Federal Privacy Bill Sets Up Confusion Over Using Kids’ Data

A federal privacy bill reshaping decades-old standards for how companies treat the data of minors would force companies to take a more holistic approach to their compliance programs.

The measure, called the “American Privacy Rights Act” or “APRA,” was approved by a House subcommitee Thursday. APRA combines proposed updates to the Children’s Online Privacy Protection Act and a comprehensive privacy bill discussion draft, in a recalibration of Congress’s recent focus on children’s privacy.

If the bill becomes law, practitioners and privacy professionals will have to consider how kids and teens’ privacy fits into their comprehensive consumer privacy programs, rather than standalone COPPA protections, said Sara Kloek, vice president for education and children’s policy for the Software & Information Industry Association.

Specific mandates in the bill would require companies to treat all data collected from or about minors as “sensitive,” which would trigger consent requirements before collectors could share data with third parties. Determining which data belong to a covered minor while complying with part of the measure which requires companies to collect only the data necessary to provide services, could prove difficult, said Bailey Sanchez, senior counsel with the Future of Privacy Forum.

“As far as compliance goes it opens up whole new problem for age information and age assurance,” said Amy Lawrence, chief privacy offer and head of legal at SuperAwesome Inc., a marketing platform targeting youth audiences. “How do you deal with a strict bar of processing a minor’s IP address? You would have to know everyone’s age.”

The 1998 Children’s Online Privacy Protection Act made the data of children under 13 one of the few protected classes of personal data in the United States. The new proposal, approved by the House Energy and Commerce Subcommittee on Innovation, Data, and Commerce, includes some—but not all—of the changes in “COPPA 2.0,” a separate draft bill to update the 26-year-old statute.

The bill leaves out other aspects of the standalone COPPA 2.0 proposal, like raising the age for parental consent and enforcement provisions. The legislation remains in its procedural infancy and likely to evolve after feedback, including from companies ultimately tasked with enforcing the bill if it becomes law, said Chair Cathy McMorris Rodgers (R-Wash.).

Compliance & Enforcement

Attorneys also pointed to compliance challenges posed by language in the bill that’s unclear. For example, while it would expand COPPA to cover data collected “about” a minor, not just from them, it doesn’t define what that includes.

“There’s a lot of stuff that’s about a kid that might not be collected from them,” SIIA’s Kloek said, adding it would be difficult to build a compliance program without more specifics. Kloek speculated the ''about’’ data could include a child’s photo posted by a parent.

SIIA in a statement called for further clarification from Congress about how it defines contextual advertising and first-party data.

The measure also takes a major swing at how companies advertise to kids online. It bans targeted advertising at children younger than 17. The limitations on sensitive data could also serve as a de-facto ban on contextual advertising—ads targeted based on the content displayed on the page.

“Everybody trying to do contextual advertising in the kids space —This will impact them dramatically,” said Lawrence.

The lack of a knowledge standard in the bill could also raise uncertainty for companies. The bill’s vagueries could raise questions about liability in situations when companies don’t know if a user is a minor. Websites could be incentivized to produce more invasive forms of age verification in the spirit of compliance, said SuperAwesome’s Lawrence.

“APRA doesn’t do a great job of setting out a knowledge standard for a covered minor. Now it’s just anything directed to a child—which it creates the back and forth of what is considered as directed to a child,” Lawrence said. “I guess the FTC has to tell us.”

That dynamic isn’t new, Sanchez said. “Figuring out what obligations you want to put on companies to know the age of users has been a challenge for lawmakers over the past couple years.”

The FTC, which already enforces existing children’s privacy rules, would take the lead on enforcing APRA, alongside state attorneys general.

The bill leans into the FTC’s role, adopting in places restrictions that mirror agency enforcement actions, said Kloek. One provision would bar education technology providers from using data collected from minors for non-educational, commercial purposes, matching the FTC’s settlement with edtech firm Edmodo. For its part, the FTC expressed a desire to codify restrictions during its most recent rulemaking to update its COPPA rule. A final rule is expected in the coming months.

APRA also takes aim at growing concerns with the potential harms of algorithm-driven platforms to children. Lawmakers say that kids will benefit from requiring stricter requirements, including impact assessments, for covered algorithms. That could put it at odds with state efforts to rein in harmful design practices. While many states have contextualized those efforts as consumer protections rather than privacy laws—which could exempt them from APRA’s preemption as laws outside of “comprehensive privacy” legislation—experts say it’s unclear what lawmakers’ intentions are.

“There are open questions as to whether it would preempt the design codes,” said Sanchez. “This is about data. Design codes go broader than that.”