The California Legislature is aggressively pursuing several wide-sweeping and radical proposals to regulate the Internet. One especially problematic bill is AB 2273, the California Age Appropriate Design Code Act (AADC). Framed as a protect-kids-online bill, the AADC would radically reshape the Internet — and harm both kids and adults alike.
The AADC requires businesses to adopt protective practices for children. On the surface, this sounds pretty good. However, to achieve this outcome, businesses must know which users are kids. This would require businesses to authenticate all of their users’ ages — and that is bad news for everyone.
Mandatory age authentication would change how everyone uses the Internet.
Currently, we casually go from site to site, seamlessly moving between services. Post-AADC, users will first be required to prove their age before they can visit any new site — even if they just plan to visit for a second, and even if they never plan to return.
Knowing that each click to a new site will involve an unwanted hassle, users will stop clicking around as freely. The Internet will lose some vibrancy as a result.
The actual process of age authentication usually involves either (1) an interrogation of personal details or (2) evaluating the user’s face so that software can estimate the age. Neither process is error-free, and either imposes costs that some businesses can’t afford.
More importantly, the authentication process is highly invasive. Most people won’t want to share their sensitive details with every new site they visit, especially if they don’t know yet if they can trust the site.
Profligate sharing of such data increases the risks that it will be captured and misused both by shady sites and authentication services as well as by malefactors who intercept or steal the data. AB 2273 claims to protect kids’ privacy, but instead it counterproductively puts children’s sensitive data at greater privacy and security risks.
To avoid making their users repetitively authenticate their age with each visit, many sites will authenticate users’ identity so they can recognize return visitors. But universal identity authentication creates even more problems. It prevents anonymous or pseudonymous browsing—something that’s critical to vulnerable communities with sensitive information needs, like LGBTQ individuals or people with medical or psychological conditions that they don’t want others to know about.
Identity authentication also discourages people from sharing criticism, such as negative consumer reviews, or whistleblowing about wrongful conduct.
Finally, the AADC’s overreaching obligations impose extraordinary liability risks on businesses, which businesses can manage only by closing their doors to minors altogether. In other words, the AADC will dramatically shrink the Internet for kids.
In a digital era where Internet expertise is essential for most jobs, AADC sends a regressive message that California kids should grow up digitally naïve. That will put California minors at a comparative professional disadvantage for the rest of their lives—another way AADC counterproductively hurts kids.
To recap: the AADC would erect digital barriers throughout the Internet for everyone; drive some businesses out of the industry entirely; expose everyone, including children, to greater privacy and security risks; strip vulnerable users of access to sensitive information they need; create chilling effects that discourage critical and whistleblower content; shrink the Internet for California minors; and put California minors at a permanent professional disadvantage.
With all of these terrible consequences, it’s hard to believe the California Legislature didn’t instantly reject it. It’s a reminder that we should be skeptical when legislators say they want to protect kids online.
As the AADC shows, their protect-the-kids solutions could do far more harm than good. If the legislature is foolish enough to pass a bad bill like this, Gov. Newsom should veto it.
Crossposted from Capitol Weekly