California's attempt to protect kids online could end adults' internet anonymity
Websites may be forced to verify ages of visitors unless changes made
California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors.
Critics of the legislation contend this requirement threatens the privacy of adults and the ability to use the internet anonymously, in California and likely elsewhere, because of the role the Golden State's tech companies play on the internet.
"First, the bill pretextually claims to protect children, but it will change the Internet for everyone," said Eric Goldman, Santa Clara University School of Law professor, in a blog post. "In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. No one wants this."
The bill, Goldman argues, will put an end to casual web browsing, forcing companies to collect personal information they don't want to store and protect – and that consumers don't want to provide – in order to authenticate the age of visitors. And since age authentication generally requires identity details, that threatens the ability to use the internet anonymously.
Goldman also objects to this American state-level bill being modeled after the UK's Age-Appropriate Design Code (AADC) because European law makes compliance a matter of engagement and dialogue with regulators, in contrast to the US rules-based approach that allows more certainty about what is or not allowed.
Furthermore, he contends that the scope of the bill reaches beyond children's privacy and implicates consumer protection and content moderation. He thus considers the bill "a trojan horse for comprehensive regulation of Internet services" and would turn the California Privacy Protection Agency (CPPA) into a general internet regulation agency.
At the same time, it's clear that current laws to protect children fall short. In an April letter [PDF] to California lawmakers, Justin Brookman, director of technology policy for Consumer Reports, said that businesses frequently bypass the requirements of the Children’s Online Privacy Protection Act (COPPA), the federal law requiring parental consent for processing the data of children under 13. He pointed to 2018 research that found thousands of apps violating COPPA through the use of Software Development Kits (SDKs), code libraries for advertising and analytics that collect data about kids.
- Lockdown bidder block shock: Overzealous parental filters on Virgin Media and TalkTalk break eBay for UK users
- Clearview AI wants its facial-recognition tech in banks, schools, etc
- Feds raid dark web market selling data on 24 million Americans
- Millions of people's info stolen from MGM Resorts dumped on Telegram for free
Supporters of the California bill point to technical changes following from the UK AADC, like Google making SafeSearch the default browsing mode for everyone under 18 and TikTok and Instagram disabling direct messages between children and adults they do not follow, as examples of how the legislation might improve the internet for kids.
While the UK AADC may have led to worthwhile improvements in children's privacy, proposed legislation often entails collateral damage if not carefully devised. Both the UK and the EU, for example, have floated legal changes to protect children from abuse and exploitation by demolishing privacy and encryption.
Brookman, in a message to The Register, said, "I generally disagree with Eric on most things but I think he has a point here." And he pointed to his April letter in which he said Consumer Reports would support the bill if some changes were made.
He suggested the bill needs to make distinctions between how teens and children under 13 are treated, and to adopt clear rules-based language rather than ambiguous, aspirational mandates like directing websites to "maintain the highest level of privacy by default."
He also urged lawmakers to drop the age verification requirement.
"Mandated identity verification would require invasive and expensive data collection and eliminate consumers’ right to read and speak anonymously, undermining the bill’s fundamental objectives," he wrote in the letter. ®