In honor of May 25 being International Missing Children Day, we look at the growing complexity of the digital world and how it demands a collaborative effort from lawmakers and regulatory bodies to protect children's online privacy and prioritizing their safety
In 2022, about 1.7 million children were victims of a data breach, which means that they had personal information exposed or compromised. In addition, 90% of parents told Pew Research Center that they were concerned about social media platforms having access to their personal information.
Safeguarding children’s data and online privacy is challenging due to the existing fragmented legal framework, which consists of various federal and state laws with differing methods and restrictions. Even so, there are ways to address these gaps, says Amber Thomson, Partner in the cybersecurity and data privacy litigation practice at Mayer Brown.
Understanding the current federal and state legal landscape
“The current legal landscape aiming to protect children’s data and online privacy is a complex patchwork of federal and state laws, each with distinct approaches and limitations,” says Thomson. At the federal level, the Children’s Online Privacy Protection Act (COPPA) is the cornerstone legislation and is enforced by the U.S. Federal Trade Commission (FTC). COPPA primarily targets websites and online services directed at children under 13 years of age and mandates parental consent for the collection, use, and disclosure of personal information. Despite its foundational role, COPPA has faced criticism for its limited age scope and challenges in enforcement.
On the state level, Thomson notes that there has been a notable surge in initiatives to enhance children’s privacy protections. California, for example, leads with the California Consumer Privacy Act and its successor, the California Privacy Rights Act (CPRA), which extend privacy safeguards to minors under 18. This trend has inspired other states to enact similar laws, focusing on regulating children’s data, particularly in connection with social media.
Significant divergences create a fragmented regulatory environment, and perhaps most problematic is the inconsistent definition of “child” across jurisdictions.
These state laws often include provisions for age-appropriate design codes and “harmful content age verification” laws, which aim to shield children from potentially damaging online content. However, these efforts sometimes face opposition on grounds of infringing on free speech rights, highlighting the ongoing tension between privacy protection and other legal considerations.
At the federal legislative level, efforts to strengthen children’s online safety have seen mixed success. Initiatives like the Kids Online Safety Act have been proposed to address broader online safety issues, although many such efforts have not yet been passed into law. Recent U.S. Senate hearings have continued to highlight the need for comprehensive federal action.
The challenge remains to harmonize these federal and state efforts to ensure consistent and effective protections for children’s data privacy across the United States. Such enhancements to current protections could include standardizing age definitions, increasing parental control, imposing stricter penalties for non-compliance, and improving education and awareness about online privacy risks. These measures, combined with potential international collaboration, could help close existing gaps and create a more cohesive legal framework to protect children online.
Areas of commonality and divergences
The current legal landscape protecting children’s data and online privacy reveals several important commonalities across jurisdictions. Most prominently, there is widespread recognition that children deserve special privacy protections beyond those afforded to adults, according to Thomson. For example, laws at both federal and state levels requiring parental consent mechanisms for data collection from younger users demonstrate this special protection.
Another common thread is the growing emphasis on privacy by design principles, which requires online services to build child safety and privacy considerations into their products from inception rather than as an afterthought. Additionally, there is increasing consensus that certain exploitative design features which may target children should be restricted, with many laws limiting data retention periods and collection practices.
Despite these commonalities, Thomson points out that significant divergences create a fragmented regulatory environment. Perhaps most problematic is the inconsistent definition of child across jurisdictions. Indeed, COPPA applies to children under 13 only, while state laws like California’s CPRA extend protections to minors under 18. This creates compliance challenges for companies operating across multiple states.
The challenge remains to harmonize these federal and state efforts to ensure consistent and effective protections for children’s data privacy across the United States.
Another key divergence lies in the scope of covered entities. While some laws apply only to child-directed services, others extend to general audience websites that are likely to be accessed by children. Enforcement mechanisms also vary, with some laws relying primarily on regulatory action while others provide private rights of action.
These inconsistencies create regulatory gaps that sophisticated companies and bad actors can exploit, which clearly underscores the need for more harmonized approaches to children’s data protection that can keep pace with rapidly evolving technologies and business models that target young users.
How to close the fragmented legal landscape
To strengthen protections for children’s data privacy and close existing gaps, Thomson explains that a comprehensive approach at both federal and state levels is necessary, which specific steps including:
Establish a consistent age definition — A uniform age definition should be established across all jurisdictions to ensure consistent application of privacy protections. This would address the current discrepancies under which federal and state laws currently operate.
Improve monitoring tools for parents — Additionally, enhancing parental control mechanisms, such as developing more user-friendly tools, would allow parents to monitor and manage their children’s online activities effectively.
Expand the scope of protections of personal information — Specific efforts to reduce the exploitation of children online should include expanding the definition of personal information to encompass biometric data, reflecting the growing use of such data in digital services.
Improve transparency to parents — Require companies to provide clear, detailed disclosures about their data collection practices and any third-party sharing. This would help parents and guardians make informed decisions about their children’s digital interactions.
Strengthen consistent protection across geographies — Establishing global standards for children’s data privacy through international collaboration can also play a significant role in providing consistent protection across borders.
The splintered legal landscape protecting children’s data privacy creates regulatory gaps that sophisticated companies and illicit actors can exploit. As the digital world continues to evolve, it is imperative that lawmakers and regulatory bodies work together to establish a more cohesive and comprehensive framework for protecting children’s online privacy — one that will prioritize their safety, well-being, and rights in the face of increasingly complex technological advancements.
You can find out more about how organizations and individuals can fight against child exploitation both online and in the real world here
