As digital platforms increasingly cater to younger audiences, lawmakers are pushing for stronger protections for children and teens online. This advisory series examines two proposed laws that may change the landscape for children’s privacy online. This first installment will offer an in-depth look at the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and its potential impact on privacy standards.

COPPA 2.0 was initially passed in the Senate with overwhelming support back in July. More recently, the bill was advanced by the House Committee on Energy and Commerce (the “Committee”) in September. If enacted, this law could have a significant impact on businesses operating online platforms.

COPPA 2.0 is an update to the original Children’s Online Privacy Protection Act, which was enacted in 1998. The new version significantly expands the scope of protections and imposes stricter requirements on companies with online platforms. The key provisions of COPPA 2.0 include:

• Age Expansion: COPPA 2.0 extends the law’s protections to include not just children under 13, but also teens under the age of 17. Many businesses that were confident they were not targeting children under 13 with their services, and therefore less concerned with COPPA, may have more difficulty committing to such an assessment now that the scope of the law has expanded.
• Data Minimization: The law introduces a “data minimization” requirement, which mandates that companies collect only the information that is necessary for the functioning of their services. This provision aims to reduce the amount of personal data collected from minors, thereby limiting the potential for misuse. This is a concept many businesses have already been grappling with in light of requirements under various comprehensive data protection laws. However, given the national reach of this law, businesses will need to be more intentional in how data is mapped across the enterprise (regardless of the state of residence of the data subject) to ensure it is meeting this obligation.
• Prohibition on Targeted Ads: COPPA 2.0 places a ban on targeted advertising to minors without explicit consent from their parents or guardians. Businesses that rely heavily on advertising revenue would need to develop new strategies that comply with these restrictions while still reaching their target audiences effectively.
• Right to Erasure: The law grants minors and their parents the right to request the deletion of any personal data that has been collected. This “right to erasure” is designed to give young users more control over their digital footprints. Businesses would need to establish clear and accessible processes for handling these requests. Similar to data minimization, businesses that already have processes in place for compliance with other laws will still potentially need to expand what they are covering under their current processes.
• Parental Rights: The law would allow parents to obtain information about their child’s use of social media platforms directly from platform operators without their child’s consent, ultimately giving parents significant oversight into what their child or teen is doing online. This particular change was one of the additions made in the Committee and has been faced with some scrutiny from House Democrats who feel this change would undermine the privacy of a minor and may be the subject of continued debate.

Despite the changes in the Committee, the legislation still has bipartisan support, reflecting a shared concern across party lines about the need for enhanced protections for children and teens online. Given this support, the bill is expected to pass the House, although the timeline for its passage and the likelihood of any additional modifications remains uncertain.