Re: National Taxpayers Union’s View on KOSA & COPPA 2.0
Dear Speaker Johnson, Minority Leader Jeffries, and Members of the U.S. House of Representatives:
On behalf of the National Taxpayers Union (NTU), the nation’s oldest taxpayer advocacy organization, I write to express our views on the Kids Online Safety Act (KOSA) and the amended Children and Teens’ Online Privacy Protection Act (COPPA 2.0). NTU applauds Congressional leaders for their continued efforts to advance legislation to promote online safety and privacy. However, given NTU’s numerous concerns outlined below, I urge you to oppose the two bills.
I. Summary
a) The Kids Online Safety Act (KOSA)
While Congressional efforts to protect online safety and privacy for young people are laudable, KOSA would significantly increase surveillance and privacy risks for all internet users.
We believe that KOSA rightly identifies a growing range of social and mental health challenges that American youth face today, including anxiety, depression, and substance use. A growing body of evidence suggests that these issues increasingly affect the youth in the United States and across the developed world, including many European countries. Some of these issues, like depression and substance use, are also on the rise in adult populations—suggesting a multifaceted, broader systemic challenge for the United States and beyond.
However, KOSA’s main problem is that it seeks to solve complex societal and mental health issues through technical solutions for online platforms and websites. We believe that no single technical solution can adequately address the complex challenges that increasingly affect youth in the United States and beyond. On the contrary, by holding online platforms and websites responsible for all sorts of societal ills, KOSA would provide an incentive to increase surveillance of users of all ages. While the legislation does not prescribe a specific age verification method, its language introduces a potential backdoor for regulators to mandate such a requirement later, which could exacerbate data privacy and security risks for all users.
b) The Amended Children and Teens’ Online Privacy Protection Act (COPPA 2.0)
Whereas KOSA proposes to create a new legal framework for online harm, COPPA 2.0 seeks to update COPPA, which was passed in 1998. While COPPA 2.0 might be less expansive than KOSA in scope, several of its proposals risk creating unintended consequences for online privacy and regulatory accountability while restricting access to many online platforms and services for American users aged 13 to 15. Finally, like KOSA, COPPA 2.0 would grant the Federal Trade Commission significant enforcement authority without establishing mechanisms to ensure regulatory neutrality and accountability.
II. KOSA’s Mandatory Age Verification Would Increase Surveillance and Privacy Risks for All Users
Unlike earlier drafts, the latest KOSA draft does not directly mandate age verification. Instead, it proposes a study to evaluate “the most technologically feasible methods and options for developing systems to verify age at the device or operating system level” (KOSA §9(a)). However, at a time when age verification systems are increasingly gaining popularity at the state level, the language of Section 9 potentially creates a backdoor through which regulators could implement an invasive age verification requirement. That is especially concerning considering that 18 states have already established age verification requirements for certain websites, several of which are currently subject to legal challenges in the respective state courts.
The bill’s sponsors, such as Senator Richard Blumenthal (D-CT), emphasize that KOSA “does not impose age verification requirements or require platforms to collect more data about users (government IDs or otherwise).” KOSA’s proponents might also highlight the growing availability of alternative forms of identity verification, including credit cards, cellphone registration, or facial age estimation techniques. Yet, these identification systems often carry privacy and security risks of their own, depending on how they are implemented. These age-verification methods would also apply to all users—not only those below the statutory minimum age.
Furthermore, even with less intrusive (and potentially less accurate) forms of identity verification, businesses have an incentive to minimize potential risks and costs by asking all users for government-issued identification. At a time when Congress has not established a federal privacy law and the misuse of sensitive private data and cyberattacks are increasingly common, the proposed legislation could add new vulnerabilities for the sensitive personal data of U.S. adults and youth—including biometric data, financial information, and social security numbers.
In this context, a comparison with minimum-age drinking might provide a helpful, albeit imperfect, frame of reference. The 1984 Federal Uniform Drinking Age Act established 21 as the minimum national drinking age in the United States. Similar to KOSA, this law’s provisions are intended to apply only to underage consumers, since it forbids serving alcohol to those under 21. However, drinking establishments must establish whether an individual is 21 or older by asking for a government-issued ID to avoid liability. Wanting to avoid penalties, bars often err on the side of caution, with the result that customers might be asked for identification even if they are well above the minimum drinking age. Consequently, although the law is intended to apply to those under 21, it also affects older adults, who must now carry identification to establish their age.
Unlike online platforms and websites, bars do not need sophisticated digital methods to verify someone’s identity, reducing any associated privacy and surveillance risks. In contrast, online platforms and websites would not only need to introduce potentially intrusive methods of identity verification, but they would also have an incentive to monitor user activity continuously and, in some cases, remove content or censor speech to avoid liability. Therefore, compared to the analog world, the cybersecurity and surveillance risks associated with age verification for online platforms are much higher—and they could easily affect all users, not just those under the statutory minimum age.
