Anna Washenko, reporting for Engadget Thursday:

Today the US Senate unanimously passed proposed legislation known as COPPA 2.0. This measure, fully named the Children and Teens’ Online Privacy Protection Act, aims to create new protections for younger users online, such as blocking platforms from collecting their personal data without consent.

COPPA 2.0 is a modernized take on the Children’s Online Privacy Protection Act of 1998, attempting to address recent changes in common online activities, like targeted advertising, that could prove harmful to minors. Lawmakers have made several attempts to get this bipartisan bill through. While it has made varying amounts of headway in the Senate, none of the COPPA 2.0 bills to date have gotten past the House of Representatives. Industry groups such as NetChoice have previously opposed COPPA 2.0 and other measures around minors’ online activity such as KOSA, the Kids Online Safety Act. NetChoice members include Google, YouTube, Meta, Reddit, Discord, TikTok, and X.

COPPA 2.0 is a better law than the fundamentally flawed KOSA, but it’s still a bad, ambiguous law. Some of the provisions are good, like the one that raises COPPA’s enforcement age to 17, but others are entirely ambiguous, like the age verification provision, which is what I want to focus on. The original COPPA only says that a company must adhere to the law — or be punished under it — only if it has actual knowledge that a user is under 13. This means that by including a checkbox on their site that asks users if they’re old enough to use the site, social media companies satisfy this requirement and cannot be punished, because technically they have no way of knowing that an underage user might be lying when they click that checkbox.

COPPA 2.0 significantly strengthens this provision. According to the Senate’s version of the law, which passed on Thursday, companies can be punished if they have “actual knowledge or knowledge fairly implied on the basis of objective circumstances.” The “or” there is doing a lot of heavy lifting, as the law doesn’t explain what an objective circumstance is. If there were to be a child safety lawsuit after this law clears Congress and is signed into law, social media companies would have to prove in court that they couldn’t have inferred a user’s age. Documents produced by these companies in recent years show that Meta, Roblox, and others are decent at implying users’ ages, so disproving that they can’t would be challenging. Notably, the bill does not ask whether a company has indeed inferred an age — it just says that a company can be punished as long as it has the capability to infer a user’s age.

The ambiguity of this provision, however — the fact that companies can be punished based on whether a court concludes that a platform could have inferred a user’s age — means that social media conglomerates won’t be taking any risks with their users’ ages any longer. If this bill passes despite their objection, they will all begin implementing identity verification procedures to protect themselves against this provision. There would be no ambiguity as to whether or not a company could infer a user’s age if the company has verifiable evidence of their age to begin with. If this doesn’t make sense, my point is that the bill is a legal liability for the companies. No literal obligation to verify users’ ages will be imposed, but an ambitious, implied one will be. If a company is thought to be able to infer a user’s age, they’re open to punishment. These corporations’ legal departments probably won’t want to play with fire — the fire being a $50,000 loss per underage user.

This bill is clearly crafted not to encourage surveillance — it’s ambiguous in that regard! — but to punish technology companies. You can feel however you want about that, but that’s an objective truth. It places a burden on the companies and doesn’t explain how they can absolve themselves of it — that’s some of the most anti-company regulation the government can pass, except for literally ruling its behavior is illegal (like the European Union did). I have faith that this bill won’t pass, but it doesn’t change the fact that the government ought to be passing data privacy laws that protect users’ identification cards and other sensitive information. And I also don’t think it’s a bad idea for the market to self-regulate to prevent onerous, anti-consumer legislation. In particular, I think Apple, Google, and Microsoft should step up and position themselves as true verifiers of users’ ages. By encouraging parents to enter their children’s ages correctly at device setup — or inferring a user’s age by the age of their Gmail or iCloud account — then sharing that data anonymously with developers, I believe most of these problems can be alleviated. No IDs required.