Bipartisan Smorgasbord of Children’s Online Safety Legislation Passes the House

On Monday, the United States House of Representatives passed the Kids Internet and Digital Safety (KIDS) Act, a sprawling collection of measures aimed at mitigating online harms to minors, in a 267-117 vote. The bill, H.R. 7757, will now head to the Senate, where it reportedly faces long odds.

Last week, House Energy and Commerce Committee Chair Brett Guthrie (R-KY) and Ranking Member Frank Pallone (D-NJ) announced that they had agreed on new text for the legislation, which is anchored around a version of Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), two bills that have been batted around by both houses of Congress in various forms for more than four years. A version of COPPA 2.0 passed the Senate in March and a Senate version of KOSA is also under consideration.

The committee narrowly voted to advance an earlier version of the KIDS Act in March, shortly after the bill was introduced. However, Guthrie and Pallone appear to have decided to find a text that they could both endorse, whether on principle or, especially in light of the Republicans’ paper-thin majority, to shore up the legislation’s support in the event of lobbying from Big Tech.

Earlier this year, the KIDS Act was the subject of much critique from safety advocates, state legislators, and state Attorneys General (for the version of KOSA that was incorporated into the KIDS Act). There are three main critiques of the earlier KIDS Act, two of which have been addressed in the new version:

1. Preemption of state laws: The former version preempted state laws covering similar ground; the new version does not preempt any state law that is more protective. Still, Axios reports that critics are concerned the bill “would make it more difficult to sue social media companies for design features.”
2. Standard of knowledge: The earlier version only expected online services to treat users as minors if they “have actual knowledge” of their age or “acted in willful disregard” in assuming that they are not minors, a standard that was seen as too weak by critics, compared to the Senate KOSA’s “knowledge fairly implied on the basis of objective circumstances.” The version that passed the House employs a “know or should have known” standard, which is likely closer to the Senate’s formulation, for KOSA and some of the other measures. The “willful disregard” standard remains in the SPY Kids Act and Data Broker Disclosures measure.
3. Duty of care: Other versions of KOSA, including the Senate’s, include a duty of care for platforms “in the creation and implementation of any design feature to prevent and mitigate” a series of specific harms. In both the March and the June texts for the KIDS Act, this is replaced by a requirement to “establish, implement, maintain, and enforce reasonable policies, practices, and procedures that address” a list of harms, which do not include several mental health-related harms that are present in the Senate’s text.

The other important development is that the KIDS Act now incorporates a version of COPPA 2.0 and a measure that requires data brokers who hold minors’ data to register with the Federal Trade Commission (FTC). Meanwhile, POLITICO reports that the White House is working with Senator Marsha Blackburn (R-TN) on a new package for the Senate, set to include the NO FAKES Act and the App Store Accountability Act as well as KOSA.

What’s in the KIDS Act?

Although KOSA and COPPA 2.0 are undoubtedly the two centerpieces of the package, 12 other pieces of legislation are also part of the Act, many of which were previously introduced independently. Each of these measures is summarized below. Of particular interest, however, are a number of caveats that apply to the interpretation of all measures in the KIDS Act and respond to the concerns of many critics of tech legislation.

None of the following may result from the Act:

• viewpoint-based enforcement
• prevention of platform actions to mitigate spam or criminality, or to ensure security
• exposure of minors’ data
• changes to Section 230
• preclusion of the use of encryption or decrypt user communications, or,
• “the affirmative collection of any personal information with respect to age that is not already collected in the normal course of business.”

It remains to be seen how compatible in practice these stipulations are with the measures prescribed in the main body of the bill, or if they can appease many of the passionate voices in the child safety, online civil liberties, or tech industry communities.

A single regime is also established for all the measures in the KIDS Act. The FTC is to enforce the act under its “unfair or deceptive acts or practices” processes. State Attorneys General may also bring civil actions, though the FTC can intervene and file appeal petitions in those cases. State suits may not be brought while an FTC-led case is pending for the same defendant.

Contents of the newly-passed KIDS Act

SCREEN Act

Websites with more than one-third material deemed “harmful to children,” i.e. pornography, are required to use age verification to block minors from access. This is a version of a statute already adopted in many red-leaning states to restrict minors’ access to pornography, and upheld by the Supreme Court. This appears to be the only measure in the bill that requires age verification; KOSA and COPPA 2.0 specifically exclude a requirement for age gating or age verification being implied. The prescription for age verification here is vague (“a system or process to determine whether it is more likely than not that a user of a covered platform is a minor”), but the legislation appears to give FTC leeway to create specific standards.

