How Does the American Privacy Rights Act Protect Children?

In the most significant step towards a comprehensive US data protection policy in quite some time, a discussion draft of the American Privacy Rights Act (APRA) was released last Sunday. Many federal legislative proposals in recent years have been bipartisan, but the fact that this is also bicameral improves its chances of making it to the finish line. While APRA does not contain as many provisions related to minors as the previously proposed comprehensive data protection law, the American Data Privacy and Protection Act, it does have some details that would impact how minors’ data is used.

What APRA Says About Minors

1. Definition of a covered minor

For the purposes of this bill, the age of majority is 17. For reference, the age of consent for collection and use of data is currently 13 in the US; in the EU, 13, 14, 15, and 16 are all operative ages for digital consent in various countries. A recently passed data protection law in Florida makes 18 the age majority. (The proposed federal Kids’ Online Safety Act (KOSA) and Children and Teens’ Online Privacy Protection Act (COPPA 2.0) also have 17 as the age of majority.) No detail is given as to the standard by which entities in scope of the bill are meant to establish ages; under the current regime, the standard is “actual knowledge,” which can be established by merely asking a user to state their age.

2. Sensitive covered data

One of APRA’s key concepts is “sensitive covered data.” This includes categories typically classified as personally identifiable information (PII), as well as some others, including intimate imagery, and information regarding health, sexual behavior, and video watching history. Also included here is “[i]nformation about an individual who is a covered minor.”

3. Algorithmic harm assessments

APRA requires certain data-holding entities to conduct assessments related to algorithms that they employ, and to include mitigation plans for certain harms that may result from the use of these algorithms. The bill includes a fairly constrained list of the harms that are relevant here, most of which relate to inequities, such as access to housing or negative impacts associated with protected characteristics. However, also included is an otherwise undefined category of harm “related to ... covered minors.”

Sensitive data

APRA is not the first bill to classify information about children as “sensitive” data that is subject to stricter rules. At least nine US states have had bills including very similar provisions up for discussion, and this language passed into law in (at least) Florida, New Hampshire, Tennessee, and Texas. There are several ramifications of APRA’s inclusion of information about children under the rubric of “sensitive covered data.” Of particular note:

• Affirmative consent is needed to transfer any of this data to a third party, who can then only process, retain, or transfer that data on for the purpose that consent was granted.
• Entities must establish consent withdrawal mechanisms for this data.
• Sensitive covered data cannot qualify for the “publicly available information” exemption from certain provisions of this law.
• Whereas, within bounds, the collection, processing, retention, or transfer of certain data is generally permissible for the purposes of delivering contextual or targeted advertising, that is not the case for sensitive covered data.

Preemption of Age Appropriate Design Codes?

One of the trickiest political challenges around this bill is that of preemption. Certain exceptions to preemption are explicitly granted, but there is one particular set of bills and laws that may be in question. Age-appropriate design codes have been framed as data protection laws—though their provisions typically go beyond questions of privacy and seek to prevent a variety of harms to minors. Only two of these bills have passed—California’s in 2022 and the Maryland Kids Code was sent to the Governor’s desk at the end of last month—but others have been proposed. If these are classified as privacy laws, they could be preempted in whole or in part by APRA, if it is passed.

Integrating Other Federal Bills

Also this week, the House of Representatives saw the introduction of partner bills to the Senate’s two leading contenders for legislation aimed at protecting children online, KOSA and COPPA 2.0. A hearing has been announced to discuss all three of these bills together, suggesting the possibility that there may be some future version of APRA that incorporates more rules relating to children into a broad data protection law. Notably, one of COPPA 2.0’s main protections is the ability to demand the deletion of a minor’s data; APRA would give a right of deletion (amongst others) to all Americans. Commentators have long called for the prioritization of a comprehensive federal data protection law, while Congress has been more focused on piecemeal measures regarding children. For the first time in a while, there may be a chance for the former to come to fruition.