California Legislature OKs Landmark Bill to Protect Kids' Privacy

The legislation, now headed to the governor's desk, would create new protections for web users under 18, including mandating age-appropriate design.

We may earn a commission from links on this page.
Image for article titled California Legislature OKs Landmark Bill to Protect Kids' Privacy
Photo: SAVO PRELEVIC/AFP (Getty Images)

Today’s kids, more online than any generation before, are paradoxically beset by a digital world that isn’t the most kid-friendly. From creeps to depression-spurring algorithms to cyberbullying, experts often link web use to skyrocketing mental health issues in young people.

Thankfully, help might be on the way. On Monday, the California Senate overwhelmingly voted (33 to 0) to pass a comprehensive children’s privacy bill designed to protect kids from web platforms’ most noxious elements. The bill, known as the California Age-Appropriate Design Code Act or AB2273, would regulate the tech industry in ways it’s never been regulated before and would be the first law of its kind in the country. If enacted, the bill would force big platforms—Facebook, Twitter, TikTok, and others—to implement new age-sensitive protections for users under the age of 18. Firms would be required to refrain from a greater amount of data collection on those users and would be obligated to implement more comprehensive privacy protections for them. If passed, the bill would go into effect in 2024.

If that all sounds pretty good to you, know that the bill isn’t a law yet—and there’s a decent amount of controversy about its current format. A lot of details still need to be ironed out before we can truly understand whether AB2273 would be effective or not (we’ll explain more below). It also still needs to be signed by Gov. Gavin Newsom. The New York Times reports that Newsom has “not taken a public stance on the measure.” Gizmodo reached out to the governor’s office for comment and will update this story if he responds.

Advertisement

What the Bill Would Do

As it stands now, the California Age-Appropriate Design Code Act outlines a number of ways in which children’s data and user experience should be protected under the law.

Advertisement

Initially, the bill would create a California Children’s Data Protection Working Group tasked with studying the privacy issues at hand and delivering a report to the legislature on the best way to implement the bill’s lofty goals. That working group would ostensibly be staffed by people with expertise “in the areas of children’s data privacy and children’s rights,” the bill states. The working group would also “take input from a broad range of stakeholders, including from academia, consumer advocacy groups, and small, medium, and large businesses affected by data privacy policies” before ultimately delivering their recommendations to lawmakers, the bill says.

Most controversially, the bill would force tech companies to “estimate the age of child users with a reasonable level of line certainty,” in an effort to carve out protections for them. Critics fear that this provision could result in companies having to institute costly age verification mechanisms on their platforms—in an effort to identify who is a kid and who is an adult. Tech companies would also be obligated to design their products and platforms with “strong privacy protections by line design and by default” for younger users—a stipulation that many companies see as unfeasible.

Advertisement

The bill would authorize the California Attorney General to fine companies that do not abide by the provisions of the new law—whatever those provisions ultimately end up being. Violators of the law could be fined as much as “$2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation,” the bill text states.

Concerns Over Unintended Consequences

Some organizations are clearly happy with the law and what it purports to be doing for the web’s youngest users. Josh Golin, executive director of the child advocacy group Fairplay, put out a statement Tuesday congratulating legislators:

Advertisement

“The passage of an age-appropriate design code in California is a huge step forward,” he said. “For far too long, tech companies have treated their egregious privacy and safety issues as a PR problem... Now, tech platforms will be required to prioritize young Californians’ interests and wellbeing ahead of reckless growth and shareholder dividends.”

But not everybody is so enthused. Numerous critics see the law as a lofty proposition that will be a logistical nightmare to actually implement. In a searing takedown published last week, Mike Masnick, founder of the popular blog Techdirt, lambasted the legislation for its overly broad language and its inattention to detail. He makes note of the fact that the regulation would actually require web platforms (like Techdirt) to collect a whole lot more data on site visitors, not less. In particular, Masnick criticized the bill’s stipulation that websites that are “likely” to be visited by children implement age-verification mechanisms for users:

According to the law, I need to “estimate the age of child users with a reasonable level of certainty.” How? Am I really going to have to start age verifying every visitor to the site? It seems like I risk serious liability in not doing so. And then what? Now California has just created a fucking privacy nightmare for me. I don’t want to find out how old all of you are and then track that data. We try to collect as little data about all of you as possible, but under the law that puts me at risk.

Advertisement

Similar criticisms have been written by privacy focused organizations like the Electronic Frontier Foundation, which wrote to legislators in April out of concern for the way the bill would spur further data collection by platforms. When reached Tuesday, EFF said it couldn’t comment on the most recent version of the bill, as it had not finished reviewing it yet.

There is precedent for the bill to pass. In recent years, California has become the nation’s de facto leader when it comes to legislating consumer privacy protections. In 2018, it passed the California Consumer Privacy Act (CCPA), the first comprehensive state privacy law in the country. Not long afterward, a 2020 ballot initiative saw state residents vote to establish the California Privacy Protection Agency, which enforces the regulations related to CCPA and other privacy-related state ordinances. If passed, the California’s children’s privacy bill could spawn copycat bills in other states and encourage other legislatures to make similar moves to protect children’s interests.