In last month’s State of the Union address, President Biden called on lawmakers to strengthen digital privacy protections for minors, earning him bipartisan applause. The bill has bipartisan momentum. There are currently multiple bills in Congress intended to create new safeguards for kids.
Nonetheless, policymakers face two huge technological problems with carving out special privacy protections for young children. First, the current structure of the internet has no way of definitively verifying a user’s age, so it’s easy for minors to pretend to be adults and vice versa. Second, developing strong protocols for protecting children’s data, while ignoring adults’ privacy, gives hackers a convenient target to attack.
Legislation that focuses only on protecting children from exploitation online, while well-intentioned, is a technological dead end. What’s really needed is a new framework for universal privacy that can be strengthened, as needed, for children.
The history of past online child protection legislation is illustrative of the problem. In 1998, during the Clinton administration, the 105th congress passed the Children’s Online Privacy Protection Act (COPPA). The law applies to companies that knowingly handle data of minors under 13 years of age. It stipulates that websites collecting the information of children under 13 must obtain consent from parents; COPPA is why most websites require users to self-identify by using a checkbox stating they are more than 13 years of age when signing up.
In addition to parental consent, the rule stipulates fundamental digital privacy protections, such as not collecting more information than is necessary and adding strong digital security to children’s data. The regulation is administered by the Federal Trade Commission (FTC).
While COPPA had good intentions, it lacks teeth and is difficult to enforce. The most important aspect of the act is that it required parental consent to collect data for those under 13. This information is outlined in privacy policies, which are notoriously difficult to understand. This “consent-based” method to allow or disallow children’s data collection also presumes that consumers understand the highly technical nature of data use, which most people do not.
To address COPPA’s deficiencies, Rep. Tim Walberg (R-Mich.) proposed the PROTECT Kids Act, a bipartisan bill that calls for three major new provisions. First, it directs the FTC to conduct a study to better understand and standardize protection for children. Second, it adds additional protected data categories for minors: biometric and geolocation. Third, it calls for increasing the age needed for parental consent to 16 years.
Congress is also considering another alternative, the Children and Teens’ Online Privacy Protection Act, introduced by Sen. Ed Markey (D-Mass.). This bill, too, seeks to put more teeth into COPPA. It calls for raising the age of consent to 15 and giving parents an eraser button, which would allow them to go website-by-website and delete their children’s information “where technologically feasible.” It also would establish a “Digital Marketing Bill of Rights for Teens,” banning targeted advertising to children, and calls for more explicit privacy and security policies for smart toys that connect to the internet.
Protecting children’s privacy online is essential, and two of the new children’s privacy bills address important online privacy concerns in the digital age. But a narrow emphasis on children’s privacy misses the mark in addressing online privacy concerns for children and all citizens.
As noted earlier, someone of any age can pose as a child or as an adult, and internet providers, websites and companies that collect personal data would not know the difference. A technologically feasible way to verify age is to call for secure digital credentials for online age verification. These secure credentials can come in multiple forms. For example, a physical, biometric enabled hardware key could be added to a multi-factor password system or a digital ID that functions similarly to e-wallets many people already use to pay for goods and services. Internet users would be required to use these credentials to set up online accounts to verify their identity from the outset. Currently in the United States, there are no universally accepted digital identification tools for consumers that can be used for age verification.
Focusing only on children’s privacy without calling for universal digital privacy practices could make children’s data less secure. Data repositories for adults also will have children’s data in them due to the ease of lying about your age on the internet. Requiring more specific labeling of children’s data makes these repositories less anonymous, and thus more vulnerable to hackers.
A better solution is to develop a framework for privacy practices for Americans of all ages. A “universal” privacy framework would set the security standards so that no one’s data is unsecured. Thus, even if a child falsely verified their age, any data about them would still be protected. These standards could be augmented for children’s products, through methods such as the ones found in COPPA, the PROTECT Kids Act or the Children and Teens’ Online Privacy Protection Act. Indeed, most privacy laws around the world have additional provisions for children and minors that additionally protect young people’s data.
Truly protecting the rights of children who are not legally able to consent to online services requires a broader privacy framework, based on legislation that covers all Americans. The United States currently lacks such legislation. If we want to protect children’s data, the first step is to establish universal digital privacy practices for everyone – including children – and add additional protection where needed.
Jordan Shapiro is an economic and data policy analyst at the Progressive Policy Institute. She is trained as a data scientist and focuses on ethical government technology.