Last week, the National Taxpayers Union submitted a letter to the U.S. Senate highlighting the likely unintended consequences of two Congressional privacy bills: the Kids Online Safety Act (KOSA) and the Amended Children and Teens Online Privacy Protection Act (COPPA 2.0). Although the two pieces of legislation are frequently grouped together, they present overlapping, but distinct, sets of policy challenges. Whereas KOSA would create new surveillance and privacy risks, COPPA 2.0 could significantly restrict American youths’ access to many internet platforms and websites compared to their international counterparts.
A previous blog post explains several problematic aspects of KOSA, which is arguably the more expansive and problematic of the two bills. By creating incentives for the private sector to increase online surveillance, KOSA would exacerbate privacy and cybersecurity risks at a time when more Americans are increasingly concerned about data misuse. Likewise, KOSA’s overly broad and vague definition of “harm”—combined with granting regulators unchecked powers to define and enforce the law—raises the possibility that a less scrupulous administration might seek to use the law to restrict information on important but politically partisan topics.
Whereas KOSA proposes to create a new legal framework, COPPA 2.0 seeks to update an existing law, the 1998 Children’s Online Privacy Protection Act (COPPA). Although COPPA 2.0 might be less expansive than KOSA, it also risks creating harmful unintended consequences for online privacy and regulatory accountability while restricting access to many online platforms and services for American teens.
Some of the broader concerns with KOSA also apply to COPPA 2.0. For example, like KOSA, COPPA 2.0 would grant the Federal Trade Commission enforcement authority without establishing adequate mechanisms to ensure the Commission’s political neutrality and accountability—despite the Commission’s recent record of regulatory activism and increasingly doctrinaire approach to competition policy. Unlike earlier KOSA drafts, COPPA 2.0 does not include age-verification requirements, nor does it recommend a study to evaluate technologically feasible methods for age verification.
However, a major concern with COPPA 2.0 is that it proposes changing the basis for establishing liability for online platforms from the “actual” knowledge standard to the “fairly implied” knowledge standard, as outlined in COPPA 2.0 § 2(b). While it is unclear whether that will require companies to establish age verification processes formally, it could nonetheless oblige them to collect more personal data on their users.
Under an optimistic scenario, such requirements could significantly increase COPPA-related compliance costs. Amongst possible worst-case scenarios, such provisions could compel companies to require identification verification for all customers in the form of government-issued identification, credit card information, or biometric data. Depending on how such information is collected, processed, and stored, that could easily create new surveillance risks from unscrupulous companies, enterprising criminals, and nefarious government actors alike, both domestic and foreign.
Finally, if passed, COPPA 2.0 could significantly curtail U.S. teens’ access to numerous platforms and websites. Whereas the current COPPA obligations apply only to individuals under 13, obligations under COPPA 2.0 would apply to users aged 13 to 16, in addition to those under 13. Several organizations, such as the Information Technology and Innovation Foundation (ITIF), point out that, in response to current COPPA rules, many online platforms and websites currently do not allow users under 13.
If COPPA 2.0 extends the current COPPA obligations to users aged 13 to 16, these platforms and websites might simply respond by banning all U.S. users under 17 from their platforms. Similarly, certain companies might refuse to provide services to such users. Ultimately, for many companies, COPPA 2.0-related compliance costs could easily outweigh any additional revenue gained from serving a relatively limited demographic group.
Such a development could easily restrict U.S. teens’ access to online spaces, while their European and Asian counterparts could continue to enjoy such access without any significant restrictions. Furthermore, since teens in lower-income households with parents who do not have university degrees might rely more heavily on online platforms for educational and extracurricular opportunities, restricted access to those sources could disproportionately affect teens from less affluent households without university-educated parents.
While the U.S. government must develop policies to improve youth online safety and address the broader societal and mental health challenges that the two bills’ sponsors correctly identify, KOSA and COPPA 2.0 are not the answer. Due to the significant risks that the two bills pose to the online freedoms and data protection of individuals of all ages, the National Taxpayers Union opposes both bills and urges U.S. lawmakers to oppose them in their current form.