Law would restrict social media platforms use of children’s data

The Messenger, Facebook and Instagram applications are seen in this illustration photo taken on 08 December, 2023 in Warsaw, Poland. (Photo by Jaap Arriens/NurPhoto via Getty Images) (Getty Images)

Modeled after a law passed in California, a bill likely to come before the Minnesota Legislature this session would place restrictions on businesses that offer online products or services that collect the data of child users.

The Minnesota Age-Appropriate Design Code Act would work alongside the Government Data Practices Act to increase protection of a child user’s data, while obligating a business operating in Minnesota to regulate the design and settings of a product to ensure protection while providing privacy notices for its users.

The law would apply to any business operating in Minnesota with annual gross revenues of $25 million that collects personal data of 50,000 or more consumers and derives 50% or more of its annual revenues from selling consumers' personal data.

It would limit the amount of data the business can collect and its allowable uses, while requiring the business to complete a "data protection impact assessment" that could be reviewed by Minnesota Attorney General Keith Ellison.

On Thursday, legislators convened as part of a Commission on Data Practices, speaking on the need to proactively protect Minnesota’s children. The bill’s sponsor, Sen. Erin Maye Quade (DFL-Apple Valley), focused on the perils of "addictive social media products" that can also be abused by sexual predators as the act’s intent – often referencing Meta’s social media platforms (the parent company of Facebook and Instagram).

"It’s important to remember Meta is explicitly working with products that specifically target child audiences," Maye Quade said on Thursday. "We would never allow a company to sell toys that are anywhere adjacent to sexual abuse problems… But yet when it comes to online products we are expected not to regulate them against these harms."

According to Maye Quade, the law would not require companies to moderate content or searches, but instead, "this gets upstream at the design phase by calling for safety by design, and privacy by default."

"Big tech hates this bill," Maye Quade said. "They don’t want to lose the profit margin of harvesting data from children."

"The lifetime value of a 13-year-old teen is roughly $270 per teen," said Casey Mock, with the Center for Human Technology, referencing an alleged internal Meta memo. "None of these companies will take action to protect your kids if it will reduce that lifetime value, nor will they spend more than that. It’s time that Minnesota delivered the message to these companies that our kids’ health and safety is not for sale."

In 1998, the Children’s Online Protection Act (COPPA) was adopted to regulate how websites accessible to children in the U.S. would approach data privacy for individuals under age 13 – largely credited with creating the concept of parental notifications and control.

In 2022, California became the first state to adopt similar protections for a child’s online data privacy, adopting the California Age-Appropriate Design Code Act. The law has since been challenged through litigation. 

Several GOP Senators expressed concerns about whether the act would stand up against its own legal challenges.

"We’ve heard from parent representatives that despite their best efforts, some of these [harmful] messages still get in front of kids, and I’m not quite sure how you stop that from a technical perspective," said Sen. Warren Limmer (GOP-Maple Grove).

If passed by lawmakers, the Minnesota Age-Appropriate Design Code Act would become effective July 1, 2024.

By July 1, 2025, a business will be required to complete a data protection impact assessment with the Minnesota Attorney General.