A landmark California bill aimed at promoting children’s digital welfare became law on Thursday, as Gov. Gavin Newsom announced he had signed the legislation imposing strict requirements on websites “likely to be accessed” by kids.
“We’re taking aggressive action in California to protect the health and wellbeing of our kids,” Newsom said in a statement.
The law marks a defeat for tech giants that had spent hundreds of thousands of dollars lobbying on the bill, which establishes new prohibitions on how companies can collect and use personal data, and new requirements in their approach to children.
For example, the law prohibits the tracking of children’s geolocation, unless that data is essential for providing a website’s service, and requires websites to default to the most privacy-protective settings available for children. It bans so-called “dark patterns” that use manipulative design techniques that may dupe kids into giving up their personal information. And it requires businesses to determine the rough ages of its young users.
Companies subject to the law, known as the California Age-Appropriate Design Code Act, may not sell children’s personal data and must perform a so-called “data protection impact assessment” before offering any new service that is likely to be accessed by children.
According to a factsheet on the law shared by its supporters, the legislation covers the same range of businesses that must comply with California’s main privacy law, which is considered the toughest in the nation.
For-profit businesses that earn $25 million in revenue or more per year, or that buy or sell personal information of at least 100,000 users, or that make at least half of their revenue in a year from sharing or selling personal information, must comply with the new law if young people make up a significant share of their users, according to the factsheet.
Accountable Tech, an advocacy group that has criticized large tech platforms, called the bill’s signing “a monumental win.”
“This new law will upend the status quo and take real steps to stop pervasive surveillance, profiling, and manipulation of kids online,” said Nicole Gill, the group’s executive director. “It also will serve as a transformative model for other states and countries, so that every child is protected from Big Tech’s abuse and exploitation – not just those in California.”
Other civil society groups backing the law include the privacy advocacy organization EPIC, the Center for Countering Digital Hate, the Center for Digital Democracy and the National Hispanic Media Coalition.
But even as the law is poised to take effect in 2024, opponents, including some who’ve been critical of large tech platforms themselves, have warned it may be unworkable or even dangerous in practice.
Critics have said that in order to comply with the law’s various requirements, websites will be forced to screen users by age. That could mean asking users to hand over even more personal information, potentially including biometric data such as face scans, that they currently are not required to provide.
“It’s radical to motivate businesses to turn face scanning of children into a routine activity — especially in a privacy bill,” wrote Eric Goldman, a law professor at Santa Clara University, in a blog post Thursday.
Fight for the Future, a consumer advocacy group that has blasted Amazon, Google and other tech giants for their business practices in the past, warned Thursday the law risks harming young LGBTQ+ individuals, human rights activists, whistleblowers and journalists by making it harder to stay anonymous online.
“It’s immoral and dangerous for lawmakers to continue using children as pawns to advance poorly-drafted legislation that does more harm than good,” the group said.
Others have said the law’s expectation that businesses predict whether children may be “likely” to access their services is a departure from existing federal protections for children’s privacy, which largely kick in only when a service has “actual knowledge” they are collecting data from children.
“Few websites and apps can reasonably expect that under-18s will NEVER use their services,” wrote the longtime technology journalist Mike Masnick in a June blog post.