Emphasize Enforcement Over More Laws, Kids Privacy Experts Say

“Putting someone in charge who can be looking into [existing laws], who can be enforcing [them], that, I think, is a better first step than just adding more [laws] that is going to be unfunded and unenforced,” said David Sallay, director of data privacy at Access 4 Learning (A4L).

Sallay said that while a lot of companies have papers or policies stating they do -- or don’t do -- certain things concerning data, there’s no further investigation to see if they’re following their policies.

The next step would be to “really pressure test our systems and see whether they are actually following what they say they're doing,” he added.

Miles Light from the Children’s Advertising Review Unit with Better Business Bureau National Programs said that things like the self-regulatory safe harbor program under the Children’s Online Privacy Protection Act (COPPA) can be another method of ensuring enforcement. The program helps with “technical testing and with understanding where the current privacy programs for companies are,” he said. “People are very willing to give you more information that allows you to see where the actual industry standards are, where there can be more improvement with individual companies that you're working with,” and also “you get a much better sense for how it is that some of these [cybersecurity incidents] can occur.”

There’s also a difference between enforcement in smaller companies and enforcement in bigger technology outfits, said Sara Kloek, vice president of education and children’s policy at the Software & Information Industry Association. Smaller companies “probably don't have a budget for a lawyer in every single state, [so] figuring out how to map your privacy compliance program to align to each state is difficult,” she said. As much as a federal law would help with enforcement, Kloek said she does not envision one being passed anytime soon.