Headline
The US May Soon Learn What a ‘Kid-Friendly’ Internet Looks Like
The California Age-Appropriate Design Code would launch a huge online privacy experiment. And it won’t just affect children.
No one would describe the internet as “kid-friendly.” Parents fret over how to keep their kids safe from the internet’s myriad dangers, from bullies to predators to surreptitious surveillance. A new California bill is poised to remove some of the burden from parents—and force tech companies to take more responsibility to protect kids online.
This week, the California legislature voted unanimously to pass the California Age-Appropriate Design Code Act. Once Governor Gavin Newsom signs the bill into law, the code will require sites and apps that serve users under 18 to “consider the best interests of children when designing, developing, and providing” their products. The ADCA could be the United States’ biggest step toward comprehensive online protections for kid users yet.
The ADCA comes amid growing scrutiny of the time kids spend online, what kind of data is collected about them, and how all that screen time might cause harm. Buffy Wicks, a Democrat spearheading the bill and parent of two young children, says the bill isn’t meant to clamp down on young people’s internet experience. “I am raising digital natives and children who are comfortable being online,” she says. “I feel it’s our moral obligation to keep them safe as they learn and grow.” Tech companies, on the other hand, are not financially incentivized to design a healthy, data-protective internet for kids.
The ADCA’s main pillars regulate the privacy policies of any company whose web products serve users under 18. These companies would be required to offer a high level of privacy for child users by default. If parents, say, don’t want their children to receive messages from a stranger over a social media platform, they shouldn’t have to click around for a tiny “settings” tab; that option should already be turned on. It also aims to give kids more digital agency over their internet exploration. Companies would be required to offer transparent information on their privacy policy in kid-friendly language and allow kids to log their privacy concerns with the company.
If enacted, the law would also impose stricter rules around what companies can and can’t do with kids’ personal information. Under the legislation, companies wouldn’t be able to collect or share data beyond what’s strictly necessary for the site to function. They would have to complete a “Data Protection Impact Assessment,” a survey that would basically force them to detail how kids’ data will be used. They would also have to disclose whether the product uses addictive design mechanisms, like autoplay or gamified nudges that reward spending more time on an app.
Most notably, the bill would apply to sites and apps that aren’t specifically directed at children, but are “likely to be accessed by” them. That means the regulatory controls will extend beyond the usual suspects of mobile games or teen social media hubs. The rules could apply to, among other sites, Google Search, retail sites, and news websites like this one. If a company violates the ADCA, they have 90 days to come up with a fix, or the California Attorney General’s office could exact a fine of up to $7,500 per affected child.
Supporters say that the ADCA would compel tech firms to proactively design products that protect children, rather than reacting to harms they’ve already inflicted. “It’s not meant to fix a problem after the fact,” says Nicole Gill, cofounder and executive director of the nonprofit Accountable Tech. “It’s meant to encourage design that is safe and healthy and fosters a safe experience online for kids.” Accountable Tech supports the bill, along with organizations like Common Sense, Fairplay, and the American Academy of Pediatrics, California.
The status quo for kid safety on the internet is universally disappointing. A recent study by software company Pixalate found that thousands of kid-directed apps transmit users’ GPS data and residential IP addresses to ad companies. The habit-forming nature of social media apps has raised concerns about the relationship between social media and teens’ mental health. The primary law governing kids’ privacy online is COPPA, the federal Children’s Online Privacy Protection Rule. But COPPA, which Congress has updated only a handful of times since 1998, has a limited reach: It applies only to sites and apps directed to children under the age of 13. The ADCA, which applies both to anyone under 18 and to online products that are “likely to be accessed by children” but may not be specifically directed to children, would be far more expansive.
Some of the bill’s critics argue that the ADCA’s scope is overinclusive. Opponents include the video game trade group Entertainment Software Association and Technet, a group whose members include Google, Meta, and Snap. The News/Media Alliance has also lobbied against the bill, citing concerns that it would raise the cost of publishing news online. (Condé Nast, WIRED’s parent company, is a member, and its CEO sits on News/Media Alliance’s board.)
