California’s Age-Appropriate Design Code Act threatens the foundational principle of the internet
ID 211076492 © Tero Vesalainen | Dreamstime.com

Policy Brief

California’s Age-Appropriate Design Code Act threatens the foundational principle of the internet

The AADC’s age assurance requirement erects onerous barriers that would discourage internet use and chill protected speech.

Executive Summary

In September 2022, California Gov. Gavin Newsom signed Assembly Bill 2273, the California Age-Appropriate Design Code Act (AADC). The AADC is a far-reaching law that imposes many new requirements on most businesses in California.

Among other problematic provisions, the California Age-Appropriate Design Code Act imposes on websites an age-assurance requirement. Regulated businesses are required to estimate the age of their users with “a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business.” Alternatively, they must apply those privacy and data protections to all consumers.

In December 2022, NetChoice, an association of online services and platforms, filed a lawsuit seeking to overturn the law. NetChoice argues that the California law violates several amendments of the U.S. Constitution, as well as federal law designed to protect children online.

In fact, the AADC has a host of problems:

  • The requirements of the law are vague: Age assurance is fundamentally the same as age verification, and available age-assurance methods all have significant flaws and risks;
  • Age assurance requires children and adults alike to share—with virtually every website visited—sensitive personal information like identification documents or face
    scans that, should they fall into the wrong hands, can be used for identity theft and other nefarious purposes;
  • Age-assurance processes will slow down access to any website or app, which data show causes people to avoid using them, even more so when the slowdown is caused by sharing sensitive personal information. As a result, consumers will feel like they have less access to online information, goods, and services;
  • The law does not just limit consumers’ access to commercial speech. It equally creates a barrier to accessing all forms of constitutionally protected speech. By making it harder for consumers to access their speech, the law directly chills the free speech rights of publishers;
  • Moreover, the AADC also requires age assurance for websites or apps that allow users to publish any content online. This discourages the publication of user-generated content by making it harder to do so. It especially inhibits speech that requires anonymous or pseudonymous publication;
  • U.S. courts have repeatedly rejected federal and state laws seeking to impose age verification requirements as violations of the First Amendment; and
  • As the AADC’s age-assurance requirements slow down access to online information, goods, and services, it will severely hamper the increasingly online economy and discourage new entrants in the online marketplace for ideas as well as commerce.

Imagine if, to protect children from seeing or buying potentially harmful products, you had to share your government-issued ID and wait for verification before you could enter any retail store—groceries, gas stations, liquor stores, bookstores, garden supply, etc. That would be an extraordinary invasion of your private information just to do any shopping or browsing. And of course, children should be allowed to browse stores as well, even if they are not child-oriented stores, to find the items they are looking for. It makes no more sense for online businesses than for physical stores.

Introduction

In September 2022, California Gov. Gavin Newsom signed AB 2273, the California Age- Appropriate Design Code Act (AADC), a far-reaching law that imposes many new requirements on most businesses in California. Soon after, NetChoice, an association of online firms, filed a federal lawsuit seeking to overturn the law. NetChoice argues that the California law violates several amendments of the U.S. Constitution, as well as federal law designed to protect children online. 

A number of experts, including this author, have filed amicus briefs to this case, highlighting important legal and policy issues the court should consider as it evaluates this case.

As the U.S. Supreme Court previously declared in Reno v. ACLU, the internet is a “unique and wholly new medium of worldwide human communication.”

Among its many special properties, the internet makes it easy for users to navigate seamlessly between many websites operated by unrelated entities. The Supreme Court explained that “[L]inks from one computer to another, from one document to another across the internet, are what unify the Web into a single body of knowledge, and what makes the Web unique[.]”

Among its many special properties, the internet makes it easy for users to navigate seamlessly between many websites operated by unrelated entities.

California’s Age-Appropriate Design Code Act threatens this foundational principle of the Internet.

Enacted under the pretext of protecting children’s privacy, the AADC regulates businesses that develop and provide online services, products, or features that children are likely to access. Under the AADC, businesses preparing to launch new online services, products, or features are required to prepare a Data Protection Impact Assessment detailing how the feature’s design could expose minors to “potentially harmful” materials.

The Age-Appropriate Design Code Act also prohibits these online businesses from collecting, using, or distributing a child’s personal information in any way inconsistent with “the best interests of children.”

Crucially, the AADC imposes on these businesses an age-assurance requirement. Regulated businesses are required to estimate the age of their users with “a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business,” or in the alternative, they must apply those privacy and data protections to all consumers.

In other words, businesses must choose between assuring the age of all users (both minors and adults alike) or redesigning all of their online features to treat adults as though they are children. Violations of the AADC’s requirements can result in penalties of up to $7,500 per affected child, as well as injunctive relief.

Imagine if, to protect children from seeing or buying potentially harmful products, you had to give your government-issued ID and wait for verification before you could enter any retail store—groceries, gas stations, liquor stores, bookstores, garden supply, etc. That would be an extraordinary invasion of your private information just to do any shopping or browsing. And of course, children should be allowed to browse stores as well, even if they are not child-oriented stores, to find the items they are looking for. It makes no more sense for online businesses than for physical stores.

The AADC’s age assurance requirement erects onerous barriers that would discourage internet use and chill protected speech. These barriers to online communication will change how people use the internet in ways that will hinder the internet’s utility to society—and transgress basic constitutional principles as well.

In short, the California Age-Appropriate Design Code Act severely restricts free speech and, as the Supreme Court said when ruling against an age verification requirement law in 1997, “threatens to torch” a large segment of the internet community.

Full Policy Brief—California’s Age-Appropriate Design Code Act: A Desire to Protect Children Doesn’t Produce Good Law