California Age-Appropriate Design Code final passage brings mixed reviews
While U.S. Congress is working to devise appropriate regulations for children’s online privacy and content moderation, finalization is not on the immediate horizon. The inaction led the California Legislature to take matters into its own hands with final passage of Assembly Bill 2273, the California Age-Appropriate Design Code Act.
The bill, which awaits enactment by Gov. Gavin Newsom, D-Calif., after unanimously passing the State Assembly and Senate, is an online safety bill containing unique privacy requirements to protect minors age 17 and under. If enacted, the bill would enter into force Jan. 1, 2024.
A covered entity under the bill is defined as a business “that provides an online service, product, or feature likely to be accessed by children shall take all,” but application relies on thresholds defined under the California Privacy Rights Act. Specific privacy requirements include privacy-by-default settings, data protection impact assessments within a 72-hour window upon request from the California attorney general, and standards to assess whether services are likely to be accessed by minors. The bill includes a 90-day cure provision for companies to rectify violations.
The attorney general’s office will assume enforcement powers after previous versions of the bill left enforcement to the California Privacy Protection Agency. The bill establishes the California Children’s Data Protection Working Group, a 10-member group appointed by branches of state government and the CPPA to consider best practices for implementing the law.
State Assemblywoman Buffy Wicks, D-Calif., a co-sponsor of the bill, said during a press conference touting the bill’s passage, that it was inspired by the U.K. Age-Appropriate Design Code and the Big Tech deterrence that framework created. Wicks noted Google, TikTok and YouTube were among the companies that made changes responding to the U.K. law and its move to ensure online services for kids are “created by design and by default.”
“I really do these bills selfishly because I know when (my kids) are 7, 8, 10, 15 and they start engaging more in the digital world, I want to make sure we have set up the right tools to make sure they have the guardrails,” Wicks said. “We know they are going to be digital natives and we welcome that. It’s a modern era where California is home to the tech innovation space and we welcome all it brings. But I also want to make sure our children are safe and right now they are not safe. Our fundamental job is to keep our community safe above anything else.”
AB 2273 is part of a two-pronged children’s online safety overhaul by the California Legislature. AB 587, the Social Media Accountability and Transparency Act, also passed both chambers with overwhelming majority votes. The social media transparency bill aims to clarify platforms’ terms of services, including privacy notices, with requirements for more specific disclosures and general information.
“We have to get this right. California has to get this right,” State Sen. Jordan Cunningham, R-Calif., said. “These are not big things to ask Big Tech companies to step up and do, but they’re necessary things for our kids. … There is stuff running in the background, influencing their minds and the very development of their brain, and you have no ability to control. Most parents aren’t software engineers or have the capacity to counteract what’s being done online.”
Line in the sand
Most digital policymaking leaves little middle ground for stakeholder views and AB 2273 is no different. The bill and its new standard for protecting youth online has the complete support of civil society while industry is grappling with potentially over-broad compliance measures that it thinks may ultimately put kids in a different type of risk.
“This is absolutely a massive shift in what many — if not most — companies will be required to do,” Public Interest Privacy Consulting founder and President Amelia Vance said. “‘General audience’ companies have largely avoided having any responsibilities under the Children’s Online Privacy Protection Act. This is a whole new ballgame, and compliance is likely to be a nightmare for any company that hasn’t already started to bring their products into compliance with the U.K. Children’s Code.”
Vance pointed to the DPIA requirement for any new service deemed accessible to children as an immediate compliance hurdle for non-global companies that aren’t in line with EU General Data Protection Regulation children’s data processing requirements. However, Vance indicated the bill may be “less scary than portrayed” based on its use of CPRA coverage thresholds.
“This will be difficult for many businesses to operationalize and reduce the quality of online services for adults,” Sanchez said. “The exact implications are unclear because the bill leaves many important questions unanswered. It is challenging to verify someone’s age without collecting sensitive personal information.”
Monument Advocacy Principal Jeff Gary argued AB 2273 may leave privacy unaddressed to a degree without an appropriate verification mechanism, which doesn’t exist under the bill as currently constituted, setting up “compliance landmines where data collection is both required and prohibited.”
“The law doesn’t provide a mechanism for complying with that requirement, so most likely, every covered company will collect and verify each user’s birthday,” Gary said. “We know from COPPA that actual age verification requires highly intrusive data collection, and risks destroying anonymity online and off. Without that data, consumers will simply lie about their ages.”
But while companies may find hardships as they digest the bill, the improvements to children’s protections are unquestioned. Common Sense Media Policy Counsel Irene Ly said the bill forces companies to re-prioritize, focusing more on kids’ health and well-being over profits and engagement.
“This is a necessary step to help relieve the burden on parents who would otherwise have to navigate dozens, if not hundreds, of long, difficult to understand privacy policies and website and app settings in an attempt to better protect their kids from online harms,” Ly said, adding the next step is legislation that “requires companies to make, and holds them accountable for, safer design choices.”
As California goes, so goes the nation?
In addition to children’s online privacy and safety bills being considered in the U.S. Senate, the proposed American Data Privacy and Protection Act being considered by the U.S. House has provisions for minors age 17 and under while attempting to better address the COPPA actual knowledge issues.
California’s bill tries to tie in a lot of the conversations being had at the federal level. Data minimization requirements, prohibitions on geolocation data collection, use and sale, and a ban on “dark patterns” that promote the submission of unnecessary personal data are a few of the shared topics.
Vance suggested that AB 2273 and the federal proposals share the same goal of pulling the curtain back on companies that “purposely stick their heads in the sand” regarding children on their websites. While common intents and purposes are positive, the potential for a growing number of states acting before U.S. Congress creates further patchwork issues that make a federal law that much harder to craft.
“As we approach the conclusion of another U.S. Congressional session with no updates to children’s privacy or safety, states have made it clear they will fill the void.” Sanchez said. “This bill takes a novel approach in responding to parents’ and lawmakers’ very real concerns that young people are not sufficiently protected online. It’s the first child-centered design bill we’ve seen in the U.S. If enacted, many expect that we will see other variations introduced by other state legislatures next year.”