A state measure meant to increase protections for young people online is seeing pushback from some children's privacy experts.

The Age-Appropriate Design Code Act, or AB 2773, passed in the California State Senate this week. The bill limits platforms' use of personal data from people under 18, including geolocation information. It also requires platforms to enable stronger privacy settings for minors by default and restrict the use of dark patterns, or techniques that manipulate users' behavior. Violators face financial penalties of up to $7,500 per affected child.

The bill mimics kids' online safety rules implemented in the United Kingdom that went into effect in 2021. Some view the effort as an overstep, even if its purpose is well-intended.

"[The bill] ended up with a misguided implementation in a way that unfortunately comes closer to repeating mistakes of COPPA," said Adam Kovacevich, head of the Chamber of Progress, a center-left tech industry policy group, referring to the established Children's Online Privacy Protection Rule.

Aging matters

Whereas the U.K.'s safety rules only offered guidance, the U.S. bill goes a step further by treating provisions as enforceable.

For instance, the U.K. design code encourages platforms and services to create varied protective services bearing in mind children's developmental phases, while AB 2773 implements a hard cutoff of 18 years for all safety measures. The COPPA rule ushered in by Sen. Ed Markey, D-Mass., some two decades ago uses age 13 as a cutoff.

The California bill risks repeating COPPA's mistake of incentivizing tweens to lie about their age in order to bypass restrictions for using certain platforms or sites, Kovacevich said, making it a double-edged sword for kids' online safety. The bill does not require formal age verification from platforms, but it directs them to not grant certain features to kids until they are of legal age.

"Age-appropriate design rules in the U.K., I think, correctly recognize that kids are going to be online at all ages," Kovacevich said in an interview with S&P Global Market Intelligence.

Next best thing

Some industry players view the California bill's age rules as a net positive.

Ron Kerbs — CEO of software startup Kidas, which works to implement digital safeguards for children — said that under current U.S. laws, Big Tech platforms and gaming companies tend to ignore children's age when offering services online. The bill serves as a method to standardize protections for young people, regardless of their age, Kerbs said.

Pushing back on views saying that age verification is difficult, Kerbs said machine-learning techniques already utilized by tech companies and related sites are more than enough to infer the age of a user. "The social media or gaming platforms would not decide one day to stop serving kids between the ages of 13 to 18 anymore," Kerbs said in an interview.

Kerbs still sees shortfalls in the bill. He told Market Intelligence it does little to address the information kids may share with platforms. Additionally, Kerbs wishes the bill required platforms to open up their analytical techniques and data collection practices to researchers and parents.

Look-ahead

Several shortcomings of the California law may be addressed in a blanket federal privacy bill, but whether or not such sweeping legislation reaches President Joe Biden's desk this year is unknown as midterm elections approach.

The federal-level American Data Privacy and Protection Act, which is waiting for a vote in the House and Senate, would grant the Federal Trade Commission the authority to craft privacy rules and create new protections. Specifically, the bill calls for regulations that block discriminatory use of Americans' data and requires platforms such as Meta Platforms Inc. and Alphabet Inc.'s Google LLC to minimize the amount of user data collected for their products and services to function. It also grants users the ability to opt out of targeted advertising and furthers data protections for children and minors.

While the bill passed out of the House Energy and Commerce Committee, House Speaker Nancy Pelosi, D-Calif., said in a Sept. 1 statement that she did not support the current version of the bill, calling California's protections stronger. The announcement stalls the bill even further in an already polarized Congress.

The FTC in August initiated its own rulemaking to clamp down on surveillance practices. One of the topics the consumer protection agency is gathering information about is how platforms market and push content to kids.

The efforts from state and federal enforcers follow months of investigations into children's wellbeing online after a whistleblower report from a former Facebook employee. The whistleblower revealed that the company knew some young users experienced mental harm when using its platforms.

Dylan Hoffman, tech industry coalition TechNet's executive director of California and the Southwest, told Market Intelligence in a statement that the group supports the intent of the state bill but added that it must be implemented responsibly and effectively.

"It's another example of why we need a federal privacy law that includes universal standards to protect kids online instead of a patchwork of state laws that creates confusion and compliance complications for businesses," Hoffman said.

California Gov. Gavin Newsom has not yet indicated whether he will sign the Age-Appropriate Design Code Act into law.