When President Joe Biden delivered his first State of the Union address as President of the United States last week, topline priorities regarding the war in Ukraine, curbing inflation, and promoting elements of his domestic Build Back Better agenda understandably consumed much of the runtime. Yet those in the technology policy world were quick to take notice when the President turned his attention to privacy for the first time on the national stage. Using a sliver of his precious time at the podium, the President argued, “[i]t’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children.”
President Biden’s speech was notable for a few reasons. First, as my colleague Graham Dufault already explored, the President’s remarks conspicuously omitted any mention of another tech policy priority, the package of digital platform antitrust bills recently approved in the Senate Judiciary Committee and moving their way toward a floor vote in the chamber. President Biden’s snub of legislation much further along in the process than children’s privacy should tell you all you need to know about how highly he prioritizes the type of handicapping of app stores called for in those bills: not very.
Second, it marks the first time President Biden has weighed in on privacy legislation in a high-profile, public setting. That the President chose now as the appropriate time to throw his support behind privacy legislation speaks to both the growing relevance of the issue nationally (comprehensive state privacy bill proposals continue apace), as well as the machinations at the congressional level that have produced something of a groundswell of support around children’s privacy legislation. Relevant to the latter development, Biden recognized a guest of the First Lady, Facebook whistleblower Frances Haugen, who blew the lid off of a number of unsavory practices at Facebook/Meta that led to a series of congressional hearings surrounding the implications for children and teens specifically.
Taking Up President Biden’s Call to Action
Indeed, there are a few currently viable vehicles through which Congress could achieve children’s privacy reform. Just last week, the bipartisan duo of Marsha Blackburn (R-TN) and Richard Blumenthal (D-IL) introduced the Kids Online Safety Act, which, while not a traditional overhaul of the Children’s Online Privacy Protection Act (COPPA), would require online platforms “to act in the best interests of children,” provide additional safeguards by default, and create additional transparency into the risks to children’s health and safety posed by the platform.
That bill immediately jumps the queue, joining a couple of other measures likely to receive additional attention now that the President has weighed in. Such bills include Representative Kathy Castor’s (D-FL-14) Kids PRIVCY Act (currently the children’s privacy bill of choice among House Energy & Commerce Democrats), which would extend COPPA protections to minors 17 years and younger, among other updates to the statute. On the Senate side, Senator Ed Markey (D-MA), author of the original COPPA text, continues to push his Children and Teens’ Online Privacy Protection Act, which would extend COPPA protections to minors 16 years and younger.
Sketching out the Work Ahead
While it’d be foolhardy to predict at this early stage which of these initiatives is most likely to ultimately emerge through the congressional wringer, it’s clear that the fight to reform children’s privacy law will only heighten in coming months. And months it will take, as many issues require substantial additional work from lawmakers before they move forward. Aside from resolving the differing age cutoffs referenced above, lawmakers need to work out a slew of other issues, including the future of the COPPA Safe Harbor program, any new law’s relationship to emerging state and global design practices relating to children, and more. On the first point, key Democrats are clearly concerned with the current framework that allows companies to meet COPPA compliance obligations through participation in a Federal Trade Commission (FTC)-approved Safe Harbor program. Earlier this year, Representatives Castor and Schakowsky (D-IL-9) sent a letter to the six currently certified safe harbors to demand more information about their compliance frameworks and track record of revoking membership for non-complying member-operators. This follows remarks from former FTC Commissioner Rohit Chopra that implied the Safe Harbor program may be too insulated from public scrutiny and, generally, that safe harbors do not act quickly enough to sanction non-compliance.
Lawmakers will also need to decide how they want their updates to children’s privacy to interoperate with frameworks around the world and in the states. One of those emerging standards is the much-discussed UK Age Appropriate Design Code, which came into effect last year and places a type of fiduciary “best interests of the child” standard upon covered companies to ensure their design decisions, such as behavioral nudges, do not negatively impact the well-being of child users. Ever the early adopter of emerging global standards, California is moving rapidly to approve its own version of the Age Appropriate Design Code, the California Age-Appropriate Design Code Act, that could quickly shift the paradigm of child protection in the United States if passed. On the federal level, both the Blackburn/Blumenthal Kids Online Safety Act and Representative Castor’s Kids PRIVCY Act adopt elements of this framework, though regulators are already raising questions about the ability of enforcement bodies to enforce broadly drafted “best interests” standards without more concrete best practices to interpret what that means in practice.
Finally, members on both sides of the aisle seem to agree that the current verifiable parental consent (VPC) regime under COPPA needs an overhaul, though the solution remains unclear. Some Democrats argue that VPC disproportionately burdens working-class families that do not have time to manage time-consuming consent paperwork, which has led them to question the viability of the notice and consent paradigm altogether and focus on data minimization standards. On the Republican side, members tend to be more open to innovating on the current VPC process, including by updating the outdated mechanisms for obtaining VPC, which still include things like faxing the covered entity or calling a toll-free number.
Watch this Space
While much remains in need of further clarification, it is very clear that children’s privacy is an area developers need to be attuned to in the coming months. As the President’s remarks and the rapid emergence of the Age Appropriate Design Codes in the UK and California attest, policymakers are hungry for solutions that they believe will elevate the standard of protection, and they are willing to upend traditional regulatory structures to do so.