Can you prove no one under 18 uses your app?
If you follow tech news you might already be aware of California Age-Appropriate Design Code Act. The bill is intended to flip the baseline for kids online; making digital service providers responsible for providing maximum protections as default, and preventing kids from accessing content or tools that might harm or upset them. While the goal sounds noble, the law casts a net wide enough to make things like comment systems, peer-to-peer communication, advertising and data collection, or sharing disturbing news content illegal if kids can access it. If you can conceive of a possible harm, you must prevent it from happening. It is modeled on a proposal that has stalled in the UK, and is championed in California by baroness Beeban Kidron, a member of the UK House of Lords.
Having passed in both houses of the California legislature, the bill is inches away from becoming law. While backed by child privacy advocates, it gets poor marks from lawyers for its lack of clarity, from internet advocates who fear it harms adults online more than it protects children, and from the tech industry because it is unclear how a business can possibly comply.
The obvious unintended consequence is that companies will either need to implement a robust (no, you can’t take their word for it) age-gating and identity verification system so that you can keep adults and minors separate, or re-engineer your service to “prioritize the privacy, safety and well-being of children over commercial interests” (where ”children” means everyone unless you prove otherwise). This will be an industry-wide issue, and you can count on the 17 year olds to make the program a challenge. Think that through: you’ll need to robustly confirm the age, and consequently the identity of every one of your users in some verifiable way.
This is a BIG DEAL, and while we support privacy protections for children we cannot support a bill this vague that indirectly mandates the universal collection and verification of age and identity.
The law borrows some from California’s other privacy laws in that the smallest companies have more latitude to comply, but the mandated privacy assessments (for every new feature) will eventually burden any firm with a growth plan. You can read more about the bill and its ramifications in the New York Times or on Techdirt, or let us know what you think / ask questions in the links below.