The bill outlines several indicators for what might constitute a site’s “likelihood” of being accessed by children, including some clear-cut indicators, such as whether a site features advertisements targeted to kids. But other indicators are ambiguous, like whether a site is “routinely assessed by a significant number of children.” (How often is “routine,” and what number is “significant”?)
Critics have particularly seized on the ADCA’s requirement that companies “estimate the age of child users with a reasonable level of certainty.” The bill itself does not lay out how companies ought to estimate the age of child users. So how could that work? Will online services start asking users to furnish driver’s licenses or credit cards, as some critics have stated? Doesn’t estimating age invite more data collection, not less?
Supporters of the bill say that age estimation methods don’t have to be invasive. A report from the 5Rights Foundation, which sponsored both the California and UK Design Codes, suggests that users could, for example, self-report birthdays, use a third-party age assurance provider, or complete a “capacity test” (solving a puzzle that helps indicate an age range). Companies that absolutely need to verify that their users are adults, like dating sites, would ask for hard identifiers like driver’s licenses. Under the ADCA, companies will also be allowed to build a profile of all users’ online activity or keep the online profiles of users they already have—but these data profiles can be used only to estimate a user’s age. The age estimation profile cannot be kept longer than necessary or used in any other way. But it’s unclear how regulators would enforce these aspects of the statute.
The ADCA does include a carve-out, stipulating that if a site or app affords a high level of data protections (e.g., it doesn’t sell user data, doesn’t use targeted ads), it doesn’t need an age-estimation mechanism at all.
Let’s say there’s a website called Fake-website.com. If Fake-website.com is found to have a “significant” number of routine visitors who are teenagers, then it would be subject to regulatory control under the ADCA. At this point, Fake-website.com has two options: If it uses targeted ads or sells users data, then it would have to install an age estimation mechanism, like a prompt for users to enter their birthday, so that it does not offer targeted ads to users who identify themselves as under 18. Fake-website.com then can’t use the user data point (their birthday) in any other way, and must delete it as soon as possible. If it does not use targeted ads or sell users’ data, then there’s nothing more to be done. Supporters say that the relevant clause (”apply the privacy and data protections afforded to all children to all consumers”) is the heart of the bill, and the mechanism by which the ADCA could actually incentivize making the internet safer for all users.
That is, if it can be enforced. Others worry that the bill’s ambiguities, including the age estimation clause, are too vague to be implemented at all. “My guess is it will probably just be ignored by tech companies,” says Justin Brookman, the director of technology policy at nonprofit Consumer Reports. “It feels like sloppy policymaking.”
Supporters, however, say that the ambiguity is purposeful. The law will create a new regulatory agency tasked with hammering out the bill’s specifics, including the age-estimation requirement. It’s meant to work with companies on a case-by-case basis to determine how they might comply with the law, which would go into effect in July 2024.
The ADCA is not without precedent—the bill is modeled after similar UK legislation that went into effect in 2021. It’s unclear whether the UK Design Code has had much impact. It has yet to be enforced, despite being enforceable for a year. The country’s information commissioner, John Edwards, told Bloomberg that his office is “looking into how over 50 different online services are complying with the code.”
While Governor Newsom has not yet given a public stance on the ADCA, he’s expected to sign it, which he must do by the end of September. Once enacted, the bill could have further-reaching consequences than just the kids of California. Although the law is enforceable only for users and businesses based in California, companies might opt to offer higher data privacy protections for all kids, rather than geofencing protections for California. For example, when Europe passed GDPR, Microsoft chose to extend GDPR’s protections to all users.
As Wicks put it in a press conference on Tuesday: “It is my absolute hope that if this bill gets signed into law, it will become, effectively, the law of the land.”