The US may soon learn what a ‘kid-friendly’ internet looks like

The ADCA includes a disclaimer, stating that if a site or app offers a high level of data protection (e.g., it doesn’t sell user data, doesn’t use targeted advertising), it doesn’t need of an age- estimating mechanism at all.

Let’s say there is a website called Fake-website.com. If Fake-website.com is found to have a “significant” number of routine visitors who are teenagers, then it would be subject to regulatory scrutiny under the ADCA. At this point, Fake-website.com has two options: if it uses targeted ads or sells user data, it will need to install an age estimation mechanism, such as a prompt for users to enter their birthday, so that it does not serve targeted ads to users who identify as under 18. Fake-website.com then cannot use the user’s data point (their birthday) in any other way and must delete it as soon as possible. If it’s not using targeted ads or selling user data, there’s nothing left to do. Proponents say the relevant clause (“apply the privacy and data protection afforded to all children to all consumers”) is at the heart of the bill and the mechanism by which the ADCA could actually push for making Safer internet for all users.

That is, whether it can be applied. Others worry that the bill’s ambiguities, including the estimated age clause, are too vague to implement. “I guess it will probably just be ignored by tech companies,” says Justin Brookman, director of technology policy at nonprofit Consumer Reports. “It looks like shoddy policy.”

Proponents, however, say the ambiguity is deliberate. The law will create a new regulator to spell out the details of the bill, including the age estimate requirement. He is supposed to work with companies on a case-by-case basis to determine how they might comply with the law, which would come into force in July 2024.

The ADCA isn’t unprecedented – the bill is modeled on similar UK legislation that came into force in 2021. It’s unclear whether the UK Design Code has had much of an impact. It has not yet been applied, although it has been enforceable for a year. The country’s Information Commissioner, John Edwards, said Bloomberg that his office “examines how well more than 50 different online services comply with the code”.

Although Governor Newsom has yet to take a public position on the ADCA, he is expected to sign it, which he must do by the end of September. Once enacted, the bill could affect more than California children alone. Although the law only applies to California-based users and businesses, businesses may choose to offer higher data privacy protections for all children, rather than geofencing protections for California. For example, when Europe adopted GDPR, Microsoft chose to extend GDPR protections to all users.

As Wicks said at a Tuesday press conference, “I have absolute hope that if this bill is passed into law, it will indeed become the law of the land.”

Comments are closed.