An Interview Regarding AB 2273/the California Age-Appropriate Design Code (AADC)

I did a media interview regarding AB 2273 that I thought was worth sharing here. For more on the bill, see my prior coverage:

Can the existing UK Age-Appropriate Design Code tell us anything about what AB 2273 might look like in practice?

Not much. The UK’s regulatory environment differs dramatically from the US. Two key differences. First, many UK regulations expect businesses and government agencies to cooperate to develop and implement the rules. This allows the UK to enact rules that are not very detailed or specific because the regulators will accept businesses’ good-faith efforts towards compliance, even if the business is not fully compliant. That model differs radically from the US, where such cozy business-regulator relationships are highly disfavored and usually legally prohibited. Second, the UK does not have the Constitutional limits that apply in the US. So it’s likely that the rules permitted in the UK are not permitted in the US. This means any “lessons learned” in the UK do not extend to the US because the law literally cannot be implemented in the same way.

At least one blogger fears that the law might lead to intrusive age verification. Do you think those fears are valid?

Businesses could always “dumb down” their offerings so that adults are treated like children. The bill even encourages that. Assuming businesses do not want to intentionally degrade their value proposition to adults, then they have no alternative other than to authenticate the age of all of their customers and then segregate adults from children, with different offerings for each.

[Terminology note: age assurance is functionally a euphemism for age authentication. There are minor differences that have no important legal consequence.]

I understand that the alternative to such face scanning would be some sort of widespread data collection. What might that entail?

If age authentication isn’t done through a review of the user’s face, then typically users must present documents that authenticate their ages. That could include things like driver’s licenses or other government-issued documents that contain substantial additional sensitive personal information beyond the person’s age. That creates a different, but not less problematic, vector for privacy and security violations.

Do you think websites might try to get around the law by geoblocking, as currently happens with respect to GDPR?

I doubt it. The bill applies to businesses that “do business in California.” Many major businesses will have to comply with the law because they in fact do business in California. If they don’t do business in California, they can ignore it. The only circumstance where it would make a difference is if having an online presence causes a business to “do business in California” where it would not otherwise qualify. In those circumstances, it could be advantageous to geoblock California, but only if the risk management is more valuable than the loss of revenue. Plus, given the imperfections of geoblocking, it may be safer and more reliable to just do age authentication.

Trying to evade California law is also short-term thinking. As a practical matter, other states will copy California’s template, so businesses will face the same obligations across the nation unless the law is stopped.

Whom do you think (if anybody) would actually benefit from AB 2273?

The bill’s winners are few and far between, and definitely not the constituents that the California legislature should be trying to help. I’m sure the age authentication industry is ecstatic about the government mandating that the entire California economy must adopt their technology. I imagine a few privacy lawyers will send their kids to even more expensive private schools based on the profits they make from providing compliance services. I’m sure the cybercriminals and enemy foreign governments are licking their chops contemplating how the California legislature has made it easier for them to steal personal information from insufficiently secure authentication services.

We can say with confidence that consumers–i.e., California’s voters–will be completely screwed by this law. As for children, most services will simply close their doors to them rather than gamble on the liability imposed by the law. As a result, the Internet will shrink dramatically for California children. A degraded Internet does not provide the foundation that California children need to acquire the digital competence essential for their long-term personal and professional success. As for adults, they will be irritated by the constant requirements to authenticate their ages, especially by sites they aren’t sure if they should trust or not. As a result, adults will curtail their online activities to sites they know and trust, and they will not be willing to explore new or unknown services. The Internet will become less useful for them.

This is why I call the bill a “neutron bomb” for the Internet. It will depopulate the Internet and turn many services into ghost towns.