III. KOSA Defines “Harm” Too Broadly and Fails to Create Meaningful Checks for the Federal Trade Commission
Another problematic aspect of KOSA is that it defines “harm” and the risks of harm too broadly while giving the Federal Trade Commission (FTC) and state attorneys general extensive discretion in deciding how the law will be interpreted and enforced. If harm were defined more narrowly (e.g., terrorism-related content or “grooming”) in statute, the increased surveillance and censoring activities would apply in a more limited set of circumstances. However, the overly broad approach to defining harm in Sections 2 and 3—which includes relatively common issues like “anxiety,” “depression,” and “eating disorders” in certain instances—means that a significant portion of online activity could be monitored. As a result, the surveillance risks associated with KOSA are much higher than they would have been if harm was more narrowly defined.
These risks are especially pronounced due to the absence of comprehensive federal privacy legislation in the United States. As a result, U.S. residents often do not enjoy consistent privacy protections across sectoral and state boundaries—unlike their counterparts in the European Union, Canada, and Japan. Against this backdrop, it is unsurprising that civil liberties groups, such as the Electronic Frontier Foundation (EFF) and American Civil Liberties Union (ACLU), have warned about the surveillance and censorship risks that KOSA presents.
Likewise, KOSA would grant the FTC and state attorneys general significant authority in interpreting and enforcing the law without creating meaningful checks on their powers. The growing polarization of the political environment and politicization of erstwhile neutral regulatory agencies means legislation like KOSA could be used to pressure websites and suppress content that the government du jour deems harmful to minors—including social and political content that reflects the views of the other end of the political spectrum. In other words, an unscrupulous administration could use such legislation to restrict information on important but politically partisan topics—such as abortion, climate change, and gun rights—in certain contexts. That is why any online harm legislation should include a more precisely defined, narrower set of harms and mechanisms to ensure regulatory neutrality and accountability.
IV. COPPA 2.0 Risks Significantly Restricting Access to Online Spaces and Services for American Teens
Some of the broader concerns with KOSA also apply to COPPA 2.0. For example, like KOSA, COPPA 2.0 would grant the FTC significant enforcement authority without establishing meaningful checks to ensure the Commission’s political neutrality and accountability. Unlike earlier KOSA drafts, COPPA 2.0 does not propose possible age-verification methods, nor does it propose a study to compare technologically feasible options to do so. However, the legislation mandates that the basis for establishing liability for online platforms be changed from the “actual” knowledge standard to the “fairly implied” knowledge standard. While it is unclear whether that will necessitate companies to establish age verification processes formally, it would require them to collect more personal data—increasing compliance costs for companies and enhancing potential privacy risks for users.
Finally, if passed, COPPA 2.0 could significantly curtail U.S. teens’ access to numerous platforms and websites. Whereas the current COPPA obligations apply only to individuals under 13, obligations under COPPA 2.0 would apply to users aged 13 to 16, in addition to those under 13. Several organizations, such as the Information Technology and Innovation Foundation (ITIF), point out that, in response to current COPPA rules, many online platforms and websites currently do not allow users under 13. If these obligations also apply to users aged 13 to 16 under COPPA 2.0, many platforms and websites might respond by banning American users under 17 from their platforms altogether. Likewise, certain companies might refuse to provide services to those users. Ultimately, for many platforms, COPPA 2.0-related compliance costs could easily outweigh any additional revenue gained from serving a relatively limited demographic group.
Such a development could easily restrict U.S. teens’ access to online spaces, while their European and Asian counterparts could continue to enjoy such access without significant restrictions. Furthermore, since teens in lower-income households with parents who do not have university degrees might rely more heavily on online platforms for educational and extracurricular opportunities, restricted access to those sources could disproportionately affect teens from less affluent households without university-educated parents.
V. Conclusion
While the government must develop policies to improve youth online safety and address the broader social and mental health challenges that the bills’ sponsors correctly identify, KOSA and COPPA 2.0 are not the answer. Members of the House of Representatives must recognize the unintended consequences that the two proposed laws would introduce for individuals of all ages. For the reasons outlined in this letter, our organization stands in opposition to KOSA and COPPA 2.0, and we urge you to oppose the bills in their current form.
The National Taxpayers Union appreciates Congress’ consideration of our views on this important issue, and we stand ready to work with you as you consider the best ways to improve online safety and privacy.
Sincerely,
Ryan Nabil
Director of Technology Policy and Senior Fellow
National Taxpayers Union
122 C St NW
Washington, DC 20001