Dear California Law Makers: How The Hell Can I Comply With Your New Age-Appropriate Design Code?

from the stop-the-nonsense dept

I really don’t have time for this kind of thing, but I wanted to pass along that it appears that the California legislature is very, very close to passing AB 2273, “The California Age-Appropriate Design Code Act.” As far as I can tell, it has strong support in the legislature and very little opposition. And that’s incredibly dangerous, because the bill is not just extremely problematic, but at the same time it’s also impossible to comply with. I hope Governor Newsom will veto it, but it seems unlikely.

Earlier this year, Professor Eric Goldman provided a long and detailed analysis of the many, many problems with the bill. As far as I can tell, since then, the California legislature has made a few adjustments to the bill, none of which fix any of Professor Goldman’s concerns (one pretends to), and some of which make them worse — and also create serious 1st Amendment problems for this bill. Oh, yeah, and they also carved out the one set of businesses with the longest record of actually abusing consumer privacy: telcos and broadband providers. Hilarious. It is astounding to me that the legislature appears to have just wholly ignored all of Goldman’s clearly laid out and explained problems with the bill.

This is a bill that, as is all too typical from politicians these days, insists that there’s a problem — without the evidence to back it up — and then demands an impossible solution that wouldn’t actually fix the problem if it were a problem. It’s the ultimate in moral panic lawmaking.

The bill is a “for the children” bill in that it has lots of language in there claiming that this is about protecting children from nefarious online services that create “harm.” But, as Goldman makes clear, the bill targets everyone, not just children, because it has ridiculously broad definitions.

We already have a federal law that seeks to protect children’s data online, the Children’s Online Privacy Protection Act (COPPA). It has serious problems, but this bill doesn’t fix any of those problems, it treats those problems as features and expands on them massively. COPPA — sensibly — applies to sites that are targeted towards those under 13. This has had some problematic side effects, including that every major site restricts the age of their users to over 13. And that’s even though many of those sites are useful for people under the age of 13 — and the way everyone deals with this is by signing up their children for these services and lying about their age. Literally a huge impact of COPPA is teaching children to lie. Great stuff.

But 2273 doesn’t limit its impact to sites targeting those under 13. It targets any business with an online service “likely to be accessed by children” who are defined by “a consumer or consumers who are under 18 years of age.” I’m curious if that means someone who is not buying (i.e., “consuming”) anything doesn’t count? Most likely it will mean consuming as in “accessing / using the service.” And that’s… ridiculous.

Because EVERY service is likely to have at least someone under the age of 18 visit it.

After Goldman’s complaints, the California legislature did add in some clarifying language which awkwardly implies a single person under the age of 18 won’t trigger it, but that’s not at all clear, and the vagueness means everyone is at risk, and every site could be in trouble. The added language says that “likely to be accessed by children” means that “it is reasonable to expect, based on the following indicators, that the online service, product or feature would be accessed by children.” It then lists out a bunch of “indicators” that basically describe sites targeting children. But if they mean it to only apply to such sites, they should have said so explicitly, a la COPPA. Instead, the language that remains in the bill is still that “it is reasonable to expect… that the online service, product, or feature would be accessed by children.”

Let’s use Techdirt as an example. We’re not targeting kids, but I’m going to assume that some of you who visit the site are under the age of 18. Over the years, I’ve had quite a few high school students reach out to me about what I’ve written — usually based on their interest in internet rights. And that should be a good thing. I think it’s great when high schoolers take an active interest in civil liberties and the impacts of innovation — but now that’s a liability for me. We’re not targeting kids, but some may read the site. My kids might read the site because they’re interested in what their father does. Also, hell, the idea that all kids under 18 are the same and need the same level of protection is ludicrous. High schoolers should be able to read my site without difficulty, but I really don’t think elementary school kids are checking in on the latest tech policy fights or legal disputes.

Given that, it seems that, technically, Techdirt is under the auspices of this law and is now required to take all sorts of ridiculous steps to “protect” the children (though, not to actually protect anyone). After all, it is “reasonable” for me to expect that the site would be accessed by some people under the age of 18.

According to the law, I need to “estimate the age of child users with a reasonable level of certainty.” How? Am I really going to have to start age verifying every visitor to the site? It seems like I risk serious liability in not doing so. And then what? Now California has just created a fucking privacy nightmare for me. I don’t want to find out how old all of you are and then track that data. We try to collect as little data about all of you as possible, but under the law that puts me at risk.

Yes, incredibly, a bill that claims to be about protecting data, effectively demands that I collect way more personal data than I ever want to collect. And what if my age verification process is wrong? I can’t afford anything fancy. Does that violate the law? Dunno. Won’t be much fun to find out, though.

