Frustrated advocates are saying that Congress is falling down on the job by declining to enact the Kids Online Safety Act (KOSA, S. 1409) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0, S. 1418). One Wired article summarizes the legislative process those bills traversed and cites harms accruing to kids on social media to support its conclusion that Congress’ job is to pass KOSA and COPPA 2.0. “Why hasn’t Congress protected kids yet?” the author asks unironically. The problem with this view is two-fold. First, it ignores that comprehensive privacy reform more effectively addresses kids’ privacy issues than a standalone extension of COPPA would; and second, it also fails to account for the fact that KOSA and state-level policies like it rest on disputed legal grounds, would undermine efforts to secure kids’ privacy, and would be especially difficult to implement.
Proponents of KOSA and COPPA 2.0 do not appear to argue with the relative benefits of comprehensive privacy reform, as compared to narrower reforms aimed only at children and teens. For example, Common Sense Media noted that the comprehensive privacy bill being debated last Congress, the American Data Privacy and Protection Act (ADPPA), was, “stronger than current federal law” and “stronger than California law.” The organization also said, “now is the time, once and for all, for Congress to come together to pass a strong national data privacy and security bill.”
Ultimately, digital markets are such a dynamic space that doubling down on age-specific privacy requirements and restrictions—while leaving federal law that applies to adults untouched—is increasingly unwieldy. This problem is especially pronounced where proposals would apply to teens. Those measures would exacerbate a regime that piles on restrictions, protections, and red tape for parents and dependents to navigate, which suddenly drops off at the age of 18. Digital privacy—highly dependent shifting contexts and consumer expectations—does not fit a regime with age as the primary touchstone nearly as well as comprehensive updates that feature limits on collection and processing, with a flexible approach based on risk. Congress should build future comprehensive bills on those foundations and work toward more workable data minimization and algorithm provisions, strong preemption, and stricter limits on enforcement. More fundamentally, mandates that require more additional data collection to verify or assure the age of specific consumers necessarily impact people over the age limit of a KOSA or COPPA 2.0. Thus, privacy protections applying to all ages are an important complement to any updates to child privacy or online safety laws.
There is certainly a shared interest in enacting new laws to protect only kids, and to protect Americans of all ages. However, suggestions that kids-only bills are a better path because comprehensive reform is “gridlocked to death” are misplaced. There is no evidence to support the view that kids-only efforts are somehow more likely to pass than comprehensive reform. In no way does Majority Leader Schumer appear ready to forego comprehensive reform in favor of kids-only bills, noting instead that there is consensus that “we need some kind of privacy law.” Even if a House member were to introduce a KOSA companion, it faces a rough road ahead, as its foundations are especially new, untested, and inherently in tension with privacy.
Instead of demonstrating that Congress failed its responsibilities in bypassing KOSA and COPPA 2.0, evaluators have surfaced a renewed interest in comprehensive reform. Between the lines of the Wired article, two new pieces of evidence that comprehensive reform is less “gridlocked to death” than kids-only bills emerged: first, Senate leaders’ stated desire to enact comprehensive reform even as kids-only bills are in the mix; and second, there is down-dais support for House Energy and Commerce Chair McMorris Rodgers’ efforts, which are focused on comprehensive reform that includes kids’ privacy updates, more so than kids-only bills. If we have learned anything from Majority Leader Schumer’s artificial intelligence (AI) ‘Insight Forum’ series and recent AI hearings across Capitol Hill, it is that business groups, civil society, academics, and more or less a consensus of participating stakeholders agree that comprehensive data privacy reform must happen now. The consensus is so clear that it would be a missed opportunity for President Biden not to highlight how essential comprehensive reform is in his next State of the Union address.
ADPPA required Committee members to take tough votes on hard-fought tradeoffs last Congress, and many of the interests helping push a compromise product forward, including ACT | The the App Association, still want changes to it. Thus, the statements of support for Committee leadership on the House side are significant. Coupled with the commitments to work on comprehensive reform from Senate leaders, they are the best signs in over a year that a comprehensive bill has a better path than kids-only reform.