Opinion

California’s New Internet Law Is a Fucking Disaster

SO, SO BAD

In the name of protecting children, legislators have introduced a trove of requirements that are anti-privacy and almost impossible to comply with.

opinion
090222-Masnick-california-hero_fc0im0
Photo Illustration by Luis G. Rendon/The Daily Beast/Getty

For decades now, it has been a challenge for parents and others to make sure that children can experience the benefits of the internet without being exposed to its more harmful aspects. However, that concern for children can often be taken to such extreme levels that it does more harm than good.

In the 1990s, an exaggerated news story based on a quickly debunked report about online porn resulted in Democratic Sen. James Exon pushing through the Communications Decency Act. Exon, somewhat famously, printed out numerous pornographic images he found online, and put them into his “little blue book” to show other senators to urge them to vote for his law. Exon’s law was later struck down by the Supreme Court as unconstitutional, saying it would place an “unacceptably heavy burden on protected speech” that “threaten[ed] to torch a large segment of the Internet community.”

Moral crusading about the risks of the internet to kids never goes out of fashion, however.

ADVERTISEMENT

The latest version of this is driven by a British baroness, Beeban Kidron, a Hollywood film director who launched a nonprofit organization to push for laws to, ostensibly, protect children online. When people have pointed out the challenges of regulating the internet, she has pointed to China as a positive example.

Kidron’s group, the 5Rights Foundation, takes credit for the U.K.’s Age Appropriate Design Code (AADC)—which is not actually a law, but rather guidance for regulators on how to interpret the U.K.’s Data Protection Act. While 5Rights has submitted hundreds of complaints to U.K. regulators about websites under the AADC, the regulators have not taken action on any of them. That has not stopped 5Rights from taking credit for dozens of changes to various internet services.

Kidron has sought to export the AADC globally, and found a receptive audience within the California legislature, which brought forth a bipartisan bill, AB 2273 (“The California Age-Appropriate Design Code Act” or CAADC), loosely based on the U.K. AADC but with much more stringent requirements and enforcement. 5Rights is a sponsor of the bill in California.

090222-Masnick-california-embed1_eq7qag

Beeban Kidron.

Photo Illustration by Luis G. Rendon/The Daily Beast/Getty

While law professor Eric Goldman has done a thorough analysis of the many problems in the CAADC, we’ll cover just the biggest concerns.

First, despite the discussion and framing of it being “for the children,” it will impact everyone. The law applies to websites run by businesses that are “likely to be accessed” by children. Unlike the federal Children’s Online Privacy Protection Act (COPPA)—which applies to sites that are directed at children (in that bill, defined as those under the age of 13)—the “likely to be accessed” language casts a much wider net that means almost all websites will be covered by the law.

Second, the bill defines “children” and “child” as “a consumer or consumers who are under 18 years of age.” In other words, the bill treats 5-year-olds the same as 17-year-olds, despite the fact that those age groups are, obviously, extremely different. There are plenty of websites that are perfectly reasonable for high school students, but would be inappropriate for a preschooler.

Third, if your site is “likely to be accessed” by anyone under the age of 18, then you need to “estimate the age of child users with a reasonable level of certainty.” That almost certainly requires some sort of age verification system, which means that sites are going to have a limited set of privacy-intrusive options on their hands. The largest (by far) “age verification” service is actually run by the parent company behind Pornhub.

Thus, the end result of a law ostensibly designed to ‘protect children’ may, instead, result in kids having to share their information with the world’s largest porn company—one with a terrible history regarding children.

Thus, the end result of a law ostensibly designed to “protect children” may, instead, result in kids having to share their information with the world’s largest porn company—one with a terrible history regarding children.

There are some alternative age verification providers who wish to replace Pornhub’s age verification with a system that requires a facial scan with AI to estimate your age for every website you visit. Normalizing facial scans seems diametrically opposed to protecting privacy.

There are also questions about the reliability and accuracy of such technology. The age verification providers told me that to combat gaming, they may require a “liveness test,” where before you can access a site, you will be forced to take a video of yourself repeating a set of phrases to prove you’re a living person. Like a hostage video.

But none of that even touches on the main part of the bill, which would be a massive boon for privacy lawyers. Every website covered by this law would be required to produce a Data Protection Impact Assessment (DPIA) for every feature on their website. Most websites have dozens of features—things like search, advertisements, comments, sharing, etc.—and each one will require a legal analysis of how they might create “harm” for a child, including access to “harmful content” (much of which is protected under the 1st Amendment).

Notably, “harm” is not defined in the law. It seems to be left up to the imagination of California’s attorney general, who can bring claims under the law and fine companies for failures.

These DPIAs for every feature on every website need to be available within three days if the attorney general demands them. If the DPIA finds any “risk of material harm to children” (again, including on a website that is targeting adults, but is still “likely to be accessed” by anyone under 18), the site must “create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessed by children.”

It is unclear how most websites could even comply with this.

Would a website where heated debates take place need to “create a timed plan” to no longer allow such strong language? After all, if a high schooler accesses the website, it could be deemed “harmful content.” This also seems to raise some serious 1st Amendment questions, and returns us to an "unacceptably heavy burden on protected speech" that "threatens to torch a large segment of the Internet community”—as the Supreme Court noted when discarding the Communications Decency Act.

The end result is a law that covers a very large number of websites, is nearly impossible to comply with, will require privacy-invasive verification techniques, and is almost certainly unconstitutional in its suppression of protected speech. And that’s only the top of the list of problems with the bill. This article would go on too long if I got into some of the other issues.

Unfortunately, the people and organizations who would normally push back on such a bill have been mostly quiet. In probing why, I’ve been told that anyone who pushes back on this bill will get attacked for not wanting to protect children—and at a time where there have been so many headlines about children at risk online, no organization wants to deal with the public relations fallout.

But the simple fact is that this bill will do nothing to actually help children. It may actually put them at greater risk due to the privacy-invasive verification techniques. It will be a massive boon for privacy lawyers (who are directly lobbying in favor of it), and it will fundamentally change how many people interact with the web.

Got a tip? Send it to The Daily Beast here.