As President Biden calls for stronger online privacy protections for children, Congress has been busy at work to answer the bell. On February 16, 2022, Senators Richard Blumenthal (D-CT) & Marsha Blackburn (R-TN) introduced their highly anticipated bill aimed at protecting children’s health and well-being online – the Kids Online Safety Act (“KOSA”). KOSA aims to protect minors, defined as individuals who are age 16 or younger, from the potentially negative impacts of a minor’s engagement with a “Covered Platform.” Under the proposal, a “Covered Platform” is a commercial software application or electronic service that connects to the internet and that is used, or is reasonably likely to be used, by minors. Covered Platforms would include offerings by both non-profit and commercial entities.
If KOSA is enacted into law, Covered Platforms would be required to:
- Provide a duty of care to act in the best interests of minors and to prevent harm to minors;
- Provide tools, safeguards, and reporting mechanisms to minors and parents to supervise and control a minor’s use of a Covered Platform;
- Disclose policies and procedures concerning the Covered Platform’s use of algorithmic recommendation systems and advertising and marketing activities aimed at minors; and
- Conduct annual third party audits and issue annual reports that identify systemic risks to minors.
KEY OBLIGATIONS
Duty of Care
KOSA would require Covered Platforms to provide a duty of care to act in the best interests of a minor, and to prevent and mitigate the heightened risks of physical, emotional, developmental or material harms to minors posed by the content on, and engagement with, their services. KOSA identifies several specific risks for which Covered Platforms should protect minors from, including the promotion of self-harm, eating disorders, substances abuse, physical harms, sexual exploitation, and predatory and unfair marketing practices, to name a few.
Tools, Safeguards, and Reporting Mechanisms
If enacted, KOSA would also require Covered Platforms to provide minors and parents with readily-accessible and easy to use safeguards to control their experience and personal data. Personal data is defined by KOSA as information that identifies or is linked or reasonably linkable to an individual, household, or consumer device. Such safeguards would include settings to:
- Limit the ability of other individuals to contact or find a minor;
- Prevent individuals from viewing a minor’s personal data;
- Limit features that increase a minor’s use of a Covered Platform (automatic playing of media, notifications, rewards for time spent, etc.);
- Delete the minor’s account and request removal of personal data; and
- Restrict the sharing of the geolocation of a minor and to provide notice regarding the tracking of a minor’s geolocation.
Notably, if KOSA is enacted into law, when a Covered Platform knows or reasonably believes that a user is a minor, the default settings for any safeguards must be the strongest option available.
In addition to providing safeguards for minors, Covered Platforms would also need to provide tools for parents to supervise, control, and monitor a minor’s activity. Under KOSA, parents would have the right to control privacy and account settings, safeguards, restrict purchases, and track usage. Additionally, Covered Platforms would be required to provide parents and minors with the means to submit reports of harms to a minor, and be required to establish an internal process to receive and respond to such reports in a reasonable and timely manner. Lastly, KOSA would make it illegal for Covered Platforms to facilitate the advertising of products or services to minors that are illegal to minors based on applicable state or federal law.
Transparency
KOSA would put additional disclosure and transparency obligations on Covered Platforms than those in effect in existing child and consumer data privacy laws. Prior to a minor’s use or registration of a Covered Platform, KOSA would require Covered Platforms to provide conspicuous notice of its policies and procedures with respect to personal data and safeguards of minors, information about how minors and parents can access safeguards and parental tools, and notice about whether the Covered Platform, including any algorithmic recommendation systems used by the Covered Platform, pose any heightened risks of harm to a minor. Covered Platforms would also need to give such notice to the parents of a minor, and would need to obtain acknowledgment from a minor or parent of the receipt of any information related to the heightened risk of harms to minors.
Covered Platforms that use algorithmic recommendation systems on minors would also be required to disclose how such systems are used and provide parents and minors the ability to opt out of their use. Under KOSA, an algorithmic recommendation system is defined as a fully or partially automated system used to suggest, promote, or rank information. Covered Platforms would be required to provide an overview of how algorithmic recommendation systems are used on the platform for minors, including how such systems use personal data belonging to minors, and options to modify the results of algorithmic recommendation system, including the right to opt-out or down rank types or categories of recommendations.
KOSA would also put additional restrictions and transparency requirements on Covered Platforms that facilitate advertising aimed at minors. KOSA would require the Covered Platforms to provide information and labels regarding the name of any products being advertised, provide information on why the minor is being targeted for particular advertisements, and identify if a particular media displayed is an advertisement or otherwise considered marketing material.
Audits and Public Reports
If passed into law, KOSA would require Covered Platforms to undergo an independent third party audit at least once per year in order to inspect the Covered Platform’s operations, and issue a detailed report that identifies the foreseeable risks of harms to minors. The audit must also include an assessment of how the Covered Platform prevents and mitigates each identified risk of harm.
ENFORCEMENT AND PENALTIES — NO PRIVATE RIGHT OF ACTION
If passed, KOSA would be become effective 18 months after the date of enactment and be enforced by the FTC and State attorney generals. A violation of KOSA would be treated as a violation of a rule defining an unfair or deceptive act or practice, and Covered Platforms may be liable for civil penalties of up to $46,517 per violation. KOSA does not provide for a private right of action for violations of the law.
KOSA v. COPPA
If enacted, KOSA would create additional compliance obligations for companies already subject to the Children’s Online Privacy Protection Act (“COPPA)” – America’s principal federal law for the protection of children’s online privacy. COPPA requires companies to provide notice to, and obtain consent from, parents prior to the collection of the personal information of children under the age of 13, as well as to offer parents certain controls over that data. However, COPPA only regulates the processing of data of children under the age of 13. KOSA would require Covered Platforms to not only comply with COPPA’s regulations for the data they collect from children under 13, but also meet KOSA’s compliance obligations for all minors under 17.
WHAT’S NEXT?
In addition to the key obligations that that Covered Platforms would owe directly to parents and minors, KOSA would also direct the FTC to establish guidelines for Covered Platforms seeking to conduct market and product focused research on minors. KOSA would also direct the FTC, FCC, and NIST to coordinate and conduct a study on age verification systems and commercial use feasibilities – which could impact how companies comply with various state and federal laws geared towards minors should any such technology or mechanisms become widely adopted.
Goodwin’s Data Privacy Team is actively tracking KOSA as it treads through congress. However, we note that KOSA is part of a much larger global pattern of legislative initiatives to protect kids online. In addition to KOSA, there are several other kids online privacy and safety bills pending in Congress, including the Kids Internet Design and Safety Act and Children and Teens’ Online Privacy Protection Act. Furthermore, both the UK (Online Safety Bill) and the EU (Digital Services Act) have pending legislation aimed at protecting minors (defined as an individual under the age 18), and the Irish DPC recently published guidance which sets out principles and recommendations for companies to follow when processing children’s data in Ireland. Companies that operate software services that are used, or reasonably likely to be used, by minors should remain vigilant about developments in the regulation of the protection of children online.