California lawmakers approve online privacy law for kids. Which may turn websites into identity checkpoints

California lawmakers have approved a major online safety bill to protect children – and critics worry the legislation will turn websites into identity checkpoints.

The California Age-Appropriate Design Code Act was passed by the State Senate on Monday by a vote of 33-0, and was previously approved by the State Assembly. To be enacted, it requires only the signature of Governor Gavin Newsom, who has not yet taken a public position on the bill.

The AADC (AB 2273) was proposed to protect children online. It was introduced by California State Assembly members Buffy Wicks (D) and Jordan Cunningham (R).

Wicks marked the bill's passage on Twitter by urging people not to be fooled by last-minute efforts to derail the legislation.

The bill, she said, "has been in print since February and we have worked diligently with stakeholders to address their practical concerns. It has been reviewed by dozens of lawyers and privacy experts, and is already established law in the UK — where it’s already proven to work," although opinion is divided on that last point

The AADC requires online businesses that provide products or services to those under 18 years old to prioritize the safety of children in the design of their offerings. It restricts data collection, requires privacy settings to be maximized by default, and forbids efforts to encourage kids to roll those settings back, among other things.

It requires businesses with online products or services likely to be accessed by children to conduct a Data Protection Impact Assessment that addresses: whether the product/service could lead children to be exposed to potentially harmful content, contacts, or conduct; whether any algorithms or targeted ads could harm children; and whether the product/service uses any engagement mechanism that prolongs use.

"Today California took a massive step forward in securing a future in which the internet is fundamentally designed around the best interests of young people," said Nichole Gill, executive director and co-founder of advocacy group Accountable Tech in a statement.

"The California Age-Appropriate Design Code will ensure Big tech platforms prioritize the safety, wellbeing, and privacy of children and teens, and put an end to the pervasive tracking, targeting, and manipulation they face online."

Supporters of the bill point to changes made to online services in the UK [PDF] as an example of the anticipated impact in the US. These include product changes like: Google making SafeSearch the default browsing mode for those under 18; YouTube disabling autoplay for those under 18; and TikTok and Instagram disabling direct messages between children and adults they do not follow.

To accomplish its goals, the Californian bill requires websites to determine the age of visitors or to afford adults the same level of heightened privacy as children – which more or less precludes surveillance capitalism. The bill says online businesses must: "Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers."

And therein lies much of the controversy.

Unintended consequences

Critics of the law, such as Santa Clara University School of Law professor Eric Goldman, argue that mandatory age verification will harm the internet for everyone. Although the bill has been proposed for California, legislation adopted in the state will be felt throughout the US and beyond due to the size of California's economy and the reach of the tech businesses based there.

"Though this bill claims to protect children, the bill will affect the Internet usage of both adults and children," Goldman wrote in a blog post earlier this month.

"By requiring age authentication of all users, the bill would change the Internet’s fundamental architecture from an environment where we freely transit the Internet to one where everyone must authenticate their age every time they go to a site."

In other words, if you hate dealing with cookie permission dialog popups, you're going to really hate having to verify your age at many of the website you visit.

• California's attempt to protect kids online could end adults' internet anonymity
• Tech world may face huge fines if it doesn't scrub CSAM from encrypted chats
• British intelligence recycles old argument for thwarting strong encryption: Think of the children!
• Russian ChessBot breaks child opponent's finger

Age verification is likely to require the submission of personal data, to check against an identity database, or a face scan that estimates age. Goldman argues neither process is foolproof and either imposes costs that will harm businesses. And, he contends, the data sharing required to make age verification work itself represents a privacy risk.

NetChoice, a trade group representing internet companies, opposes the bill and has urged Newsom not to sign it. Jennifer Huddleston, policy counsel for NetChoice called AB 2273 "overly burdensome regulation that harms families and violates the First Amendment."

NetChoice has participated in lawsuits against constitutionally dubious social media laws in Florida and Texas, and could pursue a similar legal challenge in California, if its members are sufficiently troubled by the compliance burden.

Consumer Reports, which in April offered qualified support for the bill, also took issue with the identify verification requirement.

"Mandated identity verification would require invasive and expensive data collection and eliminate consumers’ right to read and speak anonymously, undermining the bill’s fundamental objectives," said Justin Brookman, director of technology policy at Consumer Reports, in a letter [PDF] to lawmakers.

California Governor Gavin Newsom has until September 30, 2022 to sign the bill into law. ®