California bill would tighten privacy protections for minors

A proposed California law which passed the state senate this week could drastically boost online privacy protection for minors, but major platforms like Google and Meta have called the bill “too broad,” warning that the work involved in complying with the law would be onerous and have unintended consequences.

The essence of the bill, called the California Age-Appropriate Design Code Act, is that tech companies that collect data on children would be required to treat that data differently than data on other users, and to enact a range of other safeguards designed to protect children’s privacy when using online platforms.

Among the bill’s specific provisions are requirements that all optional privacy settings be set to their highest values by default for child users, all privacy information and terms of service be presented in language easy for children to understand, and to complete a data protection impact assessment before adding new services or features, to ensure that those services won’t result in harm to children.

“As children spend more of their time interacting with the online world, the impact of the design of online products and services on children’s well-being has become a focus of significant concern,” the bill stated. “There is bipartisan agreement at the international level, in both the United States and in the State of California, that more needs to be done to create a safer online space for children to learn, explore, and play.”

Critics predict unnecessary regulatory overhead

The measure is not without its critics – the California Chamber of Commerce, along with industry groups that include Google, Apple and Amazon, wrote a letter to state legislators in June, saying that the bill’s focus is over-broad and likely to create regulatory overhead for companies that the bill did not intend to target.

“’Likely to be accessed by a child’ is an overinclusive standard and would capture far more websites and platforms than necessary and subject them to this bill’s requirements,” the letter read in part. “It is also an unfamiliar standard that will present problems for companies trying to determine whether they are in the scope of the bill.”

Child privacy act to have broad impact

According to Dan Novack, chair of the New York state bar commission on media law, whatever the bill’s specific effects on regulated companies are, they’re likely to be felt widely, as California is essentially the “highest common denominator” among U.S. states where privacy is concerned.

“California is so big and services so many people,” he said. “It’s unlikely that most businesses will want to geo-filter California kids,” which means that largely everyone will move to comply with the measure, should California Governor Gavin Newsome sign it into law.

What form that compliance takes can be complex as well – huge platforms like Facebook and Google will devise their own solutions and assert compliance, but Novack said that the terms of the proposed law are quite broad, and that different companies will move to comply with the law in different ways.

“To me, the obvious concern is all the language about ‘the best interest of the child,’” he said, noting that such language is vague.