The views expressed by contributors are their own and not the view of The Hill

States are protecting children’s online privacy, but Congress still needs to act

Adam Berry/Getty Images

On May 9, Maryland Gov. Wes Moore (D) signed into law the Maryland Age-Appropriate Design Code Act, also known as the Maryland Kids Code, to safeguard children’s online privacy. The Maryland Kids Code is partially modeled after the California Age-Appropriate Design Code Act or CAADC, which was enacted in September 2022.

Both laws emerged in response to several concerns about children’s privacy, such as online surveillance, excessive data collection, data monetization, and addiction to online services and products, to name a few.

Despite state action in this area, First Amendment and preemption concerns can impede state laws on children’s privacy. Moreover, exclusions for the connected physical devices we refer to as the “internet of things” can cause regulatory gaps. 

Congress should enact a comprehensive privacy statute to protect children’s privacy. Without congressional involvement, the patchwork of additional state laws regulating children’s privacy could proliferate. The level of privacy protection that minors are given should not depend on what state they happen to live in. 

The Pew Research Center reports that 72 percent of teenagers now have in-home access to computers, smartphones, and gaming consoles, with 65 percent having access to a tablet in 2023. Further, 97 percent of children aged 13 to 17 access the internet everyday (up 5 points from 2014). The average home has at least 21 connected devices, including connected gaming consoles.

Decades ago, a child could open a refrigerator at home, ring a neighbor’s doorbell or play with a toy without companies collecting data about these activities. With the rise of connected devices, this is no longer the case. Today’s children are undoubtedly leaving longer and more intricate digital footprints than previous generations. 

In a 2023 decision, a federal district court issued a preliminary injunction against the CAADC, finding that the CAADC’s requirement that companies estimate the ages of child users, among other things, raised significant First Amendment concerns. The California Attorney General has appealed this decision. Unlike the CAADC, the Maryland Kids Code does not contain an express age-estimation requirement. This difference could allow the Maryland Kids Code to avoid some of the CAADC’s perceived First Amendment weaknesses. 

It is too early to tell whether the CAADC will survive the ongoing legal challenge to its validity, or whether industry trade groups will initiate legal proceedings against the Maryland Kids Code.

Preemption doctrine presents another hurdle. The federal Children’s Online Privacy Protection Act of 1998 (COPPA) preempts inconsistent state laws. This limits states’ ability to enact laws that are incompatible with COPPA to protect children’s privacy more adequately. Both the CAADC and the Maryland Kids Code encourage covered businesses to consider children’s best interests in designing online services and processing children’s data. The CAADC and the Maryland Kids Code both provide protections to children under the age of 18, whereas COPPA only protects children under 13 — a significant loophole. Congress has failed to sufficiently update COPPA to address the modern privacy risks children face. While laws adopted by Congress are not free from First Amendment constraints, there is a pressing need for congressional intervention in this area. 

A significant shortcoming of both the CAADC and the Maryland Kids Code is their failure to cover (in contrast to COPPA) physical products, such as internet-connected toys. This exclusion likely means that the protections provided in both laws for children do not apply to such devices, despite the privacy and cybersecurity concerns they generate.

Congress should adopt a comprehensive privacy statute which protects both adults and children, simultaneously regulating consumer-connected devices and other online services. Congressional action to protect children’s online privacy beyond COPPA is long overdue.

Stacy-Ann Elvy is a professor of law and Martin Luther King, Jr. Hall Research Scholar at the University of California-Davis School of Law.

Tags children Internet privacy Wes Moore

Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.