States Following California’s Lead on Children’s Data Privacy

Once again, the California Legislature is proving to be a pioneer in lawmaking, as several states across the country, including Maryland and New Mexico, are looking to follow the Golden State’s lead and pursue comprehensive legislation to protect the digital privacy of youths.

California Passes First-in-the-Nation Law

In September California Gov. Gavin Newsom (D) signed into law AB 2273, otherwise known as the California Age-Appropriate Design Code Act, which requires any business serving up web pages likely to be accessed by California youths to consider the children’s best interests when designing their sites.

AB 2273 was explicitly modeled after the United Kingdom’s Age Appropriate Design Code, a sweeping piece of legislation vehemently opposed by tech companies and their trade groups.

California’s law, which goes into effect on July 1, 2024, is just as controversial. In December NetChoice, the trade group representing online businesses like Google, Meta, Yahoo! and TikTok, sued in federal court to block the law’s implementation.

Still, the tech industry’s opposition apparently has done little to dull state legislators’ enthusiasm for this issue.

Several States Considering Bills Like California’s

On February 2nd New Mexico state Sens. George Munoz (D), Siah Correa Hemphill (D) and Mark Moores (R) introduced legislation (SB 319) that would require tech companies to keep the needs of young people in mind when designing their products.

Days later companion measures were introduced in the Maryland House (HB 901) and Senate (SB 844) that were virtually identical to the New Mexico bill.

“We applaud lawmakers in Maryland for joining California and other states in trying to put the necessary guardrails in place for kids online,” said Common Sense, a nonprofit organization dedicated to providing trustworthy information to children and their families, in a press release about the bills. “The movement to create healthier digital spaces for young users continues to grow and the tech industry should pay attention.

The statement went on to say: “Every day, kids navigate the internet and are faced with manipulative designs and addictive features that cause them harm. The tech industry needs to stop being allowed to just put the burden on parents to protect kids online. This legislation requires companies to address harmful practices, like utilizing recommendation algorithms and late-night push notifications, that have gone on for too long and finally prioritize the mental health and well-being of Maryland’s kids and teens.”

Bills that borrow elements from the California and U.K. laws have also been introduced in New Jersey (AB 4919/SB 3493), New York (AB 936/SB 2324 and SB 3281) and Oregon (SB 196)—and similar proposals are expected in Minnesota and Nevada.

The issue is drawing support from both sides of the aisle and in red states as well as blue. Along with the previously mentioned bills, a measure prefiled in Florida this month (HB 591) would require social media platforms to disclose to users that they employ “addictive design features” like auto play and infinite scrolling. And in Ohio, Gov. Mike DeWine (R) has proposed a budget calling for social media companies to obtain parental consent before letting those under the age of 16 access their platforms.

California’s Law Would Have Far-Reaching Implications

Authored by Assemblymembers Buffy Wicks (D) and Cottie Petrie-Norris (D) and former Assemblymember Jordan Cunningham (R), AB 2273 creates a litany of new requirements for California businesses operating online, not the least of which is a mandate to verify every visitor’s age before allowing them access to a website. 

The impact of that requirement won’t just be felt by children or by businesses that will have to change the way they operate. Age verifications will apply to all Internet users, requiring adults to suddenly become comfortable with providing their ages to countless websites.

AB 2273 also requires any business, before offering new services on its website, to complete a “Data Protection Impact Assessment” to determine what risks to children are likely to arise from the new features and how the company intends to mitigate them. Businesses are required to make the assessments available to the California Attorney General within five days of a written request.

Tech Industry Ready to Fight California Law

NetChoice, in its suit to block AB 2273, argues that the bill is overly broad and places tremendous burdens on businesses, as well as violates the First Amendment and online privacy of families. It also says that the Data Protection Impact Assessment requirements “will pressure businesses to identify distant or unlikely harms—and to self-censor accordingly.”

To drive home its point, NetChoice quotes in its complaint an August 2022 column in Techdirt by Mike Masnick, who complained that any change made to his website would likely require an assessment under the DPIA provision of AB 2273.

“Our comment system? DPIA,” writes Masnick. “Our comment voting? DPIA. Our comment promotion? DPIA. The ability to listen to our podcast? DPIA. The ability to share our posts? DPIA. The ability to join our insider chat? DPIA. The ability to buy a t-shirt? DPIA. The ability to post our stories to Reddit, Twitter, Facebook, or LinkedIn? DPIA (for each of those, or can we combine them? I dunno). Our feature that recommends similar articles? DPIA. Search? DPIA. Subscribe to RSS? DPIA.”

NetChoice is also concerned with AB 2273’s ban on the use of so-called “dark patterns.” By incorporation AB 2273 defines “dark patterns” as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation.” NetChoice says that while the term is “calculated to sound nefarious,” dark patterns really just refer to “benign and widely used features such as ‘autoplay’ and ‘newsfeed’ functions that use programmed algorithms and machine learning to recommend personalized content.”

NetChoice’s aggressive opposition to AB 2273 suggests more legal fights could be in store in other states if these bills move forward. It appears the battle over “age-appropriate design” is just beginning.

—By SNCJ Correspondent BRIAN JOSEPH 

Correction (March 17, 2023): An earlier version of this article indicated that AB 2273 applies to any business with a website likely to be accessed by California children.  The law actually applies only to businesses covered by the California Privacy Rights Act (CPRA) "that provide an online service, product, or feature likely to be accessed by children." The CPRA defines a covered business as a "for-profit entity doing business in California that collects personal information of California residents and meets specific threshold criteria."

Please visit our webpage for more information on the bills mentioned in this article or to speak with a State Net representative about how the State Net legislative and regulatory tracking solution can help you react quickly to relevant legislative and regulatory developments. 

Children’s Data Privacy Bills Introduced in Ten States

At least 10 states have introduced legislation this year aimed at protecting children’s privacy online, according to data compiled by the National Conference of State Legislatures and other sources. Several of the bills are modeled after the children’s data privacy law passed in California (AB 2273) last year.