California’s online privacy bill for kids would force tech companies to redesign services

California’s Legislature passed the Age-Appropriate Design Code Act this week. The bill would add design and age-verification requirements for apps and websites likely to be used by kids under the age of 18.

Marketplace’s Kimberly Adams discusses it with Jen King, a privacy and data policy fellow at Stanford’s Institute for Human-Centered Artificial Intelligence. The following is an edited transcript of their conversation:

Jane King: The key thrust of the bill is to get companies to redesign the way they present their products and services for children. This could also have an impact on how they present their services to adults as well. But the core area that it’s proposing to do is to really focus on the privacy part of things. And so one of the major goals is to make sure that the highest level of privacy settings are available to kids by default.

Kimberly Adams: Some of the critics of this bill say that it would open the door to more sensitive data collection, when kids are going through that user-verification process. How much of a concern is that?

King: The fact that here in the US, the arguments against it so far have focused so heavily on just the age-gating issue — that’s essentially a gate like you might imagine at an amusement park, and if you don’t reach the height requirement, you don’t get in. Same thing here, if you’re not over the age of 18, then you can’t actually enter a site — I think misses this larger point of what the design changes are that this bill may bring up and may force companies into adopting.

Adams: What are some of the design changes that this bill could force companies into adopting?

King: This bill is really focused primarily on issues of privacy by design. That is the idea that companies actually think about privacy from the moment they’re designing a product and not at the final stages of implementation. And what a bill like this could potentially do, is to really empower the designers at these companies to start thinking about how to better design their products and services in a way that ensures both privacy but potentially also thinks about the ways in which we engage with these things in an unhealthy manner.

Adams: If this legislation was signed into law by Gov. Gavin Newsom, the law would take effect starting in 2024. So between now and then, what kind of changes might we see on websites and apps?

King: Looking to what we’ve already seen happen in the UK is the best example. Some of the features that have been under attack on the large platforms for potentially promoting addictive or compulsive behavior, some of those features have disappeared in UK versions of these products and services, such as YouTube’s Autoplay. That’s now off by default.

Adams: Now, this is a California-specific measure, but what does it mean for the rest of the country?

King: Well, that’s a very interesting question because we now have two privacy laws on the books here in California. And yet, so far, what we’ve seen is that when the companies that are affected by this law in California interact with consumers, for the large part, they are checking the consumers’ [Internet Protocol] address when they visit the site to exclude non-Californians from the impact of our new law, like the CCPA, the California Consumer Privacy Act. So if you’re visiting a California-based website from North Dakota, you’re not likely to see the different privacy notices that are now in place that Californians see. So for the most part, while I think there was a lot of assumptions that the passage of our privacy bill in California would lead to higher levels of privacy for everyone, that hasn’t been the case. That said, this is a bill that has a possibility of not just being something where people can ply around the edges — I mean, I think they can — but I think it really could shift fundamental design principles and the way companies approach and design their products and services. That’s something that’s much less likely to be filtered through someone’s IP address because you may finally just decide that offering multiple versions of your product across the country just doesn’t make financial sense.

Here is the entirety of the California Age-Appropriate Design Code Act.

For a breakdown of the legislation that’s a bit easier to read, the legal website JD Supra has a nice explanation of which companies are covered under the act and what they can and can’t do.

The New York Times has a look at the debate around the scope of the California bill and how it plays into a larger push for federal online privacy legislation.

And finally, Axios has a story about how the tech industry has been working to shape privacy legislation in California, including by spending hundreds of thousands of dollars to lobby state leaders.

Leave a Comment

Your email address will not be published.

%d bloggers like this: