On July 30, 2024, in a 91-3 vote, the U.S. Senate passed the bill for the Kids Online Safety and Privacy Act (the “Bill”). The Bill, which combines the bills for the Kids Online Safety Act (“KOSA”) and the Children and Teens’ Online Privacy Protection Act (“CTOPPA”), aims to expand online safety and privacy protections for individuals under the age of 17 (“minors”).
Kids Online Safety Act
KOSA is a minors’ online safety law that would create an affirmative “duty of care” for “an online platform, online video game, messaging application, or video streaming service that connects to the internet and that is used, or is reasonably likely to be used, by a minor” under the age of 17 (“covered platform”). The duty of care implicates an obligation to take reasonable measures to mitigate certain harms to minors, including (1) certain mental health disorders; (2) physical violence, online bullying, and harassment; (3) sexual exploitation and abuse; and (4) financial harms.
Among other obligations, KOSA also would require a covered platform to offer tools for minors and their parents to configure privacy- and safety-protective features, provide parents with tools to manage minors’ use of the platform, and provide a reporting channel to alert the platform of harms to minors. Additionally, a covered platform would be subject to disclosure requirements, including an obligation to notify a known minor of the platform’s policies and practices with respect to safeguards for minors, and be required to obtain verifiable parental consent before an individual the platform knows to be under the age of 13 initially uses the platform. A covered platform with more than 10 million active monthly users must issue an annual public report describing “reasonably foreseeable risks of harms to minors” and assessing the mitigation measures to prevent those risks, based on an independently and reasonably conducted third-party audit of the platform.
Children and Teens’ Online Privacy Protection Act
CTOPPA seeks to modernize the Children’s Online Privacy Protection Act (“COPPA”) by expanding COPPA’s online privacy protections for children under the age of 13 to “teens” between the ages of 13 and 16. Under CTOPPA, covered operators of online services must obtain teens’ verifiable consent before collecting their personal information, comparable to COPPA’s requirement to obtain verifiable parental consent for collecting personal information from children under the age of 13. Similarly, teens would have the rights under CTOPPA to (1) obtain a description of specific types of personal information collected from them; (2) have a reasonable means to obtain personal information collected from them; and (3) object to covered operators’ further use or future collection of personal information from them, which are the rights COPPA provides to parents about personal information collected from their children.
CTOPPA also would create new rights that teens and parents (on behalf of their children) may exercise, which are the rights to delete minors’ personal information and update minors’ personal information that is incorrect. CTOPPA further proposes (1) a total ban on “individual-specific advertising” to minors; (2) data minimization requirements to only collect and retain personal information to the extent necessary to fulfill a transaction or provide a product or service, or as required or specifically authorized by applicable law; and (3) a prohibition on storing or transferring personal information of teens or children outside the U.S. without providing direct notice to teens or parents, respectively.
The Bill, which is currently before the U.S. House of Representatives, shows increasing momentum for federal children’s online privacy and safety legislation. President Biden also published a statement shortly after the Senate’s vote “encourag[ing] the House to send the [Bill] to [his] desk for signature without delay.” Whether the House will pass the measure remains unclear, with various industry groups, civil rights advocates, and other interested parties voicing concerns over the Bill’s likely sweeping effects and potential First Amendment issues. The House has already adjourned for the annual August recess, and consideration of the Bill will not occur until after the session resumes in September.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor the development of the Bill and provide updates as they become available.