Today’s kids, more online than any generation before, are paradoxically beset by a digital world that isn’t the most kid-friendly. From creeps to depression-spurring algorithms to cyberbullying, experts often link web use to skyrocketing mental health issues in young people.
But help may be on the way. On Monday, the California Senate overwhelmingly voted (33 to 0) to pass a comprehensive children’s privacy bill designed to protect kids from web platforms’ most noxious and invasive elements. The bill, known as the California Age-Appropriate Design Code Act or AB2273, would regulate the tech industry in ways it’s never been regulated before and would be the first law of its kind in the country. If enacted, the bill would force big platforms — Facebook, Twitter, TikTok, and others — to implement new age-sensitive protections for users under the age of 18. Firms would be required to refrain from a greater amount of data collection on those users and to implement more comprehensive privacy protections for them. If passed, the bill would go into effect in 2024.
If that all sounds pretty good to you, know that the bill isn’t a law yet — and there’s a decent amount of controversy about its current format. A lot of details still need to be ironed out before we can truly understand whether this law would be effective or not (we’ll explain more below). It also still needs to be signed by Gov. Gavin Newsom. The New York Times reports that Newsom has “not taken a public stance on the measure.” Gizmodo reached out to the governor’s office for comment and will update this story if he responds.
What the Bill Would Do
As it stands now, the California Age-Appropriate Design Code Act outlines a number of ways in which children’s data and user experience should be protected under the law, though the details of those regulations are not yet clear and would need to be ironed out in the future.
Initially, though, the bill would create a California Children’s Data Protection Working Group tasked with studying the privacy issues at hand and delivering a report to the legislature on the best way to implement the bill’s lofty goals. That working group would ostensibly be staffed by people with expertise “in the areas of children’s data privacy and children’s rights,” the bill states. The working group would also “take input from a broad range of stakeholders, including from academia, consumer advocacy groups, and small, medium, and large businesses affected by data privacy policies” before ultimately delivering their recommendations to lawmakers, the bill says.
Most controversially, the bill would force tech companies to “estimate the age of child users with a reasonable level of line certainty,” in an effort to carve out protections for them. Critics fear that this provision could result in companies having to institute costly age verification mechanisms on their platforms — in an effort to identify who is a kid and who is an adult. Tech companies would also be obligated to design their products and platforms with “strong privacy protections by line design and by default” for younger users — a stipulation that many companies see as unfeasible.
The bill would authorise the California Attorney General to fine companies that do not abide by the provisions of the new law, once they’re worked out. Violators of the law could be fined as much as “$US2,500 ($3,471) per affected child for each negligent violation or not more than $US7,500 ($10,412) per affected child for each intentional violation,” the bill text states. Privacy breaches often affect hundreds of thousands or millions of users, so the fines could be steep, even for deep-pocketed Silicon Valley companies.
Concerns Over Unintended Side Effects
Some organisations are clearly happy with the law and what it purports to be doing for the web’s youngest users. Josh Golin, executive director of the child advocacy group Fairplay, put out a statement Tuesday congratulating legislators:
“The passage of an age-appropriate design code in California is a huge step forward,” he said. “For far too long, tech companies have treated their egregious privacy and safety issues as a PR problem… Now, tech platforms will be required to prioritise young Californians’ interests and wellbeing ahead of reckless growth and shareholder dividends.”
But not everybody is so enthused. Numerous critics see the law as a lofty proposition that will be a logistical nightmare to actually implement. In a searing takedown published last week, Techdirt founder Mike Masnick lambasted the legislation for its overly broad language and its inattention to detail. He makes note of the fact that the regulation would actually require web platforms (like Techdirt) to collect a whole lot more data on site visitors, not less. In particular, Masnick criticised the bill’s stipulation that websites that are “likely” to be visited by children implement age-verification mechanisms for users:
According to the law, I need to “estimate the age of child users with a reasonable level of certainty.” How? Am I really going to have to start age verifying every visitor to the site? It seems like I risk serious liability in not doing so. And then what? Now California has just created a fucking privacy nightmare for me. I don’t want to find out how old all of you are and then track that data. We try to collect as little data about all of you as possible, but under the law that puts me at risk.
Similar criticisms have been written by privacy focused organisations like the Electronic Frontier Foundation, which wrote to legislators in April out of concern for the way the bill would spur further data collection by platforms. When reached Tuesday, EFF said it couldn’t comment on the most recent version of the bill, as it had not finished reviewing it yet.
There is precedent for the bill to pass. In recent years, California has become the nation’s de facto leader when it comes to legislating consumer privacy protections. In 2018, it passed the California Consumer Privacy Act (CCPA), the first comprehensive state privacy law in the country. Not long afterward, a 2020 ballot initiative saw state residents vote to establish the California Privacy Protection Agency, which enforces the regulations related to CCPA and other privacy-related state ordinances. If passed, the California’s children’s privacy bill could likely spawn copycat bills in other states and encourage other legislatures to make similar moves to protect children’s interests.