Last week, U.S. Rep. Kathy Castor, D-Fla., brought back a proposal to “update the Children’s Online Privacy Protection Act (COPPA) with safeguards to keep children and teenagers safe online and hold Big Tech companies who surveil and target children accountable” and which will “build on COPPA’s strengths and expand privacy protections for children and teenagers as well as directives to operators to make the best interests of children and teenagers a primary design consideration.”
Castor reintroduced the “Protecting the Information of our Vulnerable Adolescents, Children and Youth (Kids PRIVACY) Act.”
“Children are spending more time online than ever before, and it’s time that Congress address the evolving online landscape, especially the tracking and data gathering that has vastly outpaced online privacy protections for kids,” said Castor. “I’m proud to reintroduce my Kids PRIVACY Act, endorsed by parents, safety advocates and pediatricians to update COPPA, protect children online, and hold Big Tech accountable. Parents and families deserve a 21st century privacy law that can contend with a 21st century internet. Companies continue to knowingly target kids, and it is past time they are penalized for violating privacy protections. Let’s come to the table, Democrats and Republicans, to strengthen protections for our youngest neighbors and bring these safeguards into modern day.”
Fairplay, Common Sense Media, Center for Digital Democracy, Network for Public Education, Media Alliance, Dr. Ellen Wartella, Sheikh Hamad bin Khalifa Al-Thani, Professor of Communication at Northwestern University, XR Safety Initiative, Woodrow Hartzog, Professor, of Law Boston University School of Law, Parent’s Television and Media Council, Consumer Federation of America, American Psychological Association, Stop Predatory Gambling & Campaign for Gambling-Free Kids, National Center for Missing & Exploited Children, Serge Egelman, Research Director of the Usable Security & Privacy Group at the International Computer Science Institute (ICSI) at University of California, Berkeley, Parent Coalition for Student Privacy, Accountable Tech, American Academy of Pediatrics, Electronic Privacy Information Center, and The Eating Disorders Coalition for Research, Policy, & Action are all backing the proposal.
According to Castor’s office, the bill “specifically strengthens privacy protections for children and teenagers by” doing the following:
Banning Companies from Providing Targeted Advertisements to Children and Teenagers: Prohibits companies from targeting children and teenagers based on their personal information and behavior.
Best Interests of Children and Teenagers: Requires an operator to make the best interests of children and teenagers a primary design consideration when designing its service.
Requiring Opt-In Consent for all Individuals Under 18: Companies must obtain specific, informed, and unambiguous opt-in consent before collecting, retaining, selling, sharing, or using a young consumer or child’s personal information.
Creating a Right to Access, Correct, and Delete Personal Information: Companies must provide individuals the opportunity to access, correct, or delete their personal information at any time.
Protecting Additional Types of Information: Expands the type of information explicitly covered to include physical characteristics, biometric information, health information, education information, contents of messages and calls, browsing and search history, geolocation information, and latent audio or visual recordings.
Requiring User-Friendly Privacy Policies: Companies must make publicly available privacy policies that are clear, easily understood, and written in plain and concise language.
Creating a Protected Class of “Teenagers” Ages 13-17: For the first time in statute, the bill provides protection for teenagers 13-17, allowing them to control who collects their personal information and what companies can do with it.
Expands Coverage of Companies: Applies to all sites likely to be accessed by children and teens, not just child-directed services.
Limiting Disclosure to Third Parties: The bill prohibits companies from sharing personal information without consent. Furthermore, it creates additional duties companies must comply with before disclosing any personal information with third parties.
Requiring Reasonable Data Security Policies, Practices, and Procedures: Requires companies to have a written security policy, point of contact for information security management and processes to identify, assess, and mitigate vulnerabilities.
Prohibiting Industry Self-Regulation: Repeals dangerous safe harbor provision that allow for lax enforcement and rubberstamping of potentially unlawful practices.
Strengthening FTC Enforcement: Raises the maximum allowable civil penalty per violation by 50 percent and allows the FTC to pursue punitive damages. Also establishes a Youth Privacy and Marketing Division at the FTC.
Providing for Parental Enforcement: Parents will be able to bring civil actions to help enforce the bill and any resulting regulations.
Banning Forced Arbitration: In a much-needed reversal of current law, companies will no longer be able force their consumers to waive their right to sue.
So far, there are no House co-sponsors and no companion measure over in the U.S. Senate. Castor’s bill was sent to the U.S. House Energy and Commerce Committee.
