Only one of these online safety bills will keep kids safe
My first child was born seven weeks ago, and like many parents around the country, I am worried about what their future will hold. We have already asked ourselves questions like, “Will there be fouryear colleges in 18 years?” and “Will there be dry land in 18 years?”
Some of the questions revolve around technology. When is it safe for children to look at screens? Play video games? Go on Youtube? And, most scarily, join social media?
The urge to protect children online is strong and understandable, and I’m grateful that governments across the world are finally grappling with the problem. But the more I review the proposed solutions, the more I understand that the devil is in the details.
Take New York, which unveiled two very different laws to protect children online. The first, the Child Data Protection Act, was written in a way that treats children with respect and autonomy while protecting them from exploitation. The law would prevent tech companies from collecting and selling children’s data without their consent — a huge win. Selling anyone’s data without consent is wrong, but it’s particularly problematic when children’s data is made widely available. Each of us is creating an online digital identity, which cannot be edited or deleted, available to the highest bidder. That permanent record should not start with data collected from non-consenting children.
Another law, the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, has the laudable goal of preventing children from being exposed to harmful, addictive social media applications, but in practice it is a surveillance nightmare that puts LGBTQIA+ children at serious risk.
Take one major difference between these measures: The CDPA prevents selling data of users that a company has actual knowledge is a minor. This is a sensible rule, as the largest tech companies make their money by knowing the ages of their users. But, at the same time, it does not require tech companies to engage in extra snooping — forcing tech companies to identify every user would mean the end of anony
mous internet browsing, and it would be a cybersecurity nightmare. However, the SAFE for Kids Act requires social media companies to use “commercially reasonable efforts” to find out the ages of their users. In practice, this means that no one can use a social media application without proving their identity.
How is this to be implemented? Gov. Kathy Hochul has already ruled out setting one’s own birthday and ID verification, so the leading remaining option is to require every social media user to set up biometric surveillance on themselves and report their biometric data every time they create a social media account. The privacy and the cybersecurity risks are immense, and they will be felt by everyone, not just children.
Take another major difference between the CDPA and the SAFE for Kids Act — parental notification. The CDPA has no parental notification provision. The SAFE for Kids Act would require social media companies to report to parents every time a minor — anyone under 18, including college students and emancipated teenagers — tries to join a social media site. This includes Trevorspace, a social media platform for LGBTQIA+ youth. New York is on the cusp of outing thousands of queer children to potentially homophobic and transphobic parents, putting them at risk.
My child, Eden, is just a few weeks old, but I know that they will be online before I’m ready. But just as I worry about jobs, education and the climate, I am worried about what “online” will look like. I hope the government can create a safe environment for children, one that respects their privacy while preventing the harms we see mounting every day. But New York is giving me no assurances.
Now that the SAFE For Kids Act has passed, we urge Gov. Hochul to veto it. And we urge her to sign the Child Data Protection Act.
David Siffert is the legal director at the Surveillance Technology Oversight Project.