Children and Teens’ Online Privacy Protection Act
S.836 – Children and Teens’ Online Privacy Protection Act (updates COPPA, bans targeted ads to minors)
119th Congress
S.836 would update the 1998 Children’s Online Privacy Protection Act to cover both children under 13 and teens ages 13–16 across websites, apps, games, and connected devices. It sets new limits on how companies can collect, use, share, store, and transfer young people’s personal data, and blocks individual-specific advertising to them. The bill was introduced in the Senate and referred to the Commerce, Science, and Transportation Committee.
- Bill Number: S836
- Chamber: Senate
What This Bill Does
This bill updates federal online privacy rules for young people by expanding protections beyond children under 13 to also cover teens ages 13 through 16. It defines key terms such as “teen,” “personal information,” “connected device,” “mobile application,” and “individual-specific advertising to children or teens.” Personal information is broadened to include persistent identifiers, precise location, biometric data, and photos, videos, or audio files showing a child’s or teen’s image or voice, with a narrow exception for short-lived voice recordings used only to carry out a request.
The bill makes it unlawful for an operator of a website, online service, online app, mobile app, or connected device that is directed to children, or that knows a user is a child or teen, to collect personal information in ways that violate Federal Trade Commission (FTC) rules. Operators may not collect, use, share, or keep a child’s or teen’s personal information for individual-specific advertising, and they may not let others do so. Operators can only collect personal information when it fits the context of the service or is required by law. They must not keep the information longer than reasonably needed to provide the requested service, and they must give notice if they store or transfer a child’s or teen’s personal data outside the United States.
The bill strengthens consent and control. It redefines “verifiable consent” so that, for children, parents must approve data practices, and for teens, the teens themselves must approve, after receiving clear notice. Operators must clearly explain on their sites what data they collect from children and teens, how they get it, and how they use, share, and retain it. Parents and teens gain rights to see what data has been collected, to delete it, to stop further collection and use, and to correct inaccurate information. Operators must maintain reasonable security practices to protect these data.
For education technology, the bill allows schools and educational agencies to stand in for parents or teens in giving consent, but only under a written agreement with an operator. That agreement must limit the operator’s data use to educational purposes, forbid other commercial uses, explain what data are collected and why, link to the operator’s privacy notice, and give the school a way to review, delete, or stop further collection of student data at a parent’s or teen’s request. The school must also disclose which operators it uses and share the operator’s notices with parents and teens on request.
The bill directs the FTC to update its regulations to reflect these changes. It requires rules that allow parents or teens to ask for deletion or correction of data without losing access to a service, if the service can run without that information. It also clarifies that deletion requests do not override legal recordkeeping duties, law enforcement needs, or security functions, and lets operators keep minimal records to prove they complied with deletion requests. The FTC must study whether a shared “common verifiable consent” system is workable and, if so, can issue rules to allow such a system for multiple related services.
Enforcement powers are also clarified. State attorneys general, along with the FTC and banking regulators for insured depository institutions, can enforce the updated rules. The bill explains how regulators should decide whether a company has “knowledge fairly implied” that a user is a child or teen, using a totality-of-the-circumstances test, but it states that companies do not have to add age-verification systems or collect extra age data they do not already gather. The FTC must issue nonbinding guidance on what counts as implied knowledge, and all new regulations must include an analysis of impacts on small businesses.
Beyond direct rules, the bill orders several studies and regular reports. The FTC must report annually to Congress on its enforcement of the children’s privacy law, including numbers of investigations, actions, complaints, and any policy or legislative recommendations to improve protections. Within three years, the FTC must also report on how app platforms oversee apps aimed at children and whether those apps follow the law and FTC rules on unfair or deceptive marketing. Separately, the Government Accountability Office (GAO) must study how teens use financial technology products, what privacy risks they face, and whether existing laws are enough, and then report back with any legislative or regulatory recommendations.
A severability clause ensures that if one part of the Act is struck down, the rest remains in effect.
