Communications Litigation Today was a Warren News publication.
‘Great Caution’

New York AG Considers Sweeping Telecom Into Age-Verification Rules

New York Attorney General Letitia James (D) is considering regulating telecommunications companies with age-verification rules that normally are reserved for social media platforms.

The state is developing rules for two kids’ online safety laws: the Stop Addictive Feeds Exploitation (Safe) for Kids Act and the Child Data Protection Act (see 2408010011). A questionnaire for the Safe Act asks how the state could protect privacy if it collected age-verification information from telecom companies, smartphone operators, email services and banks. Comments were due Monday on Advanced NPRMs for the two laws.

Congress, too, is grappling with proposals concerning kids’ online safety and age verification. The Senate version of the Kids Online Safety Act (S-1409), which the chamber passed in July (see 2407300042), specifically exempts common carriers, broadband providers and email services from its list of covered platforms.

The Software and Information Industry Association urged caution if New York decides to rely on data from telecoms, email services, cellphone providers and banks. “These companies and the data they are charged with collecting and protecting are subject to a variety of state and federal privacy laws,” said SIIA. “Using data in this manner may be far outside the scope of what those privacy laws allow. Any effort to rely on these entities should be done with great caution.”

NCTA and CTIA have registered lobbyists on issues related to the Kids Online Safety Act, according to filings with the Senate Lobbying Disclosure database. Neither group commented Tuesday. USTelecom, which lists privacy but not KOSA among its lobbying issues, didn’t comment.

In response to the question about collecting data from telecoms and smartphone operators, Common Sense Media suggested the AG rely on “trusted third-party verifiers” to deliver the required data to covered platforms. “Using this method is a way to limit the number of entities that hold age information and presumably could mean that data collected is in fewer -- and possibly more trustworthy -- hands,” it added. Verifiers could “pass information on to the site or service requiring age assurance -- and this information that is passed could be very limited, including through ‘zero knowledge proofs’ that do not do anything other than indicate whether a user is or is not a certain age.”

Meta suggested New York shift the age-verification burden to app stores like Google Play and Apple’s App Store. Relying on them could provide a “commercially reasonable method for age verification and parental consent.”

Meanwhile, the Computer & Communications Industry Association warned New York against regulating social media like "cigarettes, alcohol, and gambling.” Don’t presume algorithmic feeds have only negative effects, said CCIA: They can help users prioritize content they want to see and to identify inappropriate content.

The AG requested comments as part of its pre-rulemaking stage for implementing the two laws. The Safe Act requires obtaining parental consent when algorithms sort feeds for minors, while the kids’ privacy bill bans websites from collecting and sharing minors’ personal data without informed consent. In the Safe Act ANPRM, the AG office asked how it should identify commercially reasonable and technically feasible age-verification methods, how it should implement a parental consent mechanism and how to determine whether a social media platform is addictive. In the kids’ privacy bill ANPRM, the AG office asked about factors relevant to determine that a website is primarily directed at minors, young teenagers and older teens.

Meta urged the state not to inadvertently “exempt any platforms widely used by teens,” and to clarify that the law’s processing restrictions don’t stop “businesses from ensuring the safety, integrity or functioning of the service.” Meta pointed the AG office toward its announcement last month about new teenager-focused accounts on Instagram.

Each method of age-verification has pros and cons, said the Future of Privacy Forum. Asking users to declare their age “offers the lowest degree of privacy risks and the lowest degree of accuracy to the service provider,” because users can easily lie about their age, said FPF. Age estimation through tools that analyze biometrics or user behaviors online is more effective but may have higher privacy risk, it noted. Finally, age verification using government IDs or other sensitive information, FPF said, provides the most accuracy but carries the highest risk to privacy.

Kids’ Privacy ANPRM

New York should make its children’s privacy rules interoperable with the Children’s Online Privacy Protection Act (COPPA) to avoid legal issues and confusion for businesses, said CCIA. State rules should consider differences between teenagers and younger children, it added. Also, “regulations should specifically lay out that any anonymized or deidentified data that is not re-linked to a specific individual should be treated differently, as this would still allow websites and online services to use such data for product development or consumer feedback that could be used to improve the user experience.”

Don’t adopt too narrow an interpretation of what kind of data processing is “strictly necessary” to be permissible without requiring consent, because that could make it harder to provide a safe experience for young users, CCIA added. Also, “requests for consent from teen users [should] balance effectively conveying information to users without overwhelming users with excessive information or requests.”

Since New York hasn’t enacted a comprehensive law -- but 20 other states have -- the AG “should consider emerging trends in U.S. privacy law in developing regulations to support robust, interoperable privacy rights and protections for young people and lay a foundation for the development for subsequent, generally applicable privacy frameworks in New York,” said FPF. Also, the group recommended developing robust guidance on defining “strictly necessary” to avoid inconsistent interpretations of the law.

TechNet agreed that New York should harmonize kids’ privacy regulations with COPPA rules and other state privacy laws. “Deviating from [COPPA] precedent would create unnecessary confusion for operators and users without any corresponding benefit,” TechNet said.