Dear California Law Makers: How The Hell Can I Comply With Your New Age-Appropriate Design Code?
from the stop-the-nonsense dept
I really don’t have time for this kind of thing, but I wanted to pass along that it appears that the California legislature is very, very close to passing AB 2273, “The California Age-Appropriate Design Code Act.” As far as I can tell, it has strong support in the legislature and very little opposition. And that’s incredibly dangerous, because the bill is not just extremely problematic, but at the same time it’s also impossible to comply with. I hope Governor Newsom will veto it, but it seems unlikely.
Earlier this year, Professor Eric Goldman provided a long and detailed analysis of the many, many problems with the bill. As far as I can tell, since then, the California legislature has made a few adjustments to the bill, none of which fix any of Professor Goldman’s concerns (one pretends to), and some of which make them worse — and also create serious 1st Amendment problems for this bill. Oh, yeah, and they also carved out the one set of businesses with the longest record of actually abusing consumer privacy: telcos and broadband providers. Hilarious. It is astounding to me that the legislature appears to have just wholly ignored all of Goldman’s clearly laid out and explained problems with the bill.
This is a bill that, as is all too typical from politicians these days, insists that there’s a problem — without the evidence to back it up — and then demands an impossible solution that wouldn’t actually fix the problem if it were a problem. It’s the ultimate in moral panic lawmaking.
The bill is a “for the children” bill in that it has lots of language in there claiming that this is about protecting children from nefarious online services that create “harm.” But, as Goldman makes clear, the bill targets everyone, not just children, because it has ridiculously broad definitions.
We already have a federal law that seeks to protect children’s data online, the Children’s Online Privacy Protection Act (COPPA). It has serious problems, but this bill doesn’t fix any of those problems; it treats those problems as features and expands on them massively. COPPA — sensibly — applies to sites that are targeted towards those under 13. This has had some problematic side effects, including that every major site restricts the age of their users to over 13. And that’s even though many of those sites are useful for people under the age of 13 — and the way everyone deals with this is by signing up their children for these services and lying about their age. Literally a huge impact of COPPA is teaching children to lie. Great stuff.
But 2273 doesn’t limit its impact to sites targeting those under 13. It targets any business with an online service “likely to be accessed by children,” who are defined as “a consumer or consumers who are under 18 years of age.” I’m curious if that means someone who is not buying (i.e., “consuming”) anything doesn’t count? Most likely it will mean consuming as in “accessing / using the service.” And that’s… ridiculous.
Because EVERY service is likely to have at least someone under the age of 18 visit it.
After Goldman’s complaints, the California legislature did add in some clarifying language which awkwardly implies a single person under the age of 18 won’t trigger it, but that’s not at all clear, and the vagueness means everyone is at risk, and every site could be in trouble. The added language says that “likely to be accessed by children” means that “it is reasonable to expect, based on the following indicators, that the online service, product or feature would be accessed by children.” It then lists out a bunch of “indicators” that basically describe sites targeting children. But if they mean it to only apply to such sites, they should have said so explicitly, a la COPPA. Instead, the language that remains in the bill is still that “it is reasonable to expect… that the online service, product, or feature would be accessed by children.”
Let’s use Techdirt as an example. We’re not targeting kids, but I’m going to assume that some of you who visit the site are under the age of 18. Over the years, I’ve had quite a few high school students reach out to me about what I’ve written — usually based on their interest in internet rights. And that should be a good thing. I think it’s great when high schoolers take an active interest in civil liberties and the impacts of innovation — but now that’s a liability for me. We’re not targeting kids, but some may read the site. My kids might read the site because they’re interested in what their father does. Also, hell, the idea that all kids under 18 are the same and need the same level of protection is ludicrous. High schoolers should be able to read my site without difficulty, but I really don’t think elementary school kids are checking in on the latest tech policy fights or legal disputes.
Given that, it seems that, technically, Techdirt is under the auspices of this law and is now required to take all sorts of ridiculous steps to “protect” the children (though, not to actually protect anyone). After all, it is “reasonable” for me to expect that the site would be accessed by some people under the age of 18.
According to the law, I need to “estimate the age of child users with a reasonable level of certainty.” How? Am I really going to have to start age verifying every visitor to the site? It seems like I risk serious liability in not doing so. And then what? Now California has just created a fucking privacy nightmare for me. I don’t want to find out how old all of you are and then track that data. We try to collect as little data about all of you as possible, but under the law that puts me at risk.
Yes, incredibly, a bill that claims to be about protecting data, effectively demands that I collect way more personal data than I ever want to collect. And what if my age verification process is wrong? I can’t afford anything fancy. Does that violate the law? Dunno. Won’t be much fun to find out, though.
But then there’s the main part of the law — the “Data Protection Impact Assessment.” This applies to every new feature. Before we can launch it, because it might be accessed by children, we need to create such a “DPIA” for every feature on the site. Our comment system? DPIA. Our comment voting? DPIA. Our comment promotion? DPIA. The ability to listen to our podcast? DPIA. The ability to share our posts? DPIA. The ability to join our insider chat? DPIA. The ability to buy a t-shirt? DPIA. The ability to post our stories to Reddit, Twitter, Facebook, or LinkedIn? DPIA (for each of those, or can we combine them? I dunno). Our feature that recommends similar articles? DPIA. Search? DPIA. Subscribe to RSS? DPIA. DPIA. DPIA DPIA. Also, every two years we have to review all DPIAs.
Fuck it. No more Techdirt posts. I’m going to be spending all my time writing DPIAs.
