---

The Age of the Age-Appropriate Design Code

My colleague Keir asked in his blog “Five Big Questions” for the U.S. state privacy landscape in 2023 if we have entered the “Age of the Age-Appropriate Design Code”… and all signs continue to be a resounding yes. Following California’s lead, New York, New Jersey, Oregon, and most recently Connecticut have introduced similar bills (of note: Oregon’s bill, as written and if it were to pass, would go into effect at the same time as California’s law), and we expect even more to follow in the coming months. In short: states aren’t waiting around for Congress to act on children’s privacy.

If you are catching up on all things AADC, I worked on two resources with my colleague Chloe Altieri late last year that may be helpful to you: a comprehensive overview and analysis of the California AADC and a comparison of the California and UK versions. A key takeaway from our comparative analysis is that the UK’s code is generally a good bit more specific than California’s version, leading some companies to look at it for guidance as we await further information from California. Another step in that direction worth noting: the UK Information Commissioner’s Office (ICO) recently released design tests that, while not an official assessment, can help companies gauge their level of compliance with their AADC.

One of the big questions that California’s AADC (and similar legislation) raises is just how an online service provider is supposed to determine a child’s age - a long-running challenge that raises the age-old issue of balancing privacy and security. While policymakers in the US and UK continue to include age verification in a variety of legislative proposals, the French data protection agency, CNIL, viewed by some as “generally seen as the most aggressive and most thorough in its data protection/data privacy work,” recently declared “no current solution” was acceptable, noting they can all “can easily be circumvented” and pose privacy risks. CNIL took issue with many of the most often-discussed potential solutions, too. It remains to be seen if “nerding harder” will lead to better alternatives. In the meantime, companies continue to innovate: Meta recently expanded its age verification testing to Facebook Dating.

One other key question: as more kids’ privacy bills incorporate a “best interests of the child” standard - who determines what content is in the best interests of kids, and what isn’t? And what happens when states disagree on that determination? I talked about this issue and others with CyberScoop.

---

Ongoing Data Security Challenges

Data security continues to be a very real problem for schools, districts, and edtech companies alike; despite a renewed focus on combating the threat, schools sustained approximately the same number of cyberattacks in 2022 as they did in 2021. Warning that “[a] continuing drumbeat of cyber intrusions is threatening the nation’s ability to educate our children while also placing personal information and school data at risk,” the Cybersecurity and Infrastructure Agency (CISA) released a new report and toolkit for schools that builds on its recommendations.

Attacks continue to impact schools of all shapes and sizes - from large K-12 districts to smaller colleges like Knox College in Illinois where the attackers sent intimidating emails directly to students. In early December, the Little Rock School District board voted to negotiate with the hackers who launched an attack against the district’s computer network, ultimately approving a $250,000 payment that the school district described in a letter as a “final agreement.”

Meet one of the more active “ransomware gangs” targeting the education sector, Vice Society. While the group is “continually evolving” and has “shaped their campaigns to take advantage of the school year” (the start and end of the year are the most vulnerable for schools) a recent report by Palo Alto Networks’ Unit 42 threat research team does point to one reason to be optimistic. While noting it is often an underutilized advantage, the report concludes that in a school setting, “There are many educators who can help inform trainings for both staff and students to learn what they need to do to maintain security for everyone in the organization.”

---

A Global Interest in Protecting Kids’ Privacy

While a year-end push to enact federal child privacy legislation led in part by Sen. Markey faced an “uphill climb” and ultimately came up short, a January 11 Wall Street Journal op-ed by President Biden calling for federal privacy protections quickly became the talk of the town. President Biden highlighted the importance of special protections for children, writing, “protections should be even stronger for young people, who are especially vulnerable online. We should limit targeted advertising and ban it altogether for children.”

An ABC News segment from early December featuring a joint interview between the bipartisan leaders of the House Energy & Commerce Committee, Rep. Frank Pallone and Rep. Cathy McMorris Rodgers, highlighted the provisions of the ADPPA that would protect kids 17 and under. And I also presented on this topic at the Connecticut Data Privacy Task Force meeting on December 7; catch my presentation starting around the 30-minute mark.

