When does a kid become an adult? It’s an elusive question that developmental psychologists, philosophers and parents might answer differently.
But lawmakers can’t work with ambiguity. So in the late 1990s, Congress decided that — at least when it comes to surfing the web — kids are people under 13.
Last week, California legislators said: Nope. Kids are people under 18. And if Gov. Gavin Newsom signs a bill they just passed, kids under 18 in California will get many more privacy rights online.
What young people encounter on apps and the web has become a source of mounting concern for parents, fed by alarming headlines and new research. So a bipartisan group of legislators pushed forward the California Age-Appropriate Design Code Act, also known as AB 2273. Passed unanimously out of the Legislature last week, the bill could become a model for other states — or provide a roadmap for Congress, which is considering its own privacy bill.
“Social media is something that was not designed with children in mind,” said Emily “Emi” Kim, an 18-year-old who lives in Porter Ranch, near Los Angeles.
Kim splits her time being legislative director for Log Off Movement, a youth-led organization that advocated for the bill, while also attending college classes and working at Chipotle.
Here’s what the bill would do
If it gets signed into law, California businesses that provide online services or products likely to be accessed by kids under 18 would have to provide greater privacy protections by default starting in July 2024. Specifically the bill would:
- Require companies to assess potential harm in how they use kids’ data in new services or features, and create a plan to reduce the risk before the feature is rolled out.
- Prohibit companies from using kids’ information in a way that the business knows (or has reason to know) is “materially detrimental” to their wellbeing — like pushing kids to photos of skinny supermodels after they search for weight loss information.
- Generally prohibit companies from collecting, selling, sharing or keeping any personal information on a kid, unless it’s necessary to provide the service the kid is directly using.
- Ban companies from collecting, selling, or sharing precise location data for kids by default, unless it’s strictly necessary for the feature, and only then for a limited time.
- Require the product to make it obvious to kids when they are being tracked, if the company allows parents or adults to track kids online.
If some of those requirements sound vague, the bill also creates a new working group — made up of experts in kids’ data privacy, computer science, mental health and more — to make recommendations to the Legislature.
The bill would be enforced by the state attorney general, who could bring civil lawsuits that could result in penalties of up to $7,500 per kid for intentional violations.
Karla Garcia, a parent of an 11-year-old in the west Los Angeles neighborhood of Palms, supports the bill because she hopes it will rein in the algorithms that suck her son, Alessandro Greco, into YouTube. “He knows it’s an addiction,” she said of her son’s America’s Got Talent binges, which keep him from doing his homework. “Honestly, I have this fight every night with my child.”
“I want him to have his independence, but this is stronger than him,” Garcia said.
How the law has worked elsewhere
The idea was borrowed from a U.K. law, which went into effect in September 2021. Since the law passed, tech companies have made changes, including the following:
- YouTube turned off autoplay — the feature that plays videos continuously— for users under 18.
- Google made SafeSearch the default for users under 18, and stopped tracking kids’ location data.
- TikTok stopped sending push notifications to teenagers late at night. Teens 13-15 don’t receive push notifications after 9 p.m., and 16- and 17-year-olds don’t receive push notifications after 10 p.m. The company also disabled direct messages for users under 16.
Who gets to be a kid?
The bill faced pushback from lobbying organizations representing tech companies and other businesses, including the California Chamber of Commerce, Entertainment Software Association and TechNet. TechNet counts Amazon, Google, Meta (formerly known as Facebook) and Uber among its members. The organizations argued that the bill would apply to more sites than necessary.
“It’s another example of why we need a federal privacy law that includes universal standards to protect kids online instead of a patchwork of state laws that creates confusion and compliance complications for businesses,” said Dylan Hoffman, TechNet’s executive director overseeing California and the Southwest, in a statement.
One of the main changes the groups pushed for was lowering the bill’s definition of a kid from 18 to 13, as in the federal law. Then they advocated for 16, which is a threshold in a California privacy law, said Hoffman. But the business groups weren’t successful in that push.
“Any parent, to be honest any grandparent, any sister, brother, would tell you that a 13-year-old is not an adult,” said Baroness Beeban Kidron, a member of the U.K.’s House of Lords, who spearheaded the effort to pass the U.K. law, and founded of 5Rights Foundation, which sponsored the California bill. “You can’t ask a 13-year-old to make adult decisions,” Kidron said.
What happens next?
First, Newsom will decide whether he wants to sign the bill into law, or veto it. If he signs it, most of the measure’s requirements won’t go into effect until 2024.
But companies would have to start identifying and mitigating risks to children immediately, said Nichole Rocha, head of U.S. affairs at 5Rights Foundation. In other words, if the bill is signed into law, companies might start rolling out changes well before 2024.
What if companies don’t want to comply? Would the threat of a potential lawsuit from California’s attorney general be enough to prod them into action?