Push for Independent Research in Tech Accountability Legislation

A House subcommittee meeting may have previewed the fate of data privacy and children’s online safety legislation in this Congress. Two key bills advanced unanimously to the full House Energy and Commerce Committee during last Thursday's markup session, but lawmakers on both sides of the aisle raised concerns, including the chair and ranking member of the full committee.

The House Energy and Commerce Innovation, Data and Commerce Subcommittee markup session featured debate on an updated discussion draft of the American Privacy Rights Act (APRA), which would establish comprehensive data privacy regulations, and the Kids Online Safety Act (KOSA) which would set a duty of care for the largest social media companies and require strong default privacy and safety settings and features for young users.

APRA is a bicameral and bipartisan project led by the powerful House and Senate Commerce Committee chairs, Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA). The House version of KOSA is led by Innovation, Data and Commerce Subcommittee Chair Gus Bilirakis (R-FL) with Rep. Kathy Castor (D-FL), and the Senate version has close to 70 cosponsors from both parties.

While a dozen amendments were introduced to the bills during the session, legislators will wait until a full committee markup to consider them. Debate on transparency and research measures featured prominently while broader sticking points may ultimately doom progress on the bills this Congress.

Push for Transparency and Research in House Online Privacy and Safety Package

Advocates called for APRA and KOSA to include transparency and research measures which have been pared down or removed from earlier versions of the legislation. A letter campaign ahead of the markup had mixed results and exposed broader divisions over the legislation.

Earlier Senate versions of KOSA included an independent research program to request data from large online platforms for academic and nonprofit studies. The American Data Privacy and Protection Act (ADPPA), introduced last Congress, has data collection and processing exemptions for public interest research and reporting. Civil society groups and researchers called on the committee to add similar research programs and protections back to KOSA and APRA.

The Center for American Progress, a progressive think tank, led a letter to APRA sponsors Rep. McMorris Rodgers and Sen. Cantwell that called for the public interest research protections in ADPPA to be added to APRA. Likewise, a nonprofit research organization, Children and Screens, was joined by the nonpartisan political advocacy organization Issue One in a letter to House Energy and Commerce Committee leadership requesting “the strongest possible transparency provisions” for independent research and public reporting in APRA and KOSA.

The sign-on letters were supported by dozens of nonprofit groups and researchers, including the American Psychological Association, Center for Democracy and Technology, New America’s Open Technology Institute, the Coalition for Independent Technology Research, and my Stanford Internet Observatory colleagues Renée DiResta and Jeff Hancock.

The effort appeared to be successful in convincing lawmakers to add protections for public interest research to the updated version of APRA, but some lawmakers said the new language doesn’t go far enough and there was disagreement on research requirements in KOSA.

Public Interest Research Protections Added to APRA Discussion Draft

While no amendments were adopted during the markup session, the APRA discussion draft was significantly updated ahead of the meeting. One change adds protections for researchers to collect and use data for academic and public interest studies.

Rep. Lori Trahan (D-MA) said she requested the APRA update to protect independent research. She also filed an amendment to establish safe harbor protections for researchers to collect public information from online platforms for “matters of public concern.” The language is nearly identical to a provision in the Platform Accountability Accountability and Transparency Act, a bill that stalled in the Senate.

“I'm glad to see the changes I suggested have been included in the latest draft to ensure that consumers can delete their data held by data brokers and that public interest and peer reviewed research is restored as a permitted purpose,” Rep. Trahan said during the markup session. In the past Congress, she introduced the Digital Services Oversight and Safety Act (DSOSA), which contained a comprehensive scheme to enable independent research. Rep. Trahan was joined by Rep. Jay Obernolte (R-CA) in a May 2023 letter calling on the Biden administration to establish an international research center for online harms.

Rep. Larry Bucshon (R-IN) raised concerns that APRA could limit medical research for drugs and treatments. “The draft legislation limits the general scientific research exemption to efforts that are public and peer reviewed, which in my view is somewhat restrictive,” he said.

After the session, Alix Fraser, director of the Council for Responsible Social Media at Issue One, said privacy legislation fundamentally requires independent scrutiny and data access for researchers.

“Privacy legislation will never be complete without effective transparency provisions that will ensure compliance with the law. Technology companies have proven time and time again that they can't be trusted to grade their own homework. We need unbiased access to all the information necessary to understand the intent and impact of the products developed by these companies,” Fraser said via email.

Update or Remove the KOSA Research Program

Earlier versions of KOSA in the Senate included a program for independent researchers to propose studies related to children’s online safety and request data from large social media companies. Researchers hoped the program would help facilitate a wide range of studies with data from social media companies.

