California is on the brink of first-of-it’s-kind legislation for children’s online safety.
The California Age-Appropriate Design Code Act, which would require online platforms to provide safeguards that mitigate risks for minors, took monumental and unopposed strides through the state Assembly and Senate floors last month. Put forth in a bipartisan effort from Assemblymembers Buffy Wicks (D-Oakland) and Jordan Cunningham (R-Templeton), the bill now awaits final signature from Gov. Gavin Newsom, whose opinion on the matter remains unclear.
The California Age-Appropriate Design Code Act’s overarching goal is clear: to uphold the “best interests of children” and “prioritize the privacy, safety, and well-being of children over commercial interests.” If signed, the legislation would position the Golden State at the forefront of sweeping changes for tech design and the way children engage with the internet in the state–and likely the country. But the breadth and uncertainty of those changes have also provoked some concern about the bill.
The California bill joins a wave of legislative pushes in the states and at the federal level following leaked Facebook documents that exposed the extent of mental health harms for teens on Instagram, specifically. Many of these bills have stalled out, making California’s success striking.
Many laud it as a long-awaited and lifesaving step forward in children’s privacy. Jim Steyer, Founder and CEO of Common Sense Media, wrote in a statement that it “sends an important signal about the need to make children’s online health and safety a greater priority for lawmakers and for our tech companies.”
“People are starting to understand how pervasive this issue is, how we are in this health crisis with youth wellbeing,” adds Emma Lembke, a 19-year-old digital wellness advocate and the founder of LOG OFF.
The bill took inspiration from the Age Appropriate Design Code (or Children’s code) in the U.K. that fully rolled out a year ago. Baroness Beeban Kidron, founder of the 5Rights Foundation, led the U.K. effort, which has inspired similar reviews of children’s privacy in Europe, Canada, Australia, and California, according to the Information Commissioner’s Office.
Tech companies have also made a number of global changes since the U.K. code went into effect (though Kidron notes that the companies have not credited the code, specifically, for inspiring those changes). YouTube turned off autoplay for users under 18 and made “take a break” reminders a default setting, Google made SafeSearch the default browser for people under 18, Nintendo only allows users over 16 years old to set up their own accounts and preferences, and TikTok and Instagram prevented direct messaging between children and unknown adult users, to name a few changes.
California’s bill would empower the state’s Attorney General with the authority to make similar demands. And while the California bill shares many similarities with the U.K. code, it also demonstrates some major departures. The U.K. Children’s code and even previous U.S. federal legislation in the U.S.—the 1988 Children’s Online Privacy Protection Act (COPPA)—pertains to services “obviously detrimental to children’s physical or mental health and wellbeing” or “directed to children.” The California bill expands this to include any “online service, product, or feature likely to be accessed by children,” and expands the definition of a child to anyone under 18 from COPPA’s previous definition as those under 13.
The broadness of the bill’s stipulations greatly expands its possible purview compared with other children’s privacy legislation. And therein lies its critics’ chief concern.
TechNet, an association with members from across the tech industry, argues that a “patchwork of state laws” would create further confusion and says a federal privacy law is necessary. In a formal letter to the California Senate Judiciary Committee chair, TechNet’s executive director, Dylan Hoffman, writes that the bill sets an “overinclusive standard” that would leave companies confused about whether the bill even pertains to them.
The Center for Democracy and Technology (CDT) echoed those concerns: “Because child is defined as under 18, that’s nearly all services,” says Aliya Bhatia, policy analyst for the Free Expression Project at CDT. “Older teens are using news sites, they’re searching for colleges, they are questioning their identity.”
Bhatia also pointed to the bill’s stipulation that privacy information be communicated to children in an understandable manner—”How do you write a privacy policy for a seven year old?”—as well as concerns that data companies may need to gather to verify a user’s age, “somewhat counter intuitively.” All of this means a heavier lift for smaller tech companies in particular, Bhatia argues.
The bill undoubtedly places an onus on tech companies, but in a different way than some previous legislation, says John Perrino, a policy analyst at the Stanford Internet Observatory. “The passing of this legislation really shows a change from focusing on content specific legislation, such as Section 230 and efforts to update that legislation, to something that really goes to address the architecture of potential harm online,” he says. “The design is less political.”
Indeed, the proactive nature of the bill would require companies to take a hard look at their policies and the way that children utilize their services and set up “guardrails,” as Wicks calls them. “We know that [children] are going to be digital natives, and we welcome that. It’s a modern era,” Wicks said in a press conference. “But we also want to make sure our children are safe.”
The bill does give companies space and time to time their wrongs. First, if the bill is signed, it wouldn’t go into effect until July 1, 2024. After that date, once companies are notified of a violation, they would have 90 days to amend it and avoid civil penalty. Otherwise, there are consequences: up to $2,500 per negligent violation and up to $7,500 per intentional violation.
The geographical weight of this decision is clear: California is the home base for many of the companies that would be most affected. Steyer says the bill would make California a leader in the nation and establish the state’s role in a global effort, one that Common Sense Media actively supports.
That’s just what advocates have been waiting for, and just what opposers like TechNet and the CDT caution against as they call for amends. Now, all that’s left is Newsom’s signature.
“He better sign it,” Steyer says. “If he wants to uphold his legacy and his reputation as a leader.”