S. 836: Children and Teens’ Online Privacy Protection Act

S. 836 would significantly widen federal online privacy protections by extending them to "teens," defined here as people who have attained age 13 and are under age 17. That means the bill covers two groups: children already protected under existing youth privacy law and teens age 13 through 16 who have often fallen into a gray area. The bill also broadens what counts as personal information, including not just names, addresses, phone numbers, and Social Security numbers, but also persistent identifiers like IP addresses and device IDs, geolocation information precise enough to identify a street name and city or town, photos, videos, audio files, biometric data such as fingerprints, iris or retina scans, facial templates, DNA, and gait, plus information linked or linkable to a child, teen, or parent.

The bill takes direct aim at behavior-based ad targeting. It would make it unlawful for operators to collect personal information from children or teens in violation of FTC regulations, and it bars collection for "individual-specific advertising to children or teens" unless specifically authorized by law or consistent with the transaction or service requested. That advertising category is defined broadly: marketing to a specific child or teen, or their device, based on personal information, profiling, or unique device identifiers. But it does carve out exclusions for responses to specific user requests like search queries, contextual advertising, ad performance measurement and reporting, and ads directed to an adult profile on a shared household device.

The bill also creates new rights for teens and for parents of children. They could ask companies for a description of the data collected and the methods and purposes of collection, demand deletion of personal information or submitted content, challenge inaccurate information and have it corrected, and get a copy of collected information if available. Companies also could not retain personal information longer than reasonably necessary to complete a transaction or provide a service, and they would have to maintain reasonable security practices to protect data confidentiality, integrity, and accessibility. If data is stored or transferred outside the United States, operators must give direct notice to parents in the case of children or to the teens themselves.

Enforcement would hinge on whether a company had "actual knowledge or knowledge fairly implied on the basis of objective circumstances" that a user was a child or teen. Congress is telling the Federal Trade Commission to clarify that standard fast: the FTC must issue guidance within 180 days of enactment. The bill also sets a reporting schedule that would keep pressure on regulators. The FTC must submit an enforcement report 1 year after enactment and annually after that, plus an oversight report 3 years after enactment on how platforms ensure compliance for apps directed to children. The Government Accountability Office must separately report to Congress 1 year after enactment on privacy and mental health issues involving teens using financial technology products. State laws would only be displaced where they conflict with this federal law, and states would still be free to adopt stronger protections.