Revised Kids Online Safety Act (Free Preview)

Revised Kids Online Safety Act (Free Preview)
Photo by Katherine Hanlon on Unsplash


A significantly changed “Kids Online Safety Act” emerges as one of the Senate Commerce chair’s countermoves to the “American Data Privacy and Protection Act” (ADPPA) moving to the full House.


In July, Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) held a markup of two bills, either of which could have been the bill Congress passed in response to the focus on data privacy had ADPPA not come along. Cantwell has long eschewed the bill even though it uses the same framework as her data privacy bill, the “Consumer Online Privacy Rights Act“ (COPRA) (S.3195), with admittedly significant differences (see here for analysis and detail on the first iteration of COPRA that is almost the same as the latest version.) Cantwell vowed in early July to mark up privacy bills, and she was true to her word with both the “Kids Online Safety Act” (S.3663) and “Children and Teens’ Online Privacy Protection Act,” (S.1628) coming before the committee. This edition examines the significantly changed, and some would say weakened, “Kids Online Safety Act.”


The Senate Commerce, Science, and Transportation Committee marked up a pair of data privacy bills that focus on teens and children in late July as a countermove to the House Energy and Commerce Committee proceeding with marking up the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152), the broader bill that the chair of the Senate Commerce committee opposes. As has been extensively reported, Senator Maria Cantwell (D-WA) declined to join Ranking Member Roger Wicker (R-MS) and House Energy and Commerce Committee Chair Frank Pallone Jr. (D-NJ) and Ranking Member Cathy McMorris Rodgers (R-WA) in introducing ADPPA. Cantwell reportedly wanted a range of changes and refused her support. In early July, Cantwell had pledged to marking up data privacy bills pertaining to children and teens, in part, to appease Members of her committee inclined to support ADPPA.

And so, at the 27 July markup, the committee took up The “Kids Online Safety Act” (KOSA) (S.3663) (see here for more detail and analysis on the bill as introduced) and the “Children and Teens’ Online Privacy Protection Act,” (S.1628) (see here for more detail and analysis of the original version.) This edition of the Wavelength will analyze the first bill with the other to be analyzed in a forthcoming edition.

Cantwell may have been trying to appease Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN), the chair and ranking member of the Consumer Protection, Product Safety, and Data Security Subcommittee and are leads on many of these issues. At some point earlier this year, Blumenthal and Blackburn, the sponsors of KOSA, reportedly reached a deal on a data privacy bill before ADPPA that Cantwell spiked. Hence, Cantwell bringing their bill on online privacy for children and teens was probably, in part, an attempt to mend fences.

Blumenthal and Blackburn introduced KOSA earlier this year in response to the revelations of Facebook whistleblower Frances Haugen regarding how the company’s subsidiary Instagram knew its product was harming girls and teens with body-image issues. Blumenthal and Blackburn are the chair and ranking member of the Consumer Protection, Product Safety, and Data Security Subcommittee and are leads on many of these issues.

Blumenthal and Blackburn unveiled a new version of KOSA for the markup and a suite of changes to the new version of KOSA. Other Senators successfully added language changing KOSA. Moreover, Wicker indicated at the markup that a number of the changes came at his insistence and that he will need to see more changes if KOSA is to advance. For ease of comprehension, I will treat the Blumenthal/Blackburn substitute amendment and their amendment to this bill as one document unless necessary to do otherwise.

Overall, the version of KOSA that emerged from committee is weaker than the bill introduced in February, which was already one of the more social media platform friendly bills in the children and teen’s online privacy space.

Subscribe to read the rest.

Other Developments

The International Telecommunication Union (ITU) elected Doreen Bogdan-Martin, the candidate of the United States, as the organization's next Secretary-General “with 139 votes, out of 172 votes cast.” Bogdan-Martin defeated Rashid Ismailov, the Russian Federation’s candidate. She will succeed Houlin Zhao of the People’s Republic of China.

The European Parliament adopted amendments to the Radio Equipment Directive that will mandate that “all mobile phones, tablets and cameras sold in the EU will have to be equipped with a USB Type-C charging port” by the end of 2024. The Parliament added that “[f]rom spring 2026, the obligation will extend to laptops.” The Parliament stated that the law “is part of a broader EU effort to reduce e-waste and to empower consumers to make more sustainable choices.”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) published a joint cybersecurity advisory “about control system defense for operational technology (OT) and industrial control systems (ICSs)…intended to provide critical infrastructure owners and operators with an understanding of the tactics, techniques, and procedures (TTPs) used by malicious cyber actors.”

The Australian Federal Police arrested a man “for allegedly attempting to misuse stolen Optus customer data in a text message blackmail scam.”

The United States House of Representatives passed  the “Merger Filing Fee Modernization Act of 2022” (H.R.3843), the “Informing Consumers about Smart Devices Act” (H.R.4081), the “Artificial Intelligence Training for the Acquisition Workforce Act” (S.2551), and the “FedRAMP Authorization Act” (H.R.8956).

