Browse all articles

The Time Is Now for Comprehensive Federal Data Privacy Legislation

The American Data Privacy and Protection Act presents a historic opportunity to protect kids – and all of us – online, but it needs to be strengthened.

Woman sitting at a desk with a nameplate at the US Congress

In poll after poll, the overwhelming majority of voters from both sides of the aisle show their support for online privacy and holding social media firms accountable for the harm that occurs on their platforms. Congress must do its job. Until then, consumers are powerless to stop tech firms from collecting personal information. Common Sense has long maintained that online privacy is the first step toward reducing serious online harm for kids and teens.

As a single mom whose teen uses social media, this issue hits home.

I had the rare privilege of testifying before members of Congress at a hearing on "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security" to express Common Sense's views on data privacy and security. I testified about the American Data Privacy and Protection Act (ADPPA), a legislative proposal that lays the groundwork for achieving comprehensive data privacy at the federal level. It also provides strong online protections for children.

What this draft does to protect kids:

  • Requires companies to get permission before collecting, processing, or transferring "sensitive" data, acknowledging that certain data—such as children's data—is inherently entitled to greater protection;
  • Bans targeted advertising for children;
  • Gives individuals a right to sue for wrongdoing; and
  • Establishes a Youth Privacy & Marketing Division within the Federal Trade Commission.

Current law fails to provide kids with common sense protections

Children should be allowed to grow up—to go from tweens to teenagers to young adults—without worrying about a permanent record of typical youthful indiscretions or the collection of their every thought and "like." But they can't. By the time a child reaches 13, a single ad tech firm has compiled over 70 million data points on that child. And all that data leads kids to be routinely exposed to harmful content, ranging from disordered eating, substance abuse, sexual abuse content, and suicidal ideation to advertisements promoting illegal products.

In 1998, when Congress passed the Children's Online Privacy Protection Act (COPPA), kids didn't have the social media that they have today. Friendster did not come online until 2003, followed by Facebook in 2006, Instagram in 2010, and Snapchat in 2011. COPPA was seven years old before people shared videos online—YouTube did not launch until 2005—and 20 years passed before short-form videos exploded in popularity with TikTok's release in 2018. Nearly 25 years have passed since COPPA's enactment, and during this time, the exponential growth in computing power has allowed these social media companies and other firms to collect ever larger data sets containing millions of data points about individuals, leading us into the era of "Big Data."

During this 25-year span, Congress did not provide children with new online privacy protections. For years, civil society groups like Common Sense, along with parents and lawmakers, have tried to pressure tech companies to change their practices. Federal lawmakers' attempts at passing common sense legislation have come in fits and starts. Kids and teens, and their families, are fed up with waiting any longer.

This legislative proposal, which has bipartisan support in the House and the Senate, is not perfect; it is, however, a great start. But given how high the stakes are, there is a tough path ahead. And while this proposal contains much-needed consumer protections, there's room for improvement to better protect kids.

This is what we'd like to see added to the draft bill:

  • Cover all minors under the draft's privacy protections—not just children younger than 17;
  • Substantially increase funding and staff for the independent Federal Trade Commission, which already has 82 other laws to enforce and is notoriously underfunded for meeting its heavy responsibilities;
  • Clarify that all "third-party" targeted advertising to minors is banned;
  • Shorten the implementation time period that harmed consumers must wait before suing tech firms, and minimize the burden on them to obtain relief; and
  • Eliminate what is referred to as the "actual knowledge" standard required to hold tech firms liable for targeted advertising. Firms cannot tout their advertising reach to kids and claim that they did not know children use their sites.

We are gratified that leaders on both sides of the aisle agreed that children's data is entitled to the same heightened protections as other sensitive categories of data. This would ensure that parents and caregivers must "opt in" to allow targeted advertising to children, protecting kids and teens from things like "dark patterns" that are known to cause online harm to youth.

This is the year that Congress must ensure children, teens, and all consumers are finally treated with the respect they deserve for their online data. There is still time and still the political will to reach a data privacy agreement—this year. The perfect should not be the enemy of the good in this case. We know there is hard work ahead, and we are committed to working with leaders in Congress to help reach an agreement that includes strong protections for minors.

Jolina Cuaresma

Jo Cuaresma is senior counsel, privacy and tech policy, at Common Sense. She has a 20-year legal career spanning private practice, government, and academia. She works at the intersection of administrative law, technology, and consumer protection, and focuses on online privacy and emerging technologies. Additionally, she is an adjunct professor at the University of California Berkeley Law School, where she teaches a seminar on regulatory oversight. Jo is a single mom to a teenager and an aunt to 11 nieces and 13 nephews.