One privacy provision of note that did make it into the omnibus and become law: a TikTok ban on federal devices over growing security concerns. This follows the action from an increasing number of states to ban TikTok on state-owned devices and in some cases, WiFi networks, impacting students at some public universities. 

Across the pond, a controversial online safety bill long in the works in the UK but that had been put on hold during the governing party’s leadership transition is back with two noteworthy changes. One: the bill’s “legal but harmful” clause has been removed, a provision that would have tasked online platforms and tech companies with removing content that was legal but deemed harmful from their platforms, a prospect that had free speech advocates concerned. The second big change: a January 17 agreement to add in criminal charges including jail time of up to two years for tech executives who "consent or connive" to ignore the new rules. The BBC reports the bill, which has been “repeatedly altered” as it has progressed, now faces “what is expected to be a lengthy journey through the House of Lords.”

---

“A National State of Emergency”

“The need is real, the need is dire,” Alberto Carvalho, the superintendent of Los Angeles Unified School District, told the Washington Post about the deepening student mental health crisis. Schools continue to face a shortage of counselors and doctors are warning - again - about a “national emergency.” Students are acting out; 60 percent of schools reported an increase in classroom disruptions due to student misconduct and 40 percent of schools reported an increase in physical fights. Test scores have dropped to a level not seen since 1999.

How Schools Are Responding 
One potential avenue that many schools are turning to is teletherapy. While the telehealth format presents some privacy and accessibility challenges for students who may not have access to the right tech and/or private space at home, early research into the potential efficacy of teletherapy for children is encouraging, including lower no-show rates for underserved children compared to traditional in-person visits. One potential concern we’re keeping an eye on is that many schools are paying for these services with COVID relief dollars or other one-time grants, rightly raising questions about sustainability. 

What else are schools doing to support students? Some are investing in social-emotional learning and/or implementing mental health days off for students. Surveys and mental health screenings can be an effective way to better understand student needs but come with their own privacy risks. “In the wrong hands, the very information schools need to support students can threaten students’ reputation and well-being,” warns the Education Commission on the States (ECS). One state the ECS report does applaud is Utah (we agree!).

Another avenue that the FPF Youth & Ed team has long kept an eye on is student monitoring technology. Online monitoring programs such as the one implemented in Chicago Public Schools this fall are often presented as “key in efforts to prevent violence and self-harm,” but to date, there is no independent evidence linking the use of monitoring tools to either outcome. To address school safety, states continue to pass a wide range of legislation; The Education Commission of the States again has a good recap of the key trends and developments within the dozens of school safety bills that states adopted in 2022.

Seattle Public Schools recently took things a step further by filing a federal lawsuit against the companies behind the major social media platforms, arguing in part that the design of social media platforms is inherently dangerous to kids, and that the district doesn’t have the resources to contend with a growing mental health crisis that social media is making worse.

Resources for Parents 
If you are a parent wondering what to do, a few resources that may help: the Washington Post breaks down how to make a school mental health day work for their child and family, and if you are worried about setting screen time limits, this parenting expert makes a case for teaching your child “screen smarts” instead.

---

The Latest On Online Proctoring

On the heels of a federal court ruling last fall that found a public university’s use of room-scanning technology during a remotely proctored exam violated a student’s Fourth Amendment right to privacy (read more from my colleague Lauren on that case), the international community is weighing in. The Netherlands Institute for Human Rights recently issued an interim judgment finding that online proctoring software can discriminate, regardless of developers' intent, siding with a student who brought the case after facial recognition software failed to recognize her face as she was taking an exam. Universities must now pre-emptively show that the software does not discriminate before it is used. Read more (in Dutch, with Google Translate available). 

The French data protection commission, CNIL (the “Commission Nationale de l’Informatique et des Libertés”) recently closed a public “consultation” in response to its growing awareness of “particularly intrusive practices and tools” used in online proctoring. Read more (in French, with Google Translate available).