This bill expands existing online privacy protections to include teens (ages 13-16) by updating definitions, strengthening consent requirements, and prohibiting certain data collection and advertising practices for operators of online and mobile applications.
Edward "Ed" Markey
Senator
MA
The Children and Teens’ Online Privacy Protection Act significantly updates existing law to expand online privacy protections for individuals aged 13 to 16. It broadens the definition of personal information collected online and imposes stricter requirements on operators regarding notice, verifiable consent, and data use for advertising. The bill also mandates studies on application oversight and the privacy risks associated with teens using financial technology products.
New Privacy Bill Extends COPPA Protections to Teens Ages 13-16 and Bans Targeted Ads for Minors
The Children and Teens’ Online Privacy Protection Act is a major digital upgrade to the 1998 laws that currently only protect kids under 13. This bill effectively raises the 'privacy age' to 16, requiring apps and websites to get verifiable consent before grabbing data from young teens. It also hits the brakes on the data-tracking machine by banning individual-specific advertising—those ads that follow you around the web—for anyone under 17. Beyond just names and emails, the bill expands protected 'personal information' to include things like your kid's face (facial templates), their voice recordings, and even their precise GPS location down to the street name.
Digital Bodyguards for the High School Crowd
Under Section 2, the rules for how tech companies treat 13- to 16-year-olds are getting a lot stricter. Currently, once a kid hits 13, they are often treated like adults in the eyes of data brokers. This bill changes that by requiring companies to obtain 'verifiable consent' from the teens themselves before collecting their info. For parents, this means you gain the right to see exactly what data a company has on your child, the power to correct it if it's wrong, and the 'delete' button to wipe it out entirely. For example, if your 14-year-old signs up for a new social app, the company can’t just quietly build a profile of their habits to sell to the highest bidder; they have to be transparent and get permission first.
Closing the 'Internal Operations' Loophole
The bill also tightens the screws on how companies use data for 'internal operations.' While apps can still collect some data to keep the lights on—like fixing bugs or authenticating users—Section 2 explicitly says they can’t use that 'internal' data to build a secret profile or nudge a teen to stay on the app longer. This is a direct hit to the 'infinite scroll' algorithms that thrive on user data. However, there is a bit of a gray area: the bill allows 'contextual advertising.' This means if a teen is looking at basketball scores, they might see an ad for sneakers. While this is better than tracking them across the whole internet, the line between 'contextual' and 'targeted' can sometimes get blurry in practice.
The Schoolhouse Exception and the 'Fairly Implied' Standard
One practical shift happens in the classroom. Section 2 allows schools to sign off on data collection for educational tools without needing a parent’s signature every single time, provided the data is used only for schoolwork. This keeps the tech running in the classroom but puts the burden on the school to monitor those contracts. Perhaps the most debated part of the bill is the 'knowledge fairly implied' standard. Instead of companies being able to say, 'We didn't know they were 14,' the FTC will now look at whether a reasonable person would have known the user was a minor based on the circumstances. While this stops companies from playing dumb, it also leaves some room for interpretation that might lead to legal tug-of-wars over what 'fairly implied' actually looks like in the real world.