California’s new internet law is a fucking disaster

Ensuring that children can experience the benefits of the Internet without being exposed to its more harmful aspects has been a challenge for parents and others for decades. However, this concern for children can often become so extreme that it does more harm than good.

In the 1990s, overblown news based on a quickly debunked report of online porn led to Democratic Senator James Exon pushing through the Communications Decency Act. Exon famously printed out numerous pornographic images he found online and put them in his “little blue book” to show other senators how to urge them to vote for his law. Exon’s law was later struck down by the Supreme Court as unconstitutional because it would place an “unacceptably heavy burden on protected speech” that “endangers[ed] torching a large chunk of the internet community.”

However, moral crusades about the risks of the internet for children never go out of style.

The latest version of this is being pushed by a British baroness, Beeban Kidron, a Hollywood film director who set up a non-profit organization to push for laws supposedly protecting children online. When people pointed out the challenges of regulating the internet, she said pointed to China as a positive example.

Kidron’s group, the 5Rights Foundation, gives credit to the UK’s Age Appropriate Design Code (AADC) – which isn’t really a law, but a guide for regulators on how to interpret UK data protection law. Although 5Rights has submitted hundreds of complaints about websites to UK regulators under the AADC, regulators have not taken any action on any of them. That hasn’t stopped 5Rights from acknowledging dozens of changes to various internet services.

Kidron has attempted to export the AADC worldwide and found a receptive audience within the California legislature, which produced a bipartisan bill, AB 2273 (“The California Age-Appropriate Design Code Act” or CAADC), loosely based on the UK AADC based, but with much stricter requirements and enforcement. 5Rights is a sponsor of the California bill.

Photo illustration by Luis G. Rendon/The Daily Beast/Getty

While law professor Eric Goldman has conducted a thorough analysis of the many issues in the CAADC, we’ll address only the biggest concerns.

First, despite the discussion and wording that it’s “for the kids,” it will affect everyone. The law applies to websites operated by companies that children are “likely to access”. Unlike the federal Children’s Online Privacy Protection Act (COPPA) – which applies to sites that are addressed to Children (defined in this bill as anyone under the age of 13) – the language of “likely to access” casts a much wider net, meaning almost all websites are covered by the law.

Second, the bill defines “children” and “child” as “consumers or consumers under the age of 18.” In other words, the bill Treats 5 year olds the same as 17 year olds, although these age groups are obviously very different. There are many websites that are perfectly appropriate for a high school student but would be inappropriate for a preschooler.

Third, if your site is “likely to be accessed by persons under the age of 18,” then you must “Estimate the age of users of children with a reasonable level of confidence.” This will almost certainly require some sort of age verification system, meaning websites will have a limited set of privacy-invasive options at their disposal. The largest “age verification” service (by far) is actually operated by the parent company behind Pornhub.

Therefore, the end result of a law ostensibly designed to “protect children” may instead be children having to share their information with the world’s largest porn company – one with a terrible history when it comes to children.

There are some alternative age verification providers who want to replace Pornhub’s age verification with a system that requires a face scan using AI to estimate your age for every website you visit. Normalizing face scans seems diametrically opposed to protecting privacy.

There are also questions about the reliability and accuracy of such technology. Age verification providers told me that to combat gaming, they may require a “liveness test” where, before you can access a website, they force you to record a video of yourself repeating a series of phrases in order to to prove that you earn your living person. Like a hostage video.

But none of this touches even the body of the bill, which would be a huge boon for privacy advocates. Every website covered by this law would have to prepare a data protection impact assessment (DPIA). everyone function on their website. Most websites have dozens of functions – things like search, advertising, comments, sharing, etc. – and each one requires a legal analysis of how it works could cause “harm” to a child, including accessing “harmful content” (much of which is protected under the 1st Amendment).

In particular, “damage” is not defined in the law. It seems left to the imagination of the California Attorney General, who can make claims under the law and fine companies for defaults.

These DPIAs for each feature on each site must be available within three days when requested by the Attorney General. If the DPIA finds a “risk of material harm to children” (again also on a website targeted at adults but which is “likely to be accessed by anyone under the age of 18), the website must “establish a timed mitigation plan or eliminate the risk before children access the online service, product or feature.”

It is unclear how most sites could even comply with this.

Would a site that hosts heated debates need to “make a timeline” to stop allowing such strong language? Eventually, if a high school student accesses the site, it could be considered “harmful content.” This also appears to raise some serious First Amendment questions, and leads us to an “unacceptably heavy burden on protected expression” that “risks setting fire to much of the internet community” — as the Supreme Court found when it passed the Communications Decency Act discarded.

The end result is a law that covers a very large number of websites, is almost impossible to comply with, requires privacy-invasive screening techniques, and is almost certainly unconstitutional because it suppresses protected expression. And that’s just the beginning of the list of problems with the bill. This article would get too long if I went into some of the other topics.

Unfortunately, for the most part, the people and organizations who would normally resort to such a bill have been silent. When I researched why, I was told that anyone who opposes this law will be attacked for not wanting to protect children — and at a time when there are so many headlines about vulnerable children online, they want to No organization deal with the consequences of public relations.

But the simple fact is that this law will do nothing to really help children. It may actually put you at greater risk due to the privacy-invasive verification techniques. It will be a huge boon to privacy advocates (who advocate for it directly) and it will fundamentally change the way many people interact with the internet.