We’re also working on a bunch of cool new features at this moment to make the site more useful for the community. Apparently we’ll need to do a data protection impact assessment of all those too. And that’s going to make us that much less likely to want to create these new features or to improve the site.
The DPIAs are not just useless busy work, they are overly broad and introduce massive liability. The Attorney General can demand them and we have three business days to turn over all of our DPIAs.
Many of the DPIAs are crazy intrusive and raise 1st Amendment issues. The DPIA has to analyze whether, if a child were exposed to the feature, it would expose them “to harmful, or potentially harmful, content on the online product, service, or feature.” Um. I dunno. Some of our comment discussions get pretty rowdy. Is that harmful? For a child? I mean, the bill doesn’t even define “harmful” so basically… the answer is I have no fucking clue.
We also have to cover whether or not a child could witness harmful conduct. We’ve written about police brutality many times. Some of those stories have videos or images. So, um, yeah? I guess a kid could potentially witness something “harmful.”
So, now basically EVERY company with a website is going to have to have a written document where they say “yes, our service might, in some random way, enable a child to witness harmful content.” And that’s kind of ridiculous. If you don’t say that, then the state can argue you did not comply with the law and failed to do an accurate DPIA. Yet, if you do say that, how much do you want to bet that will be used against companies as a weapon? There is some language in the bill about keeping the DPIAs confidential, but especially from the big companies they’re going to leak.
I can already predict the NY Times, WSJ, Washington Post headlines screaming about how “Big Tech Company X Secretly Knew Its Product Was Harmful!” That will be misleading as anything, because the only way to fill out a DPIA is to say “um, yes, maybe a child could possibly witness ‘harmful’ (again, undefined in the bill!!) content on this service.” Because that’s just kind of a fact of life. A child might witness harmful content walking down the street too, but we figure out ways to deal with it.
And, you have to imagine that DPIAs will be open for discovery and subpoenas in lawsuits, which will then be turned around on companies to insist that they had “knowledge” of the harms that could happen, and therefore they’re liable, even if the actual harm was not connected to the actual workings of the site, but the underlying content.
Part of the DPIA then is that once we’ve identified the potential harm, we have to “create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessed by children.”
So, um, how do we mitigate the “harm” we might provide? We can’t report on police brutality any more? We can’t have comments any more? Because some undefined “child” (including high school students) out there might access it and witness “harmful” content? How is that possible?
I literally don’t know how to comply with any of this. And, doesn’t that violate the 1st Amendment? Having the government demand I document and mitigate (undefined) “harm” from my site or the content on my site seems like it’s a content moderation bill in disguise, requiring me to “mitigate” the harms (i.e., take down or ban content). And, well, that’s a 1st Amendment problem.
The enforcement of the bill is in the hands of the Attorney General. I doubt the AG is going to go after Techdirt… but, I mean, what if I write something mean about them? Now they have a tool to harass any company, demanding they hand over all their DPIAs and potentially fining them “a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation.”
So… if a class of 20 high schoolers decide to visit Techdirt to learn about their civil liberties under attack in California… the AG could then effectively fine me $150,000 for not having mitigated the “harm” they may have endured (the AG would likely have to give me 90 days to “cure” the violation, but as discussed above, there is no cure).
At the very least, this bill would make me extremely nervous about ever criticizing California’s Attorney General (especially if they seem like the vindictive type — and there are plenty of vindictive AGs in other states), because they now have an astounding weapon in their toolbox to harass any company that has a website. As such, this bill — just by existing — suppresses my speech in that it leads to us being less willing to criticize the Attorney General.
Eric Goldman keeps posting about how this blows up the internet. My guess is that it’s actually going to be almost entirely ignored… until it’s used to bash a company for some other issue. It’s impossible to comply with. It creates a massive amount of busy work for almost all companies with a website, almost all of which will ignore it. The biggest companies will send off their legal teams to write up a bunch of useless DPIAs (that only will create legal liability for them). More mid-sized companies may do the same, though they may also significantly decrease the kinds of features they’ll add to their websites. But every smaller company is going to just totally ignore it.
And then, any time there’s some other issue that politicians are mad about, the AG will have this stupid thing in their back pocket to slam them with. It’s performative lawmaking at its absolute worst.
And no one can explain how any of this will actually help children.
Here’s the thing that’s particularly stupid about all of this. The underlying premise of the bill is completely disconnected from reality. It’s premised on the idea that most websites don’t have any incentive to be careful with children. Are there some egregious websites out there? Sure. So write a fucking bill that targets them. Not one that wraps in everyone and demands impossible-to-comply-with busy work. Or, JUST USE THE AUTHORITIES THAT ALREADY EXIST. COPPA exists. The California AG already has broad powers to protect California consumers. Use them!
If there are credible sites that are nefariously harming kids, why not use those powers, rather than forcing impossible-to-comply-with busy work on absolutely everyone just in case a bunch of teenagers like the site?
The whole thing is the worst of the worst in today’s tech policymaking. It misunderstands the problem, has no clue about what its own law will do, and just creates a massive mess. Again, I think the end result of any such law is that it is mostly ignored. And we shouldn’t be passing a law if the end result is that it’s going to be ignored and basically have everyone violate it. And that just creates a massive liability risk, because eventually, the AG is going to go after companies for this while everyone is ignoring it, and then there will be a flurry of concern.
Honestly, seeing my home state pass a law like this makes me think that California no longer wants internet businesses to be opening up here. Why would you?
But, California politicians need headlines about how they’re “taking on big tech” and “protecting the children” and so we get this utterly disconnected from reality nonsense. No one can possibly comply with it, so now the California Attorney General can target any business with a website.
That just doesn’t seem wise at all.