I apparently need to rewrite all of our terms, privacy policy, and community standards in “clear language suited for children.” Why? Do I need to hire a lawyer to rewrite our terms to then… run them by my children to see if they understand them? Really? Who does that help exactly (beyond the lawyers)?

But then there’s the main part of the law — the “Data Protection Impact Assessment.” This applies to every new feature. Before we can launch it, because it might be accessed by children, we need to create such a “DPIA” for every feature on the site. Our comment system? DPIA. Our comment voting? DPIA. Our comment promotion? DPIA. The ability to listen to our podcast? DPIA. The ability to share our posts? DPIA. The ability to join our insider chat? DPIA. The ability to buy a t-shirt? DPIA. The ability to post our stories to Reddit, Twitter, Facebook, or LinkedIn? DPIA (for each of those, or can we combine them? I dunno). Our feature that recommends similar articles? DPIA. Search? DPIA. Subscribe to RSS? DPIA. DPIA. DPIA DPIA. Also, every two years we have to review all DPIAs.

Fuck it. No more Techdirt posts. I’m going to be spending all my time writing DPIAs.

We’re also working on a bunch of cool new features at this moment to make the site more useful for the community. Apparently we’ll need to do a data protection impact assessment of all those too. And that’s going to make us that much less likely to want to create these new features or to improve the site.

The DPIAs are not just useless busy work, they are overly broad and introduce massive liability. The Attorney General can demand them and we have three business days to turn over all of our DPIAs.

Many of the DPIAs are crazy intrusive and raise 1st Amendment issues. The DPIA has to analyze if a child was exposed to the feature would it expose them “to harmful, or potentially harmful, content on the online product, service, or feature.” Um. I dunno. Some of our comment discussions get pretty rowdy. Is that harmful? For a child? I mean, the bill doesn’t even define “harmful” so basically… the answer is I have no fucking clue.

We also have to cover whether or not a child could witness harmful conduct. We’ve written about police brutality many times. Some of those stories have videos or images. So, um, yeah? I guess a kid could potentially witness something “harmful.”

So, now basically EVERY company with a website is going to have to have a written document where they say “yes, our service might, in some random way, enable a child to witness harmful content.” And that’s kind of ridiculous. If you don’t say that, then the state can argue you did not comply with the law and failed to do an accurate DPIA. Yet, if you do say that, how much do you want to bet that will be used against companies as a weapon? There is some language in the bill about keeping the DPIAs confidential, but especially from the big companies they’re going to leak.

I can already predict the NY Times, WSJ, Washington Post headlines screaming about how “Big Tech Company X Secretly Knew It’s Product Was Harmful!” That will be misleading as anything, because the only way to fill out a DPIA is to say “um, yes, maybe a child could possibly witness “harmful” (again, undefined in the bill!!) content on this service.” Because that’s just kind of a fact of life. A child might witness harmful content walking down the street too, but we figure out ways to deal with it.

And, you have to imagine that DPIA’s will be open for discovery and subpoenas in lawsuits, which will then be turned around on companies to insist that they had “knowledge” of the harms that could happen, and therefore they’re liable, even if the actual harm was not connected to the actual workings of the site, but the underlying content.

Part of the DPIA then is that once we’ve identified the potential harm, we have to “create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessed by children.”

So, um, how do we mitigate the “harm” we might provide? We can’t report on police brutality any more? We can’t have comments any more? Because some undefined “child” (including high school students) out there might access it and witness “harmful” content? How is that possible?

I literally don’t know how to comply with any of this. And, doesn’t that violate the 1st Amendment? Having the government demand I document and mitigate (undefined) “harm” from my site or the content on my site seems like it’s a content moderation bill in disguise, requiring me to “mitigate” the harms (i.e., take down or ban content). And, well, that’s a 1st Amendment problem.

The enforcement of the bill is in the hands of the Attorney General. I doubt the AG is going to go after Techdirt… but, I mean, what if I write something mean about them? Now they have a tool to harass any company, demanding they hand over all their DPIAs and potentially fining them “a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation.”

So… if a class of 20 high schoolers decide to visit Techdirt to learn about their civil liberties under attack in California… the AG could then effectively fine me $150,000 for not having mitigated the “harm” they may have endured (the AG would likely have to give me 90 days to “cure” the violation, but as discussed above, there is no cure).

