U.S. Rep. Kathy Castor, D-Fla., is introducing a bill in Congress that would strengthen the Children’s Online Privacy Protection Act (COPPA), banning targeted advertising to kids under 13 and extending privacy protections to all young people under the age of 18. 

“The proposed bill would ensure that the most vulnerable among us are better protected when they are online," says Katie McInnis, policy counsel for Consumer Reports. “It introduces a number of broad protections, but just as importantly, it closes several important loopholes that hindered enforcement under COPPA.” 

The PRotecting the Information of our Vulnerable Children and Youth (PRIVCY) Act would create a protected class of “young consumers” ages 13 to 17, giving them greater control over what personal information is collected and what companies can do with it.

More about Children's Privacy

“Right now a 13-year-old and a 35-year-old are the same in the eyes of federal privacy law,” says Ariel Fox Johnson, senior counsel for privacy and policy at Common Sense Media, an advocacy group that is supporting the bill and was consulted about its content.

Castor’s bill would ban companies from targeted advertisements aimed at children under 13 and require opt-in consent for teens, while preventing companies from making that consent a requirement for access to content. It would establish a “right to access” that would give parents and young people the ability to correct or delete information online. 

“The bill expands the kinds of information explicitly covered to include physical characteristics, biometric information, health information, education information, contents of messages and calls, browsing and search history, geolocation information, and latent audio or visual recordings,” Castor said at a press conference announcing the legislation. 

Other provisions could give the legislation teeth in terms of real-world enforcement, according to privacy advocates. 

McInnis says, for example, that the proposed legislation would ban forced arbitration and increase Federal Trade Commission penalties by 50 percent while allowing the FTC to seek punitive damages against companies that violate the law. 

The proposal also provides for an important private right of action for parents, allowing them to sue companies if their children’s privacy is violated, which could potentially open the door for large civil judgments.

“This parental private right of action means that the law will actually be enforced and companies can’t continue to take advantage of the FTC’s limited bandwidth,” Johnson says.

The law would eliminate so-called Safe Harbor provisions in COPPA that allow companies to “self-regulate,” a loophole that has resulted in more lenient enforcement without a corresponding increase in privacy protection, McInnis says. 

“Researchers have discovered that apps ‘certified’ under the Safe Harbor program are no better, and may even be worse, than those that were not,” she adds. 

Finally, the legislation would amend COPPA’s “actual knowledge” provision, which currently allows companies to ignore important data that proves that a user is a child.

“If a company did not know a child’s birthdate, they would say they . . . didn’t have ‘actual knowledge’ [that the child was 12 years old] even if the company was tracking the child’s location to elementary or middle school and knew they were working on fourth grade math,” Johnson says. “This would get rid of companies turning a blind eye to that.”

But Will It Become Law?

Castor’s bill is the latest in a series of recent congressional initiatives that could enhance online privacy protections for young people. 

In March 2019, Sens. Ed Markey, D-Mass., one of the original authors of COPPA in 1998, and Josh Hawley, R-Mo., introduced a bill generally referred to as COPPA 2.0. That one differs from Castor’s PRIVCY legislation on several key points.

COPPA 2.0 extends protection to teens only up to age 16, and it doesn’t allow for a private right of action, a sticking point for many Republicans, who are concerned about the potential damage a lawsuit can have on smaller businesses. However, it expands protections for users of connected toys and similar devices, requiring a point-of-sale privacy dashboard to alert parents to potential problems, as well as the creation of a division within the FTC charged with protecting childen’s privacy.

Earlier this month, U.S. Reps. Tim Walberg, R-Mich., and Bobby Rush, D-Ill., introduced their own COPPA update, called the Preventing Real Online Threats Endangering Children Today (PROTECT).

The bill includes some basic extension of protections, safeguarding teens up to age 16, Johnson says. In other ways, however, the Rush-Walberg bill may actually eliminate protections for digital information already protected under COPPA.

“The Rush-Walberg bill doesn’t include online identifiers and other information like audio and visual regulations, which COPPA currently covers,” Johnson says. “That could definitely be seen as congressional intent to cut back those protections.” 

Consumer Reports reached out to Rush and Walberg, but neither responded in time for publication. 

It’s always hard to predict the prospect of bills becoming law. Going forward, these protections may be folded into a comprehensive privacy bill like the Consumer Online Privacy Act (COPRA), proposed by Sen. Maria Cantwell, D-Wash., late last year. On the other hand, a stand-alone privacy bill for kids could face fewer hurdles.

“In the past, we’ve managed to get children’s privacy legislation without getting comprehensive privacy legislation, so it’s possible that the only thing Congress will be willing to do is kids,” Johnson says. “But we’re hopeful that adults could have protections, too, and all the main comprehensive drafts we’ve seen had a place for special protections for kids.”