It’s been a couple months since the kids media industry last heard about the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) bills in the US. But some experts recommend planning ahead in the event that these wide-ranging bills will get signed into law.
As a refresher, these bills require social media companies to protect kids from content that promotes dangerous behavior, disable addictive features and ban targeted advertising to kids. COPPA 2.0 extends the age of non-consenting users that online companies can collect personal info from to 16 from 13. KOSA creates a “duty of care” that requires online platforms to give kids the strongest privacy settings by default, along with the ability to opt out of personalized algorithm recommendations.
These bills have bipartisan support: the US senate overwhelmingly passed them at the end of July, and a House committee has advanced them to the stage where the House and Senate will vote on whether to grant them final approval.
Even though it isn’t certain that the laws will pass, companies should examine what parts of their business are covered by KOSA and COPPA 2.0, says Mark Brennan, a partner who’s in charge of the technology and telecom sector group at American-British law firm Hogan Lovells.
If you operate or control an online platform used by kids, a good first step is to assess its existing privacy safeguards, says Brennan.
A company should look at these protections with an eye towards passing the yearly independent audits that would be required by KOSA. These audits look at what a company is doing to be compliant and if it’s taking meaningful steps to protect kids from content that promotes topics such as self-harm, eating disorders and sexual exploitation.
The audits will require that platform operators provide information and data to prove their compliance.
These aren’t necessarily easy steps, Brennan acknowledges—especially when technology, entertainment, gaming and other companies that operate in this space could be dealing with an assortment of governmental rules and regulations already. “These bills make good-faith compliance far more difficult for companies that are already facing a wave of online safety legislation at the state level,” he says. “And KOSA states that it does not preempt state legislation that goes further than its requirements, so we could see states continuing to push the boundaries.”
However, if the bills pass, they’ll likely be challenged in court, adds Brennan. “There is already a nationwide patchwork of litigation challenging state online safety laws—many of which extend far beyond safety and infringe on the First Amendment, as numerous courts have found.”
Clients of the kidSAFE Seal Program, the LA-based certification service for kid-friendly sites and apps, have been taking measures to prepare for the acts becoming law, says Shai Samet, kidSAFE’s founder and president. For the moment, he advises companies—especially those confused by the legislative process—to take a wait-and-see approach because there’s a chance of constitutional challenges, and because complying with the bills now by taking actions such as creating more content-moderation tools or preparing for external audits will require some significant structural and organizational changes that could be prohibitive for smaller companies.
A topline point he flags about KOSA is that it requires apps for kids that don’t have any “stickiness” features, such as push notifications or timed rewards that drive users back to the app. But driving engagement is a priority for companies, and ideally there should be a level playing field between kid-skewing apps and those aimed at adults, he adds.
Cyber security firm Kidas, which focuses on children’s online safety, has a few key strategies for companies that want to start improving the kids’ safety aspects of their digital domains, says CEO Ron Kerbs. For meeting COPPA 2.0 compliance, he suggests enhancing privacy measures by encrypting data and limiting data collection to the bare minimum. AI-powered monitoring tools—the type that are meant to identify bullying in text chats—need to go beyond filtering out keywords to actually identifying predators and preventing harmful behavior.
Companies should also invest in training staff on safety protocols and maintaining compliance. “By taking these proactive steps, companies can not only ensure compliance, but also genuinely contribute to making the internet a safer place for children,” says Kerbs.
Another way to handle the proposed change of COPPA 2.0 extending the age of coverage and protection to 16 from 13, is just to treat all kids the same and not collect personal data that can identify kids. That’s what streaming company Future Today, which owns and operates the HappyKids AVOD, is already doing, says co-founder Vikrant Mathur. HappyKids currently doesn’t collect data for users under 16, so the changes bumping that age to 17 won’t affect the platform much, if at all, he adds.
“With all of our kids-directed apps, we treat all users the same irrespective of their age, and we’re already providing the same protection to teens using HappyKids as we do to preschoolers.”
Whether the KOSA and COPPA 2.0 bills end up getting signed into law or not, the kids media business always has a role to play in protecting kids, adds Mathur.
“As an industry, we need to create more safe spaces for kids to engage and learn, while ensuring that the law continues to support the various business models that the publishers can use to create long-lasting services. These proposed enhancements to COPPA seem like a reasonable step in that direction.”