For decades, the Children’s Online Privacy Protection Act (COPPA), a federal law that regulates data collected from children under 13, has been the only law to expressly address privacy for minors’ information other than student data. Bipartisan efforts to expand COPPA and other attempts at federal legislation to address online and data privacy for users under the age of 18 have repeatedly stalled in the past few years.
In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children. This follows a common pattern in which states filled the gaps left by an absence of federal privacy law — seen with the proliferation of state legislation on data breach notification, health, artificial intelligence and now, children under 18. Without preemptive federal legislation, these state laws create a dizzying and challenging compliance patchwork for businesses, with laws that are interpreted and enforced by regulators with varying priorities.