KOSA

The KIDS Act includes a version of KOSA with a collection of measures to protect children from harms on social media platforms, including:

• Covered platforms must take steps to address four specific harms to minors (under 17): severe threats of physical violence; sexual exploitation and abuse; the distribution, sale and use of gambling and drugs (including. alcohol, tobacco, and cannabis); and financial scams. Minors should still be able to actively seek out content and access protective resources.
• User tools must be provided and defaulted to the most restrictive setting for minors. These include: contact and privacy restrictions; limits on platform time; and the ability to opt out of personalized recommendations and or from specific categories of content being recommended.
• Parental controls must also be provided, and defaulted to the most restrictive setting for under-13s. Minors are to be notified when parental controls are applied.
• Direct messaging warnings and protections must be provided for teens.
• Platforms must respond to reports of harms to minors within 10 days, or sooner for imminent threats.
• Advertising illegal or age-restricted products to minors is prohibited.
• A third-party audit is required to assess compliance.

SPY Kids Act

Prohibits covered platforms from conducting “market or product-focused research” on minors (under 17), unless it is “used solely to improve the privacy, security, transparency, or safety of the covered platform.”

Safer GAMING Act

Imposes safety measures on games that facilitate communication between users. Parental action required to allow communications for under-17s. Minors and parents must also have tools to: prevent the minor being recommended as a contact, restrict purchases, and impose time limits. Minors are to be notified when parental controls are applied.

SAFE BOTs Act

A collection of specific requirements for providers of AI chatbots when engaging with minors, including: AI chatbots may not claim to be licensed professionals; they must disclose that they are not real people both at the initiation of a session or if asked; they must must provide suicide and crisis hotline details; and they must advise the user to take a break after three hours. The providers must also have policies and procedures in place to address the first three harms cited in KOSA.

Safe Social Media Act

Directs a study on minors’ use of social media, platforms’ use of personal data, and mental health impacts of social media on minors.

No Fentanyl on Social Media Act

Directs a report on the ability of minors to access fentanyl through social media; relevant social media features to the access of fentanyl; and possible mitigations.

Assessing Safety Tools for Parents and Minors Act

Directs a review of industry efforts to promote minors’ online safety and their effectiveness.

Also included in the section following this language is a provision directing a 4-year longitudinal study on the risks and benefits of chatbots with respect to the mental health of minors.

Promoting a Safe Internet for Minors Act

Replaces a 2008 statute directing an online safety education program (Protecting Children in the 21st Century Act) with a new effort to identify best practices for online safety education, conduct an outreach campaign, and facilitate the sharing of and access to educational resources and information about online harms to minors.

AWARE Act

Directs the FTC to develop and make available educational resources regarding safe and responsible use of chatbots by minors.

Kids Internet Safety Partnership Act

Establishes a body to coordinate with agencies and stakeholders to study and report on risks, benefits and evidence-based best practices regarding the impacts on minors of a broad range of online services and apps.

COPPA 2.0

A series of amendments to the original 1998 version of COPPA, providing updates for the contemporary internet and increased stringency. The measures include:

• Raising the age of a “child” for the purposes of the law to 14 from 13 and adding a teen category (14-18). Teens have some of the same protections as “children,” but the notice and consent that is in the domain of younger users’ parents is given over to teens themselves.
• The “actual knowledge” standard is updated, in at least some cases, to the stricter “knows or should have known” standard.
• The category of “personal information” protected under the law is updated to include additional types, such as media with image or voice, identifiers like IP addresses and cookies, biometrics, DNA, and geolocation data.
• Prohibits the collection, use, and sharing of children or teens’ personal information for individual-specific advertising and for any other purpose unless it is necessary for the service provided (or for compliance with federal law). Prohibits the retention of such information for longer than needed.
• Parents and teens have a new right of deletion for their child’s / their personal information.
• Separate rules are established for services provided through educational institutions, where the notice and consent are generally given over to that institution.
• State laws are no longer preempted from imposing stricter standards.
• Directs a study on risks to the privacy and mental health of teens who use financial technology products.

Data Broker Disclosures

Requires that data brokers who process minors’ personal data (as defined by COPPA 2.0) register with FTC and provide information on their customer credentialing practices and security breaches. A searchable directory of registered data brokers is to be published.

What’s next

On the bill’s passage in the House, Politico reported that the prospects of it advancing in the other chamber are “dim.” The August recess looms, as does a break ahead of the midterm elections, leaving Senators little time to consider the bill amid the chamber’s many competing priorities.