At the very least, this bill would make me extremely nervous about ever criticizing California’s Attorney General (especially if they seem like the vindictive type — and there are plenty of vindictive AGs in other states), because they now have an astounding weapon in their toolbox to harass any company that has a website. As such, this bill — just by existing — suppresses my speech in that it leads to us being less willing to criticize the Attorney General.

Eric Goldman keeps posting about how this blows up the internet. My guess is that it’s actually going to be almost entirely ignored… until it’s used to bash a company for some other issue. It’s impossible to comply with. It creates a massive amount of busy work for almost all companies with a website, almost all of which will ignore it. The biggest companies will send off their legal teams to write up a bunch of useless DPIAs (that only will create legal liability for them). More mid-sized companies may do the same, though they may also significantly decrease the kinds of features they’ll add to their websites. But every smaller company is going to just totally ignore it.

And then, any time there’s some other issue that politicians are mad about, the AG will have this stupid thing in their back pocket to slam them with. It’s performative lawmaking at its absolute worst.

And no one can explain how any of this will actually help children.

Here’s the thing that’s particularly stupid about all of this. The underlying premise of the bill is completely disconnected from reality. It’s premised on the idea that most websites don’t have any incentive to be careful with children. Are there some egregious websites out there? Sure. So write a fucking bill that targets them. Not one that wraps in everyone and demands impossible-to-comply with busy work. Or, JUST USE THE AUTHORITIES THAT ALREADY EXIST. COPPA exists. The California AG already has broad powers to protect California consumers. Use them!

If there are credible sites that are nefariously harming kids, why not use those powers, rather than forcing impossible-to-comply with busy work on absolutely everyone just in case a bunch of teenagers like the site?

The whole thing is the worst of the worst in today’s tech policymaking. It misunderstands the problem. Has no clue about what its own law will do, and just creates a massive mess. Again, I think the end result of any such law is that it is mostly ignored. And we shouldn’t be passing a law if the end result is that it’s going to be ignored and basically have everyone violate it. And that just creates a massive liability risk, because eventually, the AG is going to go after companies for this while everyone is ignoring it, and then there will be a flurry of concern.

Honestly, seeing my home state pass a law like this makes me think that California no longer wants internet businesses to be opening up here. Why would you?

But, California politicians need headlines about how they’re “taking on big tech” and “protecting the children” and so we get this utterly disconnected from reality nonsense. No one can possibly comply with it, so now the California Attorney General can target any business with a website.

That just doesn’t seem wise at all.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Dear California Law Makers: How The Hell Can I Comply With Your New Age-Appropriate Design Code?”

Subscribe: RSS Leave a comment
70 Comments
This comment has been deemed insightful by the community.
Samuel Abram (profile) says:

I remember when I was a teenager in the 1990’s and my dad took me to see The People vs. Larry Flynt (at my request) and that made me became a civil libertarian, after which I followed the ACLU web site religiously.

What California is doing is denying the tools to become an active citizen of a democracy to the next generation that I was fortunate to have because I was born at the right time. I really hope this farce of a bill is struck down by a sane court.

Geekoid says:

Re: No, it isn't.

The bill is fine and not impossible to implement.
Damn modern programs just hate anything moderately complex they can’t build with point and click IDEs.
Shame full.
This law is much needed and will be fine. Since you are to busy trying to figure out simple programming tasks, you probably haven’t notice the increase in attack and misinformation focused on people, usually boys, under 13.

Your alarmist rant is bad, and you should feel bad.

This comment has been deemed insightful by the community.
That One Guy (profile) says:

'They paid us off so of course they don't have to follow the rules!'

Oh, yeah, and they also carved out the one set of businesses with the longest record of actually abusing consumer privacy: telcos and broadband providers. Hilarious.

Nothing says ‘this bill is a grossly dishonest PR stunt’ like exempting certain industries for violations of the very problem those involved in the bill want to claim are super serious.

Given the only way to prevent children from seeing ‘harmful’ content would be to either ban it entirely(oh look, forced moderation) or force even visitors to the site to provide sufficient personal data so as to ensure that only people ‘old enough’ are accessing the site, therefore utterly destroying the ability to even access the site anonymously, to call this bill effectively impossible to comply with does not strike me as hyperbole.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re:

or force even visitors to the site to provide sufficient personal data so as to ensure that only people ‘old enough’ are accessing the site,

And just how do you achieve that, where you cannot see the person submitting the details? Any half competent teenager could provide the details of a parent, up to and including credit card details?

This comment has been flagged by the community. Click here to show it.

This comment has been deemed insightful by the community.
Samuel Abram (profile) says:

Re:

How has this bill gotten this far without Google and Facebook squashing it?

