Several bills have been proposed in the U.S. Congress and state legislatures with the goal of strengthening children’s privacy online and protecting minors from invasive advertising and inappropriate content. Here we will examine two important federal bills and two key state laws and where they stand at the end of 2022.
The Kids Online Safety Act or KOSA was originally introduced in February 2022 by U.S. Senators Blumenthal (D-CT) and Blackburn (R-TN). The goal of the bill was to protect minors from harassment, exploitation and mental health trauma online by establishing a “duty of care” responsibility surrounding content that was likely to be accessed by those aged 17 and younger. KOSA is also being heralded as a much-needed update to the Children’s Online Privacy Protection Act (COPPA), which was enacted back in 1998.
In November, 90 LGBTQ+ and human rights advocacy groups announced their opposition to the bill in its current form, citing limitations on access to information that could provide support, help and critical information to vulnerable young people.
Some legislators pushed to include KOSA in the government funding omnibus bill, but Democratic leadership had objections. The bill will not be included in the end-of-the-year government funding omnibus bill and will have to be reintroduced next Congress.
Children and Teen’s Online Privacy Protection Act (CTOPPA or “COPPA 2.0”)
The Children and Teen’s Online Privacy Protection Act was introduced in July 2022 by Sens. Markey (D-MA) and Cassidy (R-LA). The bill seeks to amend the current COPPA law by revising the requirements under the rule, including modifying COPPA’s actual knowledge standard to a constructive knowledge standard, raising the age of consent for data collection to 15 from 12 and creating a new division to enforce children’s privacy protections within the U.S. Federal Trade Commission.
According to the released text of the bill, the legislation would prohibit an operator of a website, online service, online application, or mobile application directed to a child or minor with constructive knowledge the user is a child or minor from collecting the user's personal information without:
providing notice and obtaining consent,
providing a parent or minor with certain information upon request,
conditioning participation by a user on the provision of personal information, and
establishing and maintaining reasonable procedures to protect the personal information collected from users.
The bill was also under consideration to be included in the end-of-the-year government funding omnibus bill but has been removed from the final legislation, like KOSA, and will have to be reintroduced next Congress.
In September 2022, New York state senator Andrew Gournades proposed the New York Child Data and Privacy Protection Act, similar to the Age Appropriate Design Code passed in California. The bill would ban certain types of data collection and targeted advertising and requires companies acquiring consumer data to assess their products’ impact on children. The bill would also require companies to submit a data protection impact assessment before their product went public.
The legislation is still currently under committee consideration in the New York State Legislature.
Pixalate will continue to monitor legislation that will affect online privacy both in the U.S. and internationally and provide periodic updates for the industry.
Disclaimer: The content of this page reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC,
“'Fraud' is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other
legal proceedings, but rather a custom definition strictly for advertising measurement purposes. Also per the MRC,
“‘Invalid Traffic’ is defined generally as traffic
that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts.
Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”