The United Kingdom’s (UK) Information Commissioner’s Office (ICO) “launched a second consultation on a draft code of practice about using personal data for journalism (the code)” “[f]ollowing the first consultation that ended in January 2022.” The ICO said it “considered the feedback received from the media industry and other stakeholders, and significantly reduced the length and overall complexity of the code.”

The European Commission “adopted two proposals to adapt liability rules to the digital age, circular economy and the impact of global value chains: Firstly, it proposes to modernise the existing rules on the strict liability of manufacturers for defective products (from smart technology to pharmaceuticals)” and “Secondly, the Commission proposes for the first time a targeted harmonisation of national liability rules for AI, making it easier for victims of AI-related damage to get compensation.”

The Australian Competition and Consumer Commission (ACCC) ACCC announced the launch of “two internet sweeps to identify misleading environmental and sustainability marketing claims and fake or misleading online business reviews.”

The European Union’s Coordinated Supervision Committee's (CSC) biannual report was published that discusses the body’s progress on its “aims to enhance cooperation among the different data protection supervisory authorities and ensure a more effective supervision of EU large-scale IT systems and of EU bodies, offices and agencies.”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) issued “Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, that directs federal civilian agencies to better account for what resides on their networks.”

The United States (U.S.) National Institute of Standards and Technology (NIST) Cybersecurity for the Internet of Things (IoT) program released two new documents:

§  The final version of Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425). The public draft (June 2022) took the consumer IoT cybersecurity criteria from our February 2022 white paper on Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products and formally incorporated them into NIST’s family of IoT cybersecurity guidance. This final version addresses feedback received by NIST on the June 2022 draft.

§  Workshop Summary Report for “Building on the NIST Foundations: Next Steps in IoT Cybersecurity” (NIST IR 8431). This IR reviews the keynote presentations from our June 2022 virtual workshop, and identifies NIST’s key takeaways and next steps based on the workshop discussions and Q&A.

The United Kingdom’s Competition and Markets Authority “published its response to the Department for Culture, Media and Sports consultation on a pro-innovation approach for regulating AI” that “highlights the importance of equipping regulators with the appropriate tools to intervene against the most harmful practices of AI systems, welcomes government’s support for voluntary regulatory fora such as the Digital Regulation Cooperation Forum (DRCF) as a means of avoiding algorithmic harms from being missed as a result of gaps between regulators priorities, and emphasising the importance of advocating a risk-based approach internationally – evolving that position as AI technology develops and matures.”

The United States (U.S.) Department of Justice announced that “[t]he Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime (“Data Access Agreement” or “Agreement”) entered into force.”

Commission Nationale Informatique & Libertés (CNIL), France’s data protection authority, “analysed the main types of age verification systems in order to clarify its position on age verification on the Internet, particularly on pornographic sites for which such verification is mandatory…[and] finds that such current systems are circumventable and intrusive, and calls for the implementation of more privacy-friendly models.”

United States (U.S.) Senators Angus King (I-ME), John Cornyn (R-TX), Tim Kaine (D-VA), and other Senators introducedbipartisan legislation to establish a China Grand Strategy Commission tasked with developing a comprehensive whole-of-government approach for how the United States should address the economic, security, and diplomatic challenges posed by China.”

Australia’s and New Zealand’s “information commissioners and ombudsmen” highlighted “the importance of government agencies developing robust digital systems that strengthen the community’s access to information.”

The United Kingdom’s (UK) Information Commissioner’s Office (ICO) took action “action against seven organisations who have failed to respond to the public when asked for personal information held about them, known as a Subject Access Request (SAR).”

The Estonian Information System Authority summarized “the cyber attacks against Estonian media portals based on information communicated to them…[and] [c]ompared to the last two years, the number of cyber attacks has increased.”

The United States Government Accountability Office (GAO) published a report titled “Nuclear Weapons Cybersecurity: NNSA Should Fully Implement Foundational Cybersecurity Risk Management Practices.”

The Australian Cyber Security Centre has published resources to help Australians manage the Optus data breach.

The United Kingdom’s National Cyber Security Centre (NCSC) published “tailored advice to support online retailers, hospitality providers, and utility services protect themselves and their customers from cyber criminals.”

The European Commission proposed “a European Media Freedom Act, a novel set of rules to protect media pluralism and independence in the European Union.”

United States (U.S.) Anna G. Eshoo (D-CA) “urged the National Security Advisor (NSA) and the Office of Science and Technology Policy (OSTP) to address the release of unsafe AI models that do not moderate content made on their platforms, specifically the Stable Diffusion model released by Stability AI on August 22, 2022.”

The European Data Protection Board (EDPB) “adopted its opinion on the EuroPrise certification scheme submitted to the Board by the German DPA of North Rhine Westphalia…[the] second EDPB consistency opinion on criteria for a nationwide certification scheme.”

