Few groups garner more attention today than children online. For education, entertainment, and so much more, children’s access to the Internet is more important than ever before. To that end, the Federal Communications Commission, along with other government agencies, spends billions of dollars annually to ensure that every American classroom, and nearly every American home, has Internet access.
At the same time, legitimate concerns have emerged concerning the effects of prolonged technology use by children. As a result, nearly every Congress sees bills introduced—undoubtedly with good intentions—to protect children from harms that may befall them online.
Government has proven itself more than capable of spending money to promote access to the Internet. Sadly, it’s less adept at crafting legislation to protect children from online excesses. This Congress is no exception.
Consider the Kids Online Safety Act, or “KOSA,” that Congress introduced earlier this year. Who could be against kids’ online safety?
No one, of course. But this bill wouldn’t protect kids online. Instead, it would kill the Internet as we know it. And in the process, it would irreparably damage the lives of the 70-plus million American children who today learn, grow, and stay connected online.
Here’s how.
KOSA contains a large number of legal obligations and corresponding legal risks. The bill may have only been intended to apply to companies like Facebook, YouTube and other social media platforms that have drawn legislators’ ire. Political messaging about the bill certainly indicates this, with repeat callouts of “Big Tech” and “social media” in blog posts and the like.
But KOSA doesn’t only concern itself with social media. Instead, its rules and risks apply to “covered platforms,” which the bill’s publicly-available draft language defines as any “commercial software application[s] or electronic service[s] that connect[] to the internet and that [are] used, or [are] reasonably likely to be used, by a minor.”
This language is so extraordinarily sweeping that the definition of “covered platform,” and consequently all of KOSA’s obligations, would easily put at risk nearly every website, app, and device that accesses the Internet. Again, while this may not have been the authors’ intent, it is likely how the bill would be interpreted by at least some state attorneys general, all of whom would have the authority to enforce KOSA if enacted.
Let’s go one step further and consider just one of KOSA’s myriad obligations. Section 5 of the draft language currently requires “parental notification” prior to any time a “minor, or an individual that a covered platform reasonably believes is a minor” “register[s], use[s], or purchase[s] a covered platform.” That parental notification must include, among other things, access to myriad parental control tools required by the bill, as well as explicit details regarding how the entity will safeguard children’s online data. Only once the parent of the child explicitly acknowledges that they’ve received this notification can the child begin to use the website, app, or other entity that is considered to be a “covered service.”
Such a dance of the seven veils would be truly staggering in practice. Prior to a child registering, or even using, virtually any website, app, or online device, a parent would have to be notified and acknowledge receipt of that notification. Conceivably, every time a child opened Instagram on an iPhone, connected to Zoom classes online, or visited literally any website on the World Wide Web, a parent would need to be notified and affirmatively acknowledge that notification. Indeed, the bill’s draft language mandates that these notifications would be required not just when a minor encounters a new “covered platform,” but also each and every time that covered platform is actually used. Parents of teenagers would be inundated with hundreds, perhaps even thousands, of notifications per day that, by law, they would have to acknowledge receiving before their child could continue using the Internet.
Websites’ compliance with KOSA would be impossible too. Most websites do not know the age of their visitors, much less how to contact a visitor’s parents, nor should they. But under KOSA, websites, as “covered platforms” would by necessity be forced to identify users by age and identify their parents. A website might implement an entry portal requiring every visitor to confirm their age and how to notify parents. But would this be enough to satisfy KOSA? Who would be at fault if the user clicked the wrong box, either accidentally or on purpose? As for potential verification methods—for obvious reasons, surely there is no centralized database of minors that a website can cross-reference to determine whether a particular user is indeed a minor, and to then obtain parental contact information.
Websites would ultimately be faced with an impossible choice: (a) likely violate privacy laws and maintain information about minors’ association with their parents, or (b) violate KOSA and not send the required parental notifications.
But that’s not all. In the name of protecting children online, KOSA would open the business-sensitive algorithms of every website to review by third parties. If such public disclosures were required, copyrights, trade secrets, and the very foundations of intellectual property would be eroded and undermined.
A generation ago, Congress passed the Communications Decency Act. It too was designed to protect children from online harms. Among its provisions was Section 230, which provided websites safe harbor from certain legal liabilities regarding user-generated content in exchange for provisions to protect children.
Section 230 was carefully contemplated and crafted. But it failed to protect children because neither courts nor the executive branch were particularly interested in the child protection provisions of its text. While the safe harbor provisions of Section 230 have been widely hailed as the most important law protecting the Internet—and rightly so—no meaningful mechanisms to protect children have been required, despite Section 230’s clear textual commandment to do just that.
In contrast to Section 230, KOSA is poorly worded, poorly contemplated, and would do little to protect children if enacted. Only one thing is certain: its enactment would spell doom for the Internet. KOSA’s provisions are impossible to implement, as compliance would require herculean efforts by websites large and small, invading the privacy of minors and their families, and undermining the very foundations of intellectual property law and entire business models as we know them today. And given KOSA is an American law, American businesses would be most affected by its edicts. By necessity, American businesses, and much of the Internet as we know it today, would likely move offshore in response to its enactment.
There’s a famous proverb: the road to oblivion is paved with good intentions. While KOSA’s advocates no doubt have children’s best interests at heart, the actual bill, as it exists today, would ultimately spell doom for the Internet as we know it.