Because they’ll be the only web sites in existence because they’re the only ones who are big enough to be able to comply with the liability. This bill destroys their competition.

ML2 (user link) says:

Re: Re: There hasn't been much said about this bill tbh...

I could see Google or Facebook not saying anything for that reason, but normally one would expect other large sites to say something about this (Wikimedia, EFF, etc.)

I suspect this bill simply hasn’t been noticed by many people, groups, or corporations, especially all the other stuff going on in the world right now. It deserves a lot more attention, but that attention is currently being spent on other matters.

This comment has been deemed insightful by the community.
Anonymous Coward says:

A child might witness harmful content walking down the street too, but we figure out ways to deal with it.

I’ve said before (maybe even here on Techdirt): Reality is rated XXX (or higher).

I do recommend parents/guardians have a care what their charges are exposed to… however I do NOT recommend keeping them away from reality.

Anonymous Coward says:

Re:

Ban children from the Internet. Except for a few unfortunates, most people are adults for much longer than children.

Pass a national law that says children (i.e., those who in a specific state are too young to marry with parental permission or too young to be forced to give birth or too young to be sent to prison for life) cannot use the internet. Its absurd to define children as under 18 if they can get forced to give birth and raise a child at 10.

jojo_36 (profile) says:

Re: Re:

Well the plus side, if this bill does pass, it’ll go affect in the start of 2024, so anything could happen between then and now. I’m trying to be more optimistic about this, but considering how unopposed this bill has been in the Californian Congress, it’s hard to.

Personally, I think in worse case scenario, the bill will cause a ton of confusion with some opportunistic bad actors taking advantage. Will it “Blow up the Internet?” Personally I don’t think so. I usually agree with Eric Goldman, and I agree that AB 2273 is a bad and confusingly written mess with “OK boomer” vibes. Is it problematic? Yes. Is it confusing as all heck? Definitely. But is it on the same level as Article 13/17? No. AB 2273 is so atrociously written I don’t think anyone would know how to implement it or everyone will ignore it altogether. I’m no fortune teller.

But then again, like I said, anything could happen between then and now.

This comment has been deemed insightful by the community.
denvermichael (profile) says:

The companies that would really make some cash from this law are those who will whip up boilerplate DPIAs. Like whoever sells the breakroom posters outlining the minimum wage rules and other stuff employers are required to show their workers.

Web sites will then fill out DPIAs like Mad Libs. “This site’s goat customization feature uses cookies to maintain users’ choices between online sessions.” Just think – when other states and countries inevitably require parallel but different versions, there’ll be folders full of DPIA-ish documents for every jurisdiction.

Dumb, dumb, dumb.

This comment has been deemed insightful by the community.
This comment has been deemed funny by the community.
Anonymous Coward says:

Look, complying with this new law is a lot easier than you’re making out. Right after the law is passed, add a new landing page that has one and only one thing on it:
Are you accessing this site from California? Click YES or NO.

If you click NO, it proceeds to the normal TechDirt site. If you click NO, you get a sad trombone sound and a page that reads,
I’m sorry, this site is not available in California because it cannot comply with “The California Age-Appropriate Design Code Law.”

This comment has been deemed insightful by the community.
This comment has been deemed funny by the community.
Norahc (profile) says:

The Harm of Techdirt

So, um, how do we mitigate the “harm” we might provide?

The harm this site provides is teaching children to question and think for themselves. Obviously, parents are too busy to do this for their children, so the legislature feels the need to do it for them.

This comment has been deemed funny by the community.
BernardoVerda (profile) says:

Weird synergy, between the latest stories...

… or maybe Techdirt is trying to displace The Onion

Techdirt: Wed, Aug 24th 2022 11:59am
Dear California Law Makers: How The Hell Can I Comply With Your New Age-Appropriate Design Code?

Techdirt: Wed, Aug 24th 2022 10:45am
Spending Too Long Pooping At School? There’s A (Government) App For That

I’m not the only one seeing a pattern here, right?

Bill Dimireo says:

This is a state law!

Why is everyone so concerned. This is California law. Congress did not pass this. President Biden did not sign this into law the Governor of California did. These websites will just pick up and leave California and go to another state and pay there taxes so it’s California loss if this law goes into effect. Why is everyone so worried? Can someone explain how a California law will effect the entire internet and would not the company’s just leave California and go somewhere else if this law went into effect. Please explain the worry about this state law to me?

Anonymous Coward says:

Re:

Can someone explain how a California law will effect the entire internet and would not the company’s just leave California and go somewhere else if this law went into effect.

