Improving COPPA: A Road Map for Protecting Kids' Privacy in 2020 and Beyond

We're only a few weeks into the new decade, and kids' privacy protections are already in focus for families and policymakers. Following a year where regulators started putting companies on notice, with YouTube and TikTok paying fines and the FTC announcing a rule review of the 1999 Children's Online Privacy Protection Act (COPPA), we are seeing lawmakers in Congress renew efforts to strengthen laws that hold companies accountable.

Just this month, in addition to a new "age-appropriate" design code in the U.K., two new COPPA updates have been introduced in Congress: Representative Kathy Castor's (D-Fla.) Protecting the Information of our Vulnerable Children and Youth (PRIVCY) Act, unveiled today, and Representatives Bobby Rush (R-Ill.) and Tim Walberg's (R-Mich.) Preventing Real Online Threats Endangering Children Today (PROTECT) Act, introduced January 9. On the Senate side, Senator Ed Markey (D-Mass.) -- a longtime kids' champion -- has offered updates almost every session. His current bill, COPPA 2.0, was co-authored with Senator Josh Hawley (R-Mo.) and introduced last spring. 

These bills all recognize the unique vulnerability of children and teens, but offer widely varying levels of protections. On a handful of key metrics, it is clear that two provide a better model:

• Expanding protections to teens: The Castor bill leads the way here, offering teens up to the age of 18 special protections and requiring that companies get opt-in consent before data collection, use, and sharing. Markey/Hawley is another strong option, providing these rights to kids up to age 16. While Rush/Walberg does offer special protections to kids under age 16, it extends parental consent to kids age 15 and under, meaning teens are treated no differently than 8-year-olds. 
• Preventing companies from pretending that kids aren't on their sites: Both the Markey/Hawley and Castor bills address a critical shortcoming in COPPA: sites that look the other way when kids are using them. By changing COPPA's strictly interpreted "actual knowledge" standard to "constructive knowledge" -- so a service is liable if it knew or should reasonably have known it was collecting children's info -- the bills would have made it much more difficult for apps and social media platforms like TikTok to claim for years that they didn't have children on their sites. In contrast, the Rush/Walberg bill does not improve the standard, instead only directing that the FTC conduct a study on the issue. With rules from the California Consumer Privacy Act to the U.K.'s Age Appropriate Design Code all making it harder for companies to ignore the obligations that come with having kids on their sites, the world seems past a study at this point.
• Stopping behavioral tracking and targeting of kids: Both Castor and Markey/Hawley flat-out prohibit behavioral ads (ads targeted to a child based on that child's personal information) for kids under 13. For teens, consent is required. This is important, because right now if parents provide consent, companies understand themselves to have free reign to target ads and do whatever other data processing or sharing they want on kids. (COPPA arguably prohibits some of this, but that aspect of the law has not been enforced.) The Rush/Walberg bill is silent on behavioral ad targeting, leaving a problematic status quo in place. 
• Ensuring all personal information is protected: All of the bills would update the definition of personal information, adding, for example, geolocation and biometrics to the types of information that is protected. But only Markey/Hawley and Castor address the full range of information collected from young people, including audio, video, online browsing, and IP addresses. Arguably, by leaving out pieces of information already included by the FTC, Rush/Walberg's bill may even be narrowing the definition of what is protected. Given the growing popularity of connected devices that collect all manner of sensitive audio and video recordings in homes, and kids' constant tracking online, this would move in the wrong direction.
• IoT protections: Connected devices pose unique risks and challenges, and the Markey/Hawley bill offers the most protections here, adding security requirements and a "privacy dashboard" notice enabling families to make smart, safe choices in selecting products. Castor, too, recognizes the need to protect information associated with devices, and explicitly makes this information protected. The Rush/Walberg bill limits protections to mobile applications on "portable computing devices" that communicate over wireless. 
• Meaningful enforcement: Both Castor and Markey/Hawley provide needed support for stronger enforcement. The Markey/Hawley bill would create a new youth-focused division at the FTC. The Castor bill would increase civil penalties and enable parents to enforce their rights. The Rush/Walberg bill would do neither.

These proposals come at a time of rightful scrutiny of how kids are protected online, and Common Sense welcomes an ongoing discussion about children and teen's privacy. We all need a safer, more secure internet, and if we're going to start somewhere, it should be with kids.