Lawmakers in California this week passed a bill that would restrict data collection by operators of websites “likely to be accessed” by minors under 18.
Among other requirements, the California Age-Appropriate Design Code Act (AB 2273) would prohibit online sites "likely to be accessed" by minors from collecting or sharing their personal information, unless necessary to provide a specific service the minor is actively using, or unless collecting or sharing the information is in minors' best interests. The measure would also require those sites to implement the most privacy-protective default settings for minors, unless the sites can show a compelling reason for a less privacy-protecting setting.
Governor Gavin Newsom hasn't yet signed the bill.
Currently, the federal Children's Online Privacy Protection Act prohibits websites from knowingly collecting personal information from children under 13 without their parents' permission. California's Age-Appropriate Design Code, by contrast, would go much farther by restricting data collection from teens as well as children. The California measure also doesn't contain any provisions that would allow parents (or teens) to consent to sharing the information.
The advocacy group Fairplay cheered news of the California bill's passage, with executive director Josh Golin stating that the legislation marks “a huge step forward toward creating the internet that children and families deserve.”
But others are raising concerns that the measure would effectively force many websites visited by adults to implement age-verification procedures, given that teens often read the same sites and use the same services as adults. Age verification procedures in themselves could hinder privacy, for instance by requiring people to provide government-issued identification, or submit to facial recognition scans.
The bill provides that a site is considered “likely to be accessed” by minors where there are indications that it is marketed to minors, or has a "significant" number of young users.
Critics, including Techdirt's Mike Masnick, say that definition could sweep in a huge variety of websites not specifically aimed at children and teens -- including Techdirt.
“We’re not targeting kids, but I’m going to assume that some of you who visit the site are under the age of 18. Over the years, I’ve had quite a few high school students reach out to me about what I’ve written -- usually based on their interest in internet rights. ” he wrote last week. “I think it’s great when high schoolers take an active interest in civil liberties and the impacts of innovation -- but now that’s a liability for me”
He adds: “Given that, it seems that, technically, Techdirt is under the auspices of this law...Incredibly, a bill that claims to be about protecting data, effectively demands that I collect way more personal data than I ever want to collect.”
Santa Clara University law professor Eric Goldman wrote in an op-ed that the bill would “harm both kids and adults alike” by effectively requiring businesses to verify the ages of their online users.
“Mandatory age authentication would change how everyone uses the Internet,” he writes.
“Currently, we casually go from site to site, seamlessly moving between services,” he continues, adding that after enactment of the law, “users will first be required to prove their age before they can visit any new site -- even if they just plan to visit for a second, and even if they never plan to return.”
Why only minors? If it can be done for 'minors' (easily side-stepped with a false age or DOB) why can't it be done for users who wish to restrict having their data collected?