Today, for better or worse, the Internet is a rather free range for children. Websites ask their users’ ages, sure. But virtually anyone who came of age around the rise of the Internet can probably relate a time or 20 when they gave a false birthdate.
A California law now in the works might bring that world to a crashing halt.
AB 2273, or the California Age-Appropriate Design Code Act, promises to make the Internet safer for children—in part by tightening age verification. Its opponents instead believe that, in the process, AB 2273 could completely decimate the existing Internet as we know it.
AB 2273 isn’t final just yet. To become California law, a bill has to pass both houses of the state legislature—the Assembly and the Senate—and then attain the signature of the governor. AB 2273 passed the Assembly on 29 August, and the Senate the next day, posting it to Governor Gavin Newsom’s desk. As of this writing, Newsom has yet to sign the bill. There’s little indication whether he will.
Suppose he does sign. Then, beginning on 1 July 2024, any website or app that “conducts business in California” and “provides an online service, product, or feature likely to be accessed by children” would need to follow yet-to-be-crafted code.
California wouldn’t be the first jurisdiction to tighten age-related design standards for websites. AB 2273 explicitly cites an existing law in the United Kingdom, which expects websites to comply with a bespoke age-appropriate design code. (In fact, both bills share a backer, one Baroness Beeban Kidron, a campaigner for children’s rights online.)
That U.K. law has already made ripples. YouTube disabled its autoplay feature for users under 18. Instagram started preventing adults from messaging under-18s who don’t follow them. TikTok stopped sending under-18s push notifications after a certain point each evening.
But according to Eric Goldman, a law professor at Santa Clara University and one of the bill’s harshest critics, in a U.S. regulatory environment that’s generally even less friendly to businesses, California’s code is likely to be stricter. “Any ‘lessons learned’ in the U.K. do not extend to the U.S. because the law literally cannot be implemented in the same way,” he says.
What does California’s AB 2273 require tech companies to do?
Though California’s code doesn’t yet exist, AB 2273 lays out a few requirements. For one, websites must report their data-management practices to a California government agency. Also, websites can’t collect or sell data on children (including geolocation) that isn’t absolutely necessary for children to use the website. And websites must tell a child when a parent or guardian is tracking their activity on that site.
Where AB 2273 becomes more than a little controversial is the requirement that, to determine which users ought to experience what, websites must “estimate the age of child users with a reasonable level of certainty.”
“Assuming businesses do not want to intentionally degrade their value proposition to adults, then they have no alternative other than to authenticate the age of all of their customers and then segregate adults from children, with different offerings for each,” says Goldman.
How a website will “estimate the age of child users” isn’t clear, and according to Techdirt, it might vary by website. A child entering a “high-risk” website, then, might need to submit an ID document for age verification. That failing, a child might literally have to scan their face. Not only is face recognition a technology whose reliability is questionable, mandating it could make websites inaccessible to people without a functioning camera.
And although the law champions privacy, it’s not clear that authentication along those lines could even be done in a privacy-conscious manner. Goldman says that websites might rely on insecure third-party services.
If AB 2273 passes, then its effects could spread well beyond the state’s borders. Websites will be left with two options: geolocating users in California (perhaps blocking them completely, potentially risking revenue), or applying the rules to all their users. Many websites will just find it easier to do the latter.
Then around the world, users might have to face the same age-authentication gauntlet that Californians would. And, according to Goldman, other jurisdictions might take after California in drafting their own laws.
But from many corners, the reaction has been less than positive. AB 2273 has garnered a wide range of opponents, including privacy advocates and big tech. Santa Clara’s Goldman likens the law to a neutron bomb. “It will depopulate the Internet and turn many services into ghost towns,” he says.
Of course, this is all still hypothetical. For now, the bill awaits Governor Newsom’s signature. Even if that happens, AB 2273 is hardly immune to lawsuits. NetChoice—an advocacy group that has helped take other laws passed in Florida and Texas to court—has already come out against the bill.