Pixalate’s 2022 Summary of the Status of Key Federal and State Online Privacy Legislation

Several bills have been proposed in the U.S. Congress and state legislatures with the goal of strengthening children’s privacy online and protecting minors from invasive advertising and inappropriate content. Here we will examine two important federal bills and two key state laws and where they stand at the end of 2022.

Federal

Kids Online Safety Act (KOSA)

The Kids Online Safety Act or KOSA was originally introduced in February 2022 by U.S. Senators Blumenthal (D-CT) and Blackburn (R-TN). The goal of the bill was to protect minors from harassment, exploitation and mental health trauma online by establishing a “duty of care” responsibility surrounding content that was likely to be accessed by those aged 17 and younger. KOSA is also being heralded as a much-needed update to the Children’s Online Privacy Protection Act (COPPA), which was enacted back in 1998.

In November, 90 LGBTQ+ and human rights advocacy groups announced their opposition to the bill in its current form, citing limitations on access to information that could provide support, help and critical information to vulnerable young people.

Some legislators pushed to include KOSA in the government funding omnibus bill, but Democratic leadership had objections. The bill will not be included in the end-of-the-year government funding omnibus bill and will have to be reintroduced next Congress.

Children and Teen’s Online Privacy Protection Act (CTOPPA or “COPPA 2.0”)

The Children and Teen’s Online Privacy Protection Act was introduced in July 2022 by Sens. Markey (D-MA) and Cassidy (R-LA). The bill seeks to amend the current COPPA law by revising the requirements under the rule, including modifying COPPA’s actual knowledge standard to a constructive knowledge standard, raising the age of consent for data collection to 15 from 12 and creating a new division to enforce children’s privacy protections within the U.S. Federal Trade Commission.

According to the released text of the bill, the legislation would prohibit an operator of a website, online service, online application, or mobile application directed to a child or minor with constructive knowledge the user is a child or minor from collecting the user's personal information without:

• providing notice and obtaining consent,
• providing a parent or minor with certain information upon request,
• conditioning participation by a user on the provision of personal information, and
• establishing and maintaining reasonable procedures to protect the personal information collected from users.

The bill was also under consideration to be included in the end-of-the-year government funding omnibus bill but has been removed from the final legislation, like KOSA, and will have to be reintroduced next Congress.

State

California Age Appropriate Design Code

California’s Age Appropriate Design Code was signed into law in September 2022 and will go into effect July 1, 2024. The law would require companies to consider the privacy and protection of children in the design of any digital product or service that children are likely to access in the state of California.

New York Child Data Privacy and Protection Act

In September 2022, New York state senator Andrew Gournades proposed the New York Child Data and Privacy Protection Act, similar to the Age Appropriate Design Code passed in California. The bill would ban certain types of data collection and targeted advertising and requires companies acquiring consumer data to assess their products’ impact on children. The bill would also require companies to submit a data protection impact assessment before their product went public.

The legislation is still currently under committee consideration in the New York State Legislature.

Pixalate will continue to monitor legislation that will affect online privacy both in the U.S. and internationally and provide periodic updates for the industry.