California’s Kids Code Complicates Federal Privacy Bill Talks

California’s trailblazing law directing online services like Instagram and TikTok to protect children’s privacy is likely to complicate the path forward for a federal bill safeguarding consumer data.

The new law, enacted last week, adds to California’s lead over national efforts to adopt an overarching privacy law, though it may push the US Congress to act on kid-focused measures so standards are uniform across states.

“California has leapfrogged over any federal effort,” said Phyllis Marcus, a partner at Hunton Andrews Kurth LLC who previously led children’s privacy enforcement at the Federal Trade Commission.

The state was the first in the US to adopt a comprehensive consumer privacy law in 2018, with updates applied more recently. Now it’s the first to add directives for how social media platforms, video games, and other online services must design their products with children and teens in mind. This collection of privacy laws is adding to California lawmakers’ contention that a federal bill shouldn’t override their state’s laws.

“As California continues to add strong privacy policies like this one, it becomes all the more imperative that we ensure that federal privacy legislation does not undermine decades of progress made in our state,” Rep. Anna Eshoo (D-Calif.), a member of the House panel responsible for consumer privacy, said in a statement.

Read more: California Adopts First-in-Nation Safeguards for Kids Online

California’s state capitol building in Sacramento on July 17, 2022. Gov. Gavin Newsom (D) recently signed into law new requirements for TikTok, Instagram, and YouTube to step up their privacy and safety protections for children and teens.

Photo: Myung J. Chun/Los Angeles Times via Getty Images

Progress on House lawmakers’ bipartisan federal privacy bill (H.R. 8152) has stalled over concerns about preemption of state laws and enforcement-related issues.

California lawmakers are “understandably apprehensive” about a federal law undermining their state measures, which may make it harder to advance a comprehensive bill and force further negotiations, according to Josh Golin, executive director of Fairplay, a kids’ advocacy group.

Pressing on Federal Bill

Despite the hurdles, the House bill’s backers are pressing ahead as the legislative calendar dwindles.

Bill sponsor and Energy and Commerce Chair Frank Pallone (D-N.J.) views California’s law as further evidence Congress must pass a strong privacy bill that protects all Americans, a spokesperson for committee Democrats said.

A spokesperson for Republicans on the Energy and Commerce Committee also said the House bill is needed, adding that California shouldn’t dictate security standards for the rest of the country.

Pallone and Rep. Jan Schakowsky (D-Ill.), who leads the panel’s Consumer Protection and Commerce Subcommittee, are working to secure a meeting with House Speaker Nancy Pelosi (D-Calif.) to discuss the bill’s path forward, Schakowsky said last week.

Kids’ Bills

California’s new law could have a very different effect on several children’s privacy bills pending in the US Senate, neither of which would preempt state rules. When combined, they would be similar in strength to California’s law, Golin said.

California’s law is “a huge win and we need more,” kids advocacy group CommonSense founder Jim Steyer said.

“This should be a big spur to several of the major federal bills,” he added in reference to committee-approved bills that would require safeguards to control minors’ experience on platforms (S. 3663) and update an existing federal children’s privacy law (the Children’s Online Privacy Protection Act, or COPPA) to make the handling of kids’ data safer (S. 1628).

Sen. Ed Markey (D-Mass.), sponsor of S. 1628, said after the California law’s enactment there is “more momentum than ever to pass bipartisan federal legislation with real solutions to the threats facing young people in today’s online gauntlet of privacy threats.”

Markey’s bill is similar to California’s law, which would restrict how companies can use children’s data. His bill would prohibit companies from collecting a minor’s personal information without providing notice and obtaining consent.

Read more: FTC’s Bedoya Calls for Congress to Update Kids’ Privacy Law

Following the Rules

While members of Congress hash out thorny issues around federal privacy protections, companies are left with uncertainty about how to mesh California’s law with COPPA, the federal law governing the data of children under age 13. Markey’s bill would extend the law to children under 17, while California’s new law targets online services likely to be accessed by children under age 18.

California’s policy also broadens the scope of companies subject to compliance requirements and raises questions about how to check user ages online.

“It’s the big unanswered question of how any of this will work in practice,” said Christine Lyon, a Silicon Valley-based partner at Freshfields Bruckhaus Deringer LLP.

Companies often use age gates that ask a user to enter their birthday before entering a site or app, though children can lie to gain access. Efforts to verify age, by uploading an ID or submitting a selfie, may undermine privacy goals.

A spokesperson for Meta Platforms Inc., which owns Instagram, said the company is still assessing how the law would impact its products and user experiences. Meta supports clear industry standards and California’s law is an important development toward establishing such standards, the spokesperson added.

A spokesperson for TikTok parent company Bytedance Ltd. did not respond to a request for comment.