Because most governments claim that their laws apply to a website if residents in that government’s jurisdiction are able to view the website. IE, if someone in California can view the website, California will claim that its laws are applicable to the site. While that might not affect people outside the US too much, there are various laws that describe how the laws of one state can apply to parties in another state.

btr1701 (profile) says:

Re: Re:

Because most governments claim that their laws
apply to a website if residents in that government’s
jurisdiction are able to view the website.

Good luck trying to make some guy in New Hampshire write a DPIA for every feature on his website because a bunch of clowns in California that he’s never heard of and certainly didn’t vote for say he has to.

Naughty Autie says:

Potential solution.

Every company whose business revolves mainly around the Internet should just up sticks and move from Silicon Valley to Silicon Forest. Because this PoS bill is a state law, it won’t be in effect in Oregon, so let California legislators learn through higher unemployment and fewer taxes. Horrible for the people involved, but if this bill is signed into law, there won’t be any other option.

This comment has been deemed insightful by the community.
Raziel says:

Re:

An even better solution is to pull a SOPA 2.0. If Mike was to code a bot that can detect visitors’ IP addresses and put up a message for those in California, said message reading: “Hi. We’ve noticed you’ve accessed this site from a state which has passed impossible to follow laws ostensibly to protect children. If you wish to access this site, then please contact your local legislators and ask them to repeal AB 2273.” Get every website in the country, and as many as you can from abroad, to join in on the act, and this horrendous bill might just share SOPA’s fate.

Klvino says:

Retailers and apps

Retailers may need to set age restrictions on which product categories may be visible, an extension of the age verification required by beer, wine, and spirits websites.

Virtually all apps will need to enforce age verification.

Will these companies simply geo restrict content to California so only a single state experiences the additional age restriction prompts or will companies roll out this poor user experience nationwide. TBD.

Now imagine if you were in a country where you need a VPN to access the open web. And you switch your VPN to US geo only to be faced with massive content blocking and restrictions, the irony.

Naughty Autie says:

Re:

TBF, I think Mike’s pointing out the irony of parents raising their children to not lie, then having to teach them to do just that in order to gain access to educational materials online. The problem with many politicians is they believe that education takes place only in schools and colleges, etc., and don’t realise that learning occurs in any and all settings.

Thomas Raven (user link) says:

legislation as campaign ad

We’re getting more and more legislated nonsense just so politicians can mention these new laws in their ads. No one who supports these ridiculous laws believe that they will ever get enforced. But since they’re actually LAWS, they’re extremely dangerous and can be wielded like your uncle’s wallhanger katana on a drunken Saturday night.

Rich says:

Clean your own shit first

I have seen kids get very traumatized by watching online videos of violent acts against other children, some taking place in schools, committed by gangs of angry thugs, so I do agree that something should be done.
I would suggest that a different angle might be better.
So, State of California, perhaps the safety and well-being of kids would be better served if you stopped hiring heavily armed maniacs to harass, punch, tase, choke, and sometimes shoot other kids and family members, who are often the subjects of the content you pretend to be so worried about.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re:

Of course, Techdirt has long had an editorial policy in favor of more FCC control of the Internet,

Techirt promote FCC control over ISP’s, that is access to the Internet, as common carriers. It is also for platforms controlling the content they allow, but that is no government control.

Ron Currier (profile) says:

Think of the children

Like all of these “save the children” laws, they are just ways to absolve parents from doing their job. If you don’t want your kid going to TechDirt or PornHub, just block the website. All modern browsers have blocking lists as does the firewall on your internet router. Don’t know which ones to block, then block them all and whitelist Disney (nope, Disney has shows with same-sex kisses now. And non-white people). Or just have discussions about topics that they might be searching for. Or just keep them off the internet completely and assure that they will never have any opinions other than yours. Be a damn Parent. And, yes, I have kids.

Josh says:

simple solution

footer : “are you under 18?” with a yes button that takes you immediately to youtube and sets a cookie blocking you from this website

popup on first visit “do you agree to tell the truth?”
second popup “are you over 18?”
sets a cookie and/or sends you to youtube

The defense here is that we are assuming children never lie and are telling the truth. The oppositional argument is that in the interest of protecting children, i have to assume that children are lying and that everyone claiming to be over 18 might actually be a child, in which case the bill becomes indefensible because it requires me to profile children.

mechtheist (profile) says:

Think of the children!

We live in a country where horror at the thought that some child might see the bare breast of a woman or even someone’s exposed butt is commonplace and not ridiculed. This makes the idea of “potentially harmful” absurdly broad and open to the most extreme interpretations. It would definitely be a nightmare to attempt to comply with such BS.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...