The research program was replaced with a much narrower provision in a July 2023 Senate Commerce Committee markup of KOSA that advanced the bill to the Senate floor. The updated section tasked the Federal Trade Commission (FTC) with contracting the National Academy of Sciences for a series of studies “on the risk of harms to minors by use of social media and other online platforms.”

Rep. Trahan and House Energy and Commerce leadership expressed frustration with this change made in the Senate, but a fix remains unresolved.

“I was extremely disappointed to see that the Senate struck and replaced KOSA’s original section on independent research facilitation with a limited series of studies that hardly provide a shred of accountability and insight the sponsors initially intended with this bill,” said Rep. Trahan.

House Energy and Commerce Chair Frank Pallone (D-NJ) also objected to the change, but introduced an amendment to delete the section on National Academies studies without offering replacement text. He cited a recent National Academy of Sciences committee report on social media and adolescent well-being and limited funding for the FTC to enter into a contract.

“According to staff at the National Academy, no new research has been published in the interim that would change the result of that study, and therefore there's no need in my opinion for a new National Academy of Sciences report at this time,” Rep. Pallone said.

“Paying for those studies would likely force the FTC to cut important consumer protection work and leave the agency with less funding to implement new requirements... It's not only redundant; it's harmful.”

Tech industry lobbying and conservative concerns about online censorship and regulatory overreach appear to be the driving factors that replaced the KOSA research program with a potential series of studies by the National Academies, according to multiple sources familiar with those discussions.

“I've long advocated that we keep the FTC focused on their consumer protection mission. We need the Commission focused on implementing provisions outlined in a data privacy law, and it's time for us to focus them on the mission we're directing them today.” Chair Rodgers said in support of the Pallone amendment.

While Republican leaders support removing the KOSA section on research, Rep. Trahan said Rep. Pallone’s amendment should be used to reinstate the broader research program.

“I agree with Ranking Member Pallone, and so many others, that we should improve this section on independent research. And I think the best place to start is with the original bipartisan provision that actually enabled independent accountability into these platforms,” Rep. Trahan said.

What’s Next

The bills now advance to the full House Energy and Commerce Committee for consideration. APRA remains a discussion draft which has not been formally introduced and assigned a bill number, while KOSA has already advanced to the Senate floor.

The bills have powerful backing with the House and Senate Commerce chairs sponsoring APRA and Senate Majority Leader Chuck Schumer signing on as a co-sponsor of KOSA, but sticking points remain.

House Republican leadership is withholding support for APRA with concerns about weak preemption of state privacy laws and a private right of action, according to Axios. Senate Commerce Ranking Member Ted Cruz (R-TX ) opposes a private right of action that would allow individual plaintiffs to bring lawsuits for privacy violations, according to Bloomberg’s Oma Seddiq.

The Democratic Congressional delegation from California has so far opposed any privacy law that preempts that state's regulations.

“Americans shouldn't have to settle for a federal privacy law that limits states' ability to advance strong protection in response to rapid changes in technology and emerging threats in policy — particularly when Californians' fundamental rights are at stake,” California Privacy Protection Agency Executive Director Ashkan Soltani told the International Association of Privacy Professionals.

KOSA is awaiting a Senate floor vote with a filibuster-proof 68 co-sponsors. Politico reported earlier this month that the Senate started a hotline process, surveying members on their support or objection to the bill before bringing it to the floor for a vote.

Sen. Ron Wyden (D-OR) previously blocked a vote on KOSA by announcing his intention to object to a motion for unanimous consent on the bill due to concerns that state attorneys general could use it to police LGBTQ+ content.

Similarly, in the House markup, Rep. Pallone objected to a duty of care provision for KOSA. “Adopting the duty of care could cause social media companies to over filter content out of an abundance of caution about legal risks. And as a result, some young people could lose access to helpful and even lifesaving content,” Rep. Pallone said.

He argued that children's online safety “can only be solved through reforming Section 230.” The Committee is considering a complete repeal of 230, with a hearing on a bill to repeal the measure introduced by Rep. Pallone and Chair Rodgers held a day prior to the markup session in the House Energy and Commerce Committee.

Enforcement authority for state attorneys general has been reduced in KOSA, but some civil society organizations continue to oppose the bill. A letter led by the Center for Democracy and Technology argues the duty of care could still be “misused to target marginalized communities and politically divisive information.” The letter also expresses privacy concerns with the bill’s required parental tools.

While APRA and KOSA are potentially monumental for data privacy and online safety, unresolved debates on the fundamentals of a national privacy law and concerns over free expression, respectively, may continue to block progress. The fight for researcher access to data is a wonky policy topic, but there appears to be growing awareness among legislators that it must be addressed one way or another.