The United Kingdom’s (UK) Information Commissioner’s Office offered advice on “the right of access…commonly known as making a subject access request (SAR)” based on complaints and how those complaints are resolved.

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) announced that “Protective Domain Name System (DNS), our latest shared service offering, is available to all federal civilian agencies…with modernized capabilities to detect and prevent threats in internet traffic and raise our collective cyber defense.”

The United Kingdom’s Digital Regulation Cooperation Forum (DRCF) published its response to the input on two papers “on the benefits and harms of algorithms, and on the landscape of algorithmic auditing and the role of regulators, respectively.”

The Commission Nationale Informatique & Libertés (CNIL) published advice for people whose personal information was accessed and leaked by hackers.

The United Kingdom’s (UK) Information Commissioner’s Office published guidance that “discusses the research provisions in the UK GDPR and the DPA 2018 in detail…aimed at DPOs and those with specific data protection responsibilities in organisations undertaking research, archiving or processing for statistical purposes.”

Tweet of the Day

Further Reading

Chinese hacking group targeting US agencies and companies has surged its activity, analysis finds” By Sean Lyngaas — CNN

Tech companies are gaming out responses to the Texas social media law” By Elizabeth Dwoskin — Washington Post

Facebook And Instagram Are Full Of Violent Erotica Ads From ByteDance- And Tencent-Backed Apps” By Emily Baker-White — Forbes

Coding in a war zone: Ukraine’s tech industry adapts to a new normal” By John Beck — Rest of the World

Apple’s €1.1 Billion French Antitrust Fine Slashed by 66%” By By Gaspard Sebag — Bloomberg

Elon Musk Offered to Buy Twitter at a Lower Price in Recent Talks” By Kate Conger and Michael S. Schmidt — The New York Times

From today, America and UK follow new rules on how they can demand your data from each other” By Thomas Claburn — The Register

Australian Man Arrested in Alleged Scam of Optus Hack Victims” By Keira Wright — Bloomberg

Russia and China are promoting US voting misinformation ahead of midterms, FBI warns” By Sean Lyngaas — CNN

Whatever Happened to Those Self-Service Passport Kiosks at Airports?” By Heather Murphy — The New York Times

Experts: Russia finding new ways to spread propaganda videos” By David Klepper — Associated Press

Taiwan Pledges to Keep Advanced Chips From Chinese Military” By Debby Wu ­­­— Bloomberg

Satellite Billboards Are a Dystopian Future We Don’t Need” By George Dvorsky — Gizmodo

U.S. crafting new rules aimed at curbing China’s advanced computing” ­By Ellen Nakashima and Jeanne Whalen — Washington Post

Russian court fines TikTok for not deleting LGBT content” — Associated Press

CYBER: How Corporations and Governments Use Games to Control Us” by Matthew Gault — Vice

Micron Pledges Up to $100 Billion for Semiconductor Factory in New York” By Steve Lohr — The New York Times

Former Uber Security Chief Found Guilty of Hiding Hack From Authorities” By Cade Metz — The New York Times

Seattle hacker gets probation for $250M Capital One data breach” By Corin Faife — The Verge

Political Advertisers Say They Are Stuck Using Facebook Even Though It Kinda Sucks” By Mack DeGeurin — Gizmodo

Facebook Is the Only Game in Town for Digital Political Ads” By Anna Edgerton — Bloomberg

TikTok Seen Moving Toward U.S. Security Deal, but Hurdles Remain” By Lauren Hirsch, David McCabe, Katie Benner and Glenn Thrush — The New York Times

LA School District Says Hackers Accessed Massive Database” By Margi Murphy — Bloomberg

Can Smartphones Help Predict Suicide?” By Ellen Barry — New York Times

Suspected Chinese hackers tampered with Canadian chat program: researchers” By Raphael Satter and Christopher — Reuters

Coming Events

§ 11 October

o   The European Data Protection Board will hold a plenary meeting.

o   The United Kingdom’s (UK) House of Commons’ Digital, Culture, Media and Sport Committee will hold a formal meeting (oral evidence session) as part of its inquiry “Connected tech: smart or sinister?”

§ 12 October

o   The United Kingdom’s (UK) House of Commons’ Science and Technology Committee will hold a formal meeting (oral evidence session) in its inquiry “R&D Policy one-off.”

§ 13 October

o   The United Kingdom’s House of Lords’ Communications and Digital Committee will hold a formal meeting (oral evidence session) in its inquiry “A creative future.”

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media” with this agenda.

§ 20 October

o   The European Parliament’s special committee on Pegasus spyware will hold a hearingtitled “The impact of Spyware on Fundamental Rights.”

§ 26 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 27 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.

Photo Credits

Photo by Jeremy Bishop on Unsplash

Photo by Mike Ko on Unsplash

Photo by Daniel Olah on Unsplash

Photo by Adrien Olichon on Unsplash

Photo by Alex Rodríguez Santibáñez on Unsplash

Photo by Luca Bravo on Unsplash