A California Law Designed To Protect Children’s Digital Privacy Could Lead to Invasive Age Verification

While the California Age-Appropriate Design Code Act was hailed as a victory for digital privacy, critics warn of a litany of unintended consequences.

The California Age-Appropriate Design Code Act was signed last month by California Gov. Gavin Newsom (D). The law requires that online businesses create robust privacy protections for users under 18.

However, critics of the law have raised concerns about its vague language, which leaves unclear what kinds of business might be subject to the law’s constraints and what specific actions companies must take to comply with the law.

For instance, due to the law’s strict age requirements, online businesses may resort to invasive age verification regimes—such as face-scanning or checking government-issued IDs. While digital privacy protections are important, particularly for children, California’s Age-Appropriate Design Code Act could have unintended consequences in its vague, sweeping attempt to accomplish that end.

The law applies to any “business that provides an online service, product, or feature likely to be accessed by children” and mandates that these businesses act in the “best interests of children.” Tech companies must conduct a rigorous Data Protection Impact Assessment, judging whether their products have the potential to “harm” children. Further, businesses must estimate the age of child users, configure children’s default settings to have a high level of privacy, and provide and enforce privacy policies and other information in child-friendly language. The law also mandates that businesses make it obvious to children when they are being monitored or location-tracked (by a parent, guardian, or any other consumer) and provide accessible means for children or their guardians to report privacy concerns.