On July 30, the United States passed the Kids Online Safety Act (“KOSA”) and Children and Teens' Online Privacy Protection Act (COPPA 2.0), marking a significant shift in the regulatory approach towards tech companies in protecting children's privacy.
Kids Online Safety Act (“KOSA”)
KOSA was initially proposed by Senators Richard Blumenthal and Marsha Blackburn in 2022 but failed to pass after considerable controversy. On May 2, 2023, the senators reintroduced the bill, which the Senate Committee on Commerce, Science, and Transportation reviewed. After multiple discussions and revisions, KOSA was scheduled for a Senate legislative session on December 13, 2023, and was finally passed on July 30 with an overwhelming majority of 91 to 3 votes.
KOSA introduces a "duty of care" for online platforms, requiring them to implement measures to protect minors from harmful content, such as content that may lead to anxiety, depression, or compulsive behavior. The bill includes stronger parental controls and greater transparency regarding platform algorithms. It also mandates platforms to conduct annual risk assessments and establish the safest default privacy settings for users under 17.
The bill stipulates that any platform must provide prominent, clear, and understandable notifications to minors before they register or consume content. These notifications must include: the platform’s policies and practices for protecting minors; how to obtain information about these protections; and whether the platform offers or uses any products, services, or design features that may increase risks, such as personalized recommendation systems.
Additionally, KOSA imposes reporting obligations on platforms. Specifically, platforms with an average monthly active user count over 10 million in the past calendar year and primarily offering community forums or user-generated content and discussion services must submit reports required by the bill. These reports must outline potential risks to minors and include audit results from independent third parties to assess the platform’s preventive and mitigating measures.
COPPA 2.0
COPPA, passed in 1998 when smartphones and social media were not yet prevalent, requires websites and online services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. It also mandates these services to publish detailed privacy policies, disclose data collection methods, and ensure parental rights to review and delete their children's personal information. The bill grants the Federal Trade Commission (FTC) oversight and enforcement authority to address challenges posed by the internet's development. With rapid technological advancements and the growing prominence of the internet, COPPA 2.0 updates aim to provide more comprehensive protection for teens in the current technological environment.
COPPA 2.0 updates include: first, raising the age limit for protected minors from 13 to 17, prohibiting companies from collecting personal information from these users or their parents without consent; second, expanding the definition of "personal information" to include biometric data such as fingerprints, voiceprints, and facial images; and third, addressing a gap in the original COPPA to prevent companies from tracking users while claiming ignorance of their minor status.
Although these bills have passed the Senate, there may be adjustments to specific details due to significant disagreements among tech and interest groups. The next step is for these bills to be submitted to the House of Representatives for approval, which will occur after lawmakers return from recess on September 9.
Since the enactment of COPPA in 1998, the FTC has focused on enforcing the law through actions to protect children's privacy. Notable cases include a $170 million fine against Google in 2019 for collecting personal information from children under 13 without consent, and a recent investigation and fine against TikTok by the FTC for similar reasons. These cases reflect the emphasis U.S. regulators place on protecting children's privacy. The new bills, which extend the age range of protected minors from 13 to 17, indicate a move towards more comprehensive and stringent privacy protection. We will closely monitor these regulations and enforcement trends to assist businesses in designing and operating digital products and online services that fully comply with children's privacy protection requirements, helping them avoid legal risks and build a responsible and trustworthy market presence.
Kaamel will continue to track the latest developments in these bills and provide updates on privacy protection information and trends. Stay tuned for more information on privacy protection!
