Technology industry stakeholders are bracing for both the intended and unintended consequences of a bipartisan effort aimed at making the internet safer for minors.

When Congress returns from its August recess, the US House of Representatives is likely to take up a package of privacy legislation aimed at increasing online protections for minors. The package, which the Senate passed in a 91-3 vote on July 30, includes the Kids Online Safety Act (KOSA) and Children's Online Privacy Protection Action (COPPA) 2.0. Given broad political support for the legislation, industry and legal experts say companies engaged in data collection should examine the ramifications of the pending bills now.

"Tech companies are going to need to worry about it," said Hilary Wandall, chief ethics and compliance officer at Dun & Bradstreet. "They're going to need to be very diligent in understanding when the content that they are developing and the solutions they are offering may be of interest to children, how to ensure that they are not exposing children inadvertently to those who would prey on them."

The pending legislation would require social media platforms to enable their strongest privacy settings for kids by default. KOSA is designed to hold social media companies more accountable for potential harm caused to minors using their platforms. It also would enable the federal government to investigate and sue websites believed to cause children "psychological distress." COPPA 2.0 is focused more on strengthening data protection and marketing limits.

A federal framework

Much like other US legislative efforts on privacy, children's privacy laws vary widely across state lines. A Brookings Institution analysis noted inconsistencies in laws in Arkansas, California, Louisiana and Texas specifically. The variations include different approaches to age verification, parental consent, data collection limits, ad restrictions, parental account access and enforcement authority. That can make the US system confusing for both consumers and companies to navigate.

KOSA and COPPA 2.0 include a focus on parental consent and limiting what data Big Tech companies such as Meta Platforms Inc., Snap Inc. and TikTok Inc. can collect from children online, said Jodi Daniels, founder and CEO of Red Clover Advisors, a privacy consultancy, and a faculty member of the Institute for Applied Network Security. It would create a US standard with some similarities to privacy legislation in Europe.

"The concept of being more of a consent-first approach is a bit more of a European approach," Daniels said. "Only in some scenarios is the US actually more opt-in, and for children, that's essentially what they're trying to make it be — stop harvesting children's data and give [parental] protections ... because silly 14-year-olds do things they shouldn't."

Additionally, under KOSA, a new "duty of care" provision would obligate online platforms to prevent and mitigate specific dangers to minors, such as content promoting suicide, eating disorders, substance abuse, sexual exploitation, and advertisements for products such as tobacco and alcohol. It would require independent audits and research on the impact of social media platforms on children and teens.

"The Kids Online Safety Act changes social media platforms' focus from a duty of profit — exploiting children's developmental vulnerabilities — to a duty of care, protecting children's safety and wellbeing," said Dawn Hawkins, CEO of the National Center on Sexual Exploitation.

Unintended consequences

Critics of the pending US legislation say the privacy bills could have unintended consequences. Concerns have been raised by a variety of industry and consumer groups, including the American Civil Liberties Union; the Center for Democracy and Technology; the Electronic Frontier Foundation; and GLAAD, an LGBTQ+ advocacy group.

Sen. Ron Wyden, D-Ore., one of the three dissenting votes in the chamber, alongside Sen. Mike Lee, R-Utah, and Sen. Rand Paul, R-Ky. Wyden, said while he supported elements of the package, including COPPA 2.0, he thought KOSA's improvements were "insufficient." The Oregon senator said he would work to "conduct rigorous oversight" of the Federal Trade Commission to ensure that future administrations would not pressure companies to censor "gay, trans, and reproductive health information."

The authority KOSA grants the FTC and state-level attorney generals to investigate and file lawsuits against websites is a potential red flag for privacy and data experts.

"There is concern that the interpretation of 'mental distress' could become politicized," said Paige Bartley, senior research analyst at S&P Global Market Intelligence's 451 Research. "Other proposed effects could be the subjective and widespread removal of informational resources or user-generated content, as well as intrusive applications and services for ID verification, age gates and content filtering."

Others argue KOSA's language is too vague and subjective and could lead to restrictions on benign content by companies adopting extreme caution.

"One person's harmful content could be another person's inspirational video," said Patrick Hedger, executive director at the Taxpayer Protection Alliance. "The sponsors of KOSA have talked about content that could cause eating disorders, but that kind of content could be a cooking influencer or a fitness influencer that creates body image issues for some users, but not others, but that's perfectly constitutional content."

Path forward

Before the pending bills can become law, they must be passed by the House. Speaker Mike Johnson, R-La., previously told reporters he was supportive of the legislation, but he has yet to schedule a vote for the children's privacy package.

There are also differences between the House and Senate bills that would need to be resolved. The Senate's bill applies broadly to all online platforms, including social media, messaging apps and multiplayer video games. The House version of KOSA only applies to the largest "high impact" platforms, defined as companies with at least $2.5 billion in annual revenue or more than 150 million global monthly active users.

The House's legislation has a tiered compliance system, with fewer requirements for mid-size and smaller platforms. In the Senate bill, the same regulatory standards will be applied uniformly.

The House also has a narrower definition for compulsive usage that could result in a "mental health disorder," as defined by the American Psychiatric Association. The Senate's iteration of KOSA refers to "psychological distress" caused by compulsive usage.

As far as the mechanics of the legislation are concerned, each chamber can independently pass their own version of the bill. A conference committee would then be assigned to reconcile the differences and create a unified version. This unified bill would need to be approved again by both chambers. President Joe Biden, whose signature would be needed on the final bill, previously expressed support for the package.

Most observers see a path forward for the privacy laws.

"We have done Gen Z a disservice by not doing a better job around privacy," said Theresa Payton, CEO of Fortalice Solutions LLC, a cybersecurity firm that offers users protection against internet predators. "I do believe we can find a happy place between freedom of speech ... individual rights and consent."