As Facebook faces fire, U.S. laws protecting kids online languish behind Europe

Facebook Inc. faces another tongue-lashing on Thursday on Capitol Hill, but little can be done until Congress updates U.S. law on kids and online services.

The Children’s Online Privacy Protection Act, or COPPA, was passed in 1998 — when Facebook founder Mark Zuckerberg was 14 and still six years away from creating the social network. COPPA requires the Federal Trade Commission to issue and enforce regulations concerning children’s online personal information, but little has changed in the law since smartphone apps like Facebook and Instagram changed the way humans interact with the internet.

The last significant alteration came in 2013, when the definition of “personal information” was updated to include photos, voice and personal identifiers such as IP address. The result is a law that protects some data children generate online, but doesn’t do much else.

“A product can be COPPA-compliant, but still bad for kids and their mental and emotional well-being. Privacy is just one component,” Ariel Fox Johnson, senior counsel of global policy at Common Sense Media, told MarketWatch. The impact of social media is “bad for their mental well-being when their brains are still developing and peer pressure is intense,” she added.

On Thursday, Facebook’s global head of safety is expected to face a hostile crowd of lawmakers in the wake of a Wall Street Journal investigation on internal Facebook research detailing Instagram’s effects on young people, and the same Senate subcommittee’s chair, Democratic Sen. Richard Blumenthal of Connecticut, said a “Facebook whistleblower” will testify. Facebook executives have been roasted repeatedly in congressional hearings for alleged monopolistic behavior, data-privacy concerns and other failings, which have led to no significant successes in passing new laws or updating old ones.

“These hearings have devolved into becoming platforms for politicians to feature on C-SPAN or in headlines on the business pages of newspapers. They lose their value if they keep occurring on a regular basis with one docket of complaints after another, with no meaningful change in legislation,” Bhaskar Chakravorti, dean of global business at the Fletcher School at Tufts University, told MarketWatch.

Late Wednesday, Facebook released its internal research on the impact of Instagram on teens, which it said it also provided to Congress.

Privacy law for minors in the U.S., like Big Tech antitrust action and data-protection legislation, is acutely behind the efforts of Europe, where Alphabet Inc.’s Google has rung up billions of dollars in fines, and regulators and courts are far more aggressive in enforcing what’s on the books.

Online privacy law for youths in Europe was recently expanded with the UK’s Age Appropriate Design Code, also known as the Children’s Code, adding to the EU’s General Data Protection Regulation, or GDPR, which covers child privacy. The UK’s design law, which went into effect in early September, requires companies that target users younger than 18 to comply with 15 standards. The code calls for privacy settings to be high by default for children, to collect and retain only the minimum amount of data on users, and to have geolocation switched off and an opt-in option. Google search, YouTube and Instagram were among the services that announced changes this summer ahead of the law taking effect.

There is legislation for similar actions floating around Congress, which has not established an overarching data-protection law similar to GDPR. Sen. Edward Markey, D-Mass., who sits on the Senate Commerce subcommittee that will question Facebook executive Antigone Davis, has introduced a bill that many refer to as “COPPA 2.”

Markey, who has made several attempts over the years to update COPPA, co-authored a bill with Sen. Bill Cassidy, R-La., called the Children and Teens’ Online Privacy Protection Act. It would prohibit internet companies from collecting personal information from anyone 13 to 15 years old without the user’s consent; create an online “Eraser Button” that requires companies to give users the ability to eliminate a child or teen’s personal information; and implement a “Digital Marketing Bill of Rights for Minors” that limits the collection of personal information from teens.

A House bill from Rep. Kathy Castor, D-Fla., called “Kids PRIVCY Act,” incorporates key elements of the U.K. law, including expansion of coverage to sites likely to be accessed by children and teenagers, a requirement for a Privacy and Security Impact Assessment, and a call for companies to “make the best interests of children and teenagers a primary design consideration.”

In the U.S., COPPA enforcement has been inconsistent and fines nominal: Alphabet Inc. parent Google and its YouTube subsidiary paid $170 million in September 2019 to settle allegations by the FTC and the New York Attorney General that YouTube “illegally collected personal information from children without their parents’ consent,” violating COPPA, according to the FTC. The $136 million penalty paid to the FTC is the largest levied by the agency since Congress enacted COPPA.

Johnson characterized the fine as “a slap on the wrist” for a company the magnitude of Google, whose market value is roughly $1.9 trillion. In Europe, Google has been fined a total of nearly $10 billion in separate actions.

The seeds for real privacy law change in the U.S. tend to start at the state level, creating a patchwork of laws that can be hard to enforce and even harder to comply with for Facebook, Google or Apple Inc., Proton’s Fossen said. Two laws in California — the California Consumer Privacy Act of 2018 and Student Online Personal Information Protection Act (2015) — have influenced federal legislation, according to Common Sense’s Johnson, whose organization has helped craft the two state privacy laws but faced resistance from Facebook on CCPA.

“It takes states like California to move the needle; there has been pure dysfunction in D.C.,” Common Sense Chief Executive Jim Steyer told MarketWatch.

“Washington has been completely missing in action for essentially 20 years.”