California Governor signs child privacy law requiring online age checks
Get ready for face scans, expanded surveillance, violated rights, and more, say critics
California Governor Gavin Newsom on Thursday signed AB 2273, legislation designed to protect children's online privacy by demanding information from everyone.
The California Age-Appropriate Design Code Act (AB 2273) was modeled after the UK's age-appropriate design code.
Approved last month by the State Senate, and previously by the State Assembly, the California law requires online platforms to consider the interests of children in the design of their services and to provide children with settings that default to privacy.
"We're taking aggressive action in California to protect the health and wellbeing of our kids," said Governor Newsom (D) in a statement. "As a father of four, I'm familiar with the real issues our children are experiencing online, and I'm thankful to Assemblymembers Wicks and Cunningham and the tech industry for pushing these protections and putting the wellbeing of our kids first."
The Age-Appropriate Design Code (AADC) Act forbids online service providers that offer service to children from using the personal information of children in a way that's detrimental, from gathering, selling, or storing a child's geo-location, from profiling by default, and from soliciting children to provide their information. It also requires privacy policies and related terms be accessible and enforced.
Jim Steyer, founder and CEO of Common Sense Media, a content-rating service for parents, applauded the approval of the law.
"We recognize that this bill is just one step in a long-term effort to protect kids online," said Steyer in an emailed statement. "But it is a very important step, and time is of the essence – we must continue the momentum to expand platform accountability and online protections for children across California and the rest of the country."
While there's general agreement that children could be better protected online, the approach called for under AB 2273 would require that covered websites – those that could be used by minors – somehow verify the age of visitors. Despite Newsom's nod to ostensible tech industry support, technology rights advocates dislike the age-checking mandate, claiming it will expand surveillance in the name of privacy.
"The bill is so vaguely and broadly written that it will almost certainly lead to widespread use of invasive age verification techniques that subject children (and everyone else) to more surveillance while claiming to protect their privacy," said Fight the Future, in a statement.
"...Requiring age verification also makes it nearly impossible to use online services anonymously, which threatens freedom of expression, particularly for marginalized communities, human rights activists, whistleblowers, and journalists."
Via Twitter, Evan Greer, director of Fight the Future, characterized AB 2273, and AB 587, a related state social media law signed earlier this week, as unconstitutional messes.
Santa Clara University School of Law professor Eric Goldman has also written extensively about the shortcomings of the AADC.
In a blog post on Thursday, he wrote, "Despite its purported goal of helping children, the AADC delivers a 'hidden' payload of several radical policy ideas that sailed through the legislature without proper scrutiny.
"Given the bill’s highly experimental nature, there’s a high chance it won’t work the way its supporters think – with potentially significant detrimental consequences for all of us, including the California children that the bill purports to protect."
Specifically, Goldman argues the bill does away with the "permissionless innovation" model that gave rise to the internet by requiring businesses to prepare impact assessments before launching new features children might access. He expects the consequence of this will be businesses designing products to avoid the regulatory headaches of dealing with children – products that might have benefited children.
The law, he argues, disempowers parents by foisting the government's interpretation of appropriate barriers onto all. He argues the law shifts the fiduciary duty of companies to favor the interests of children over other considerations. And he expresses concern that the law will encourage the adoption of facial scans as a means of age determination, despite the well-known privacy problems with face scanning.
"The California Age-Appropriate Design Code Act changes the ground rules for technology companies yet again, adding a new layer of privacy legislation for companies whose online products or services are likely to be accessed by minors under the age of 18," said Christine Lyon, partner and global co-head of data privacy and security at law firm Freshfields, in an email to The Register.
Lyon said the law will affect companies not subject to COPPA, the federal data privacy law focused on children under 13.
"Although they have nearly two years before the act goes into effect, technology companies will need this lead time to assess which of their products or services are likely to be accessed by users under 18 and to modify their covered products/services for those users, including by limiting collection and use of data about those users, configuring default privacy settings to a high level for them, and performing formal data protection impact assessments that must be provided to the California Attorney General upon request," she said.
"Ultimately, this law will dramatically reshape how technology companies approach online products and services not targeted to children, but still may be likely to be accessed by minors under the age of 18." ®