the U.S. Supreme Court heard oral arguments in two cases involving the constitutionality of laws in Texas and Florida implicating the scope of First Amendment rights of social media platforms. All these developments indicate that the courts will have just as much influence establishing legal parameters for the protection of kids and teens in the online ecosystem as state legislatures, Congress, and federal agencies. 

KOSA Updates

The text of the KOSA bill has been updated to require platforms to “exercise reasonable care in the creation and implementation of any design feature” to prevent and mitigate harms, such as bullying and harassment, that can be particularly harmful to minors. The addition of a reasonable care standard was implemented to head off concerns by advocacy groups that the bill would lead to the censoring of legal content, but critics appear to remain unsatisfied.
 
The revised bill does not allow state Attorneys General to enforce the reasonable care provision of KOSA, instead reserving exclusive enforcement powers for this provision for the Federal Trade Commission (FTC). State Attorneys General can, however, enforce Section 103, which requires readily accessible and easy-to-use safeguards to protect minors from harms online; Section 104, which requires clear and conspicuous disclosures of policies and practices related to minors online; and Section 105, which requires annual public reports that address risks to minors and prevention and mitigation measures taken to address such risks.

The KOSA text also now includes a definition of a “design feature,” which means “any feature or component … that will encourage or increase the frequency, time spent, or activity of minors on the covered platform” (the FTC proposed a similar restriction in its proposed COPPA Rule, but the FTC’s authority to do so is entirely unclear). Moreover, platforms must, by default, enable their most protective privacy and safety settings for minors and offer tools for parents to monitor the online activity of their children. Minors must be able to easily delete their data and accounts and limit their time on the platform.
 
It is expected that passage of KOSA will be met with fierce litigation due to the perceived infringement on First Amendment rights associated with the bill as written. Critics argue that KOSA’s provisions are regulations on content because the effect – and perhaps the goal – would be to limit minors’ access to truthful speech viewed as “harmful,” rather than regulate collection of personal information, impacts on markets or the technical aspects of a platform’s operation that, as a whole, may be harmful to consumers or competition.

COPPA 2.0 Updates

The most recent COPPA 2.0 updates include “small modifications based on conversations with stakeholders and additional technical corrections,” according to a statement released by Senator Ed Markey (D-MA). 

As a reminder, COPPA 2.0 originally passed out of the U.S. Senate Committee on Commerce, Science, and Transportation in 2022 alongside KOSA. COPPA 2.0 aims to expand COPPA protections to those under 17 years old by expanding the definition of covered websites to include platforms “used or reasonably likely to be used by children or minors.” This definition is similar to the definition that was found to likely violate the First Amendment in the challenge to the CAADCA. COPPA 2.0 bans targeted advertising to children and teens and requires operators to permit users to erase a minor’s personal information collected by the operator. The bill also establishes a digital marketing bill of rights for teens and a Youth Marketing and Privacy Division at the FTC. 

COPPA 2.0 covers online applications, mobile applications, and connected devices. Covered online services are required to re-affirm consent when data collection policies change and comply with rules limiting retention of minors’ data to no longer than is necessary to fulfill a requested transaction or service. State Attorneys General have authority to bring a civil action on behalf of any resident that may have been adversely affected by a violation of the law.

Critics argue that COPPA 2.0 suffers from some of the same constitutional infirmities as KOSA, will increase compliance costs, and impermissibly requires service providers that serve both minors and adults to choose between full COPPA compliance or age-verification technology that requires even more data collection and retention. 

Conclusion

It is clear that the privacy and online safety of kids and teens is a major driver of public policy. Given the many challenges Congress faces in this election year, the likelihood that KOSA and COPPA 2.0 will be enacted remains unclear, but state privacy law developments will also continue into this legislative session. All eyes are on the courts as they wrestle with questions of whether various laws violate the First Amendment. Important judicial decisions are expected this year that will likely influence the contours of Internet governance for decades to come.