A Short Explainer of How California’s Age-Appropriate Design Code Bill (AB2273) Would Break the Internet
It’s “burn-down-the-Internet” week on the blog, during which I will recap three bad California bills that the California legislature is poised to enact. Today’s bill is AB 2273, the most pernicious of the three. It’s styled as a “protect kids online” bill, but instead it would counterproductively put kids and adults at greater risk and would break the Internet’s architecture. For background on the bill and its voluminous problems, see this lengthy blog post. A quick summary of the bill’s lowlights:
* * *
Though this bill claims to protect children, the bill will affect the Internet usage of both adults and children. By requiring age authentication of all users, the bill would change the Internet’s fundamental architecture from an environment where we freely transit the Internet to one where everyone must authenticate their age every time they go to a site.
This dramatic and structural change to the Internet’s architecture has numerous downsides, including: (1) it adds barriers to using web services, which reduces people’s willingness to use services at all and degrades the Internet’s vibrancy, (2) it imposes substantial costs on every regulated service, which will drive some services out of the industry, (3) the age authentication process will create new privacy and security risks for all users, including the children who the bill is supposed to be protecting, and (4) to the extent that identity verification is deployed alongside age verification (which is the only way for a service to avoid repetitively authenticating the same person’s age), then it exposes users to even greater privacy and security risks and eliminates unattributed browsing, which hurts minority populations and hinders the production of socially valuable criticism and whistleblower disclosures.
Furthermore, the bill’s liability schemes cannot be managed or mitigated. The only profitable approach for businesses is to screen for users’ age and categorically deny services to any minors, period. So the Internet would likely shrink in size and quality for minors (this also happened with COPPA). This would severely hurt California’s youth. The Internet is an essential part of their maturation process and their vocational future, but they would be able to use only a small fraction of its resources to develop the necessary skills and knowledge while in school.
The delegation of additional work onto the California Privacy Protection Agency (CPPA) contradicts the voters’ clear instructions. Voters wanted the CPPA to focus on the CPRA, including developing rules on a timely basis. The CPPA cannot meet the voter-directed schedule. Furthermore, voters directed the CPPA to focus on privacy matters, but the bill would task the CPPA with non-privacy matters. Thus, the bill asks the CPPA to undertake work it doesn’t have the capacity to do, using expertise it doesn’t have.