• by Wendy Davis , Staff Writer @wendyndavis, May 22, 2024

The tech industry and privacy advocates may not always see eye to eye on thorny policy questions, but they agree on at least one thing: there isn't yet a good way for companies to determine users' ages without compromising their privacy.

“There is currently no privacy-protective way to determine whether a consumer is a child,” Maureen Mahoney, deputy director of policy and legislation at the California Privacy Protection Agency, wrote in a May 3 memo to the agency's board. The memo addressed proposed state legislation that would impose new restrictions on companies' ability to collect and use minors' data.

Currently, California requires companies to obtain consent from teens ages 13-16 (or parents of those teens) before collecting or selling data -- but only if the companies actually know the teens' ages. State Assembly Member Buffy Wicks recently proposed amending that law by requiring businesses to obtain opt-in consent from teens under 18 (or parents of teens) before collecting or selling their data.

Mahoney recommended that the California Privacy Protection Agency should only support the bill if it's amended in several ways -- including by specifying that the restrictions on data only apply if companies have “actual knowledge” of teens' ages, or alternatively, “knew or should have known” that users were under 18.

“Existing age verification options raise obvious problems, including privacy concerns,” the memo states.

“Use of payment cards or government ID to confirm age would not work in the context of a bill that seeks to provide children with additional protections, since most children do not have payment cards or government ID,” she writes, adding that requiring online sites to collect sensitive information could expose consumers to data breaches and other security risks.

The agency board voted earlier this month to accept Mahoney's recommendation.

On Wednesday, lawyers for the tech group NetChoice submitted that memo to the 9th Circuit Court of Appeals, which will soon hear arguments on a different California law regarding teen internet users -- the Age-Appropriate Design Code.

That statute, passed in 2022, requires online companies likely to be accessed by users under 18 to prioritize their “best interests” and “well-being,” and largely prohibits those businesses from collecting or sharing minors' personal information. A district court judge blocked enforcement last year.

NetChoice says the measure is unconstitutional for several reasons, including that a mandate to prioritize minors' well-being interferes with web publishers' ability to wield control over their editorial content. The organization also argues that requiring online companies to estimate their users' ages will undermine all web users' First Amendment rights.

“If a service chooses to age verify, individuals who wish to speak (or consume speech) anonymously or without providing their ages will be unable to access protected speech,” the group wrote in a brief filed in February.

California Attorney General Rob Bonta defended the law, arguing to the 9th Circuit that “multiple technologies exist for estimating age.”

NetChoice said Wednesday that Mahoney's memo “betrays the state’s contention” that age estimation is practical.

“To the contrary, the memorandum shows the state’s agents admitting that existing age verification systems are 'not sufficiently advanced to ensure accurate age verification while protecting privacy,'” the group wrote, quoting directly from the memo.