U.S. advocates aim to expand children’s online safety
In the United States, the chief privacy law concerning minors, usually defined as those under 13 years old, is the Children’s Online Privacy Protection Rule, or COPPA. It requires that minor-oriented websites obtain verifiable parental consent before data collection or use, have a clear privacy policy and provides information about fines and other issues. Its effectiveness is uncertain, however, given the proliferation of digital methods to obscure ones identity (including age), ineffective enforcement and, in some cases, what seem to be entities outright ignoring the law. It has been modified in the past, but recently the Federal Trade Commission proposed additional changes to strengthen and expand COPPA’s ambit.
Such legislation is not limited to the federal government, however. After the signing of the California Age-Appropriate Design Code Act in 2022, other states have begun to look at additional regulations to better protect American minors while on the Internet. Maryland, Minnesota, New Mexico and other states are the latest to consider their own legislation, drawn from the same source that inspired California’s Act: the United Kingdom’s Age-Appropriate Design Code.
What is in the UK Code?
The Age-Appropriate Design Code, or ‘Children’s Code’ as it’s commonly known, broadens the requirements for services that operate online and collect data from UK children under 18. Any service which children are likely to access is subject to the Code, including applications, games, social media and online stores, among others. Does a child have a device that connects to the internet, like a toy or a mobile phone? That’s covered as well.
If you’ve worked with the General Data Protection Regulation, the Code contains familiar provisions, such as an extraterritoriality provision applying the Code to any company processing data for UK children, regardless where the processing occurs, minus a few carve-outs. The Code also requires that service providers must map data, verify the age of users, have particular understanding of geolocation information, ensure transparency and favor data minimization. The Code further includes more targeted restrictions, for example barring so-called ‘nudge’ techniques that prompt children to divulge extra data and lower privacy settings.
What is going on in the United States?
So far, state-level laws in the US are broadly mimicking the Children’s Code. Like the Children’s Code, California’s Act expands ‘children’ to anyone under 18. Whereas COPPA targets web services targeted at children or with actual knowledge of users under the age of 13, the Act would cover any business ‘likely to be accessed’ by minors, as well as closely regulate the collection and use of geolocation information and explicitly bar the use of dark patterns. Other states are following similar rationales for their own Acts, though there are substantial variations between state proposals. Other states are modifying related legislation, such as a Florida law targeting social media usage among minors that was expanded to consider any online platform. Even some companies have publicly announced support for these laws, such as children’s entertainment juggernaut Roblox.
However, the laws are encountering substantial opposition, most prominently from the trade group NetChoice, which represents digital titans such as Amazon, Google and Meta. NetChoice sued to block California’s Act and scored an initial victory when U.S. District Court Judge Beth Labson Freeman granted NetChoice a preliminary injunction in September of 2023. The decision is expected to be reviewed by the Ninth Circuit Court of Appeals this year, and however the Ninth Circuit rules will certainly influence other states’ legislation.
NetChoice’s lawsuit successfully argued that California’s Act was unconstitutionally vague. In doing so, NetChoice was joined by some free speech groups that were concerned about broad language in California’s Act. Ironically, another major point raised in opposition was the Act’s potential invasiveness, as age verification would require a substantial amount of data collection. Judge Freeman even noted that the age verification could worsen concerns around children’s privacy.
Supporters of California’s Act argue that the Act primarily affects corporate design choices, a form of conduct but not speech under Constitutional law. Concurrently, state legislators are continuing to prepare and advance their own versions of these laws as well. Some proposals are evolving to incorporate tort-derived concepts, including a requirement for companies to determine whether their products or services could lead to ‘reasonably foreseeable’ harm to children.
As always, the law of the internet and the impact on data privacy continues to change. If you have questions about how new legislation might impact your company’s business prospects, think you might have experienced a cybersecurity incident, or if you want to learn more about potential privacy concerns, contact a member of McDonald Hopkins' national cybersecurity and data privacy team.