Minnesota’s Attempt to Copy California’s Constitutionally Defective Age Appropriate Design Code is an Utter Fail (Guest Blog Post)
by guest blogger Jess Miers, Legal Advocacy Counsel at Chamber of Progress
[Eric’s intro: last year I blogged about Minnesota’s flirtation with mandatory age verification. That proposal died, but it’s a new year and legislatures around the country are back with a bumper crop of proposals to kill the Internet.]
This year is a glaring reminder of the consequences of passing terrible Internet policy through state legislatures. Despite the California Legislature’s blunder last year with AB 2273 (the Age Appropriate Design Code), many states, including Minnesota, are stubbornly pushing for nearly identical laws.
The MN AADC bill was included in the House Commerce omnibus bill but not in the Senate commerce omnibus bill. Recently, the Senate Judiciary Committee heard the bill for informational purposes. The bill is currently pending approval by both chambers.
If passed, the bill goes into effect July 1, 2024 with the first round of DPIAs due July 1, 2025. Enforcement is limited to the MN AG. Since this bill is substantially similar to the California AADC, I recommend reading Eric Goldman’s post for more in-depth coverage. I will reiterate some of the major lowlights in this post.
Towards the end of last year, NetChoice mounted a constitutional challenge against the California AADC (NetChoice v. Bonta). Among their targets were the Data Protection Impact Assessment requirements, which NetChoice argued amounted to prior restraint and compelled speech. Additionally, NetChoice challenged the overbroad, vague, and undefined terms such as “materially detrimental” and “best interest of children,” as well as the burdens placed on interstate commerce and the potential preemption of COPPA and Section 230.
The District Court is scheduled to hear oral arguments in the Bonta case on July 27th. Given the outcome of this case may set an important legal precedent for future AADC laws, other states might be wise to pause their legislative efforts.
Bill Requirements
Identical to the California AADC, the bill applies to a “business that provides an online service, product, or feature likely to be accessed by a child.” “Child” is defined as any user under 18. As Eric Goldman put it, “the bill treats teens and toddlers identically.”
The bill describes the following obligations for in-scope businesses:
Data Protection Impact Assessments. Produce and maintain data protection impact assessments (DPIAs) before launching any new products, services, or features that are likely to be accessed by a child. The DPIAs must: “document any risk of material detriment to children that arises from the data management practices of the business identified in the data protection impact assessment.” Businesses must also turn over DPIAs within five days of a request from the AG.
Any website can be accessed by a child and all websites carry a nonzero risk of harm to children. Hence, DPIA requirements effectively operate as a prior restraint on speech, chilling Internet services from developing new products and features—even products and features that could materially benefit and improve safety for children—to avoid future litigation risks associated with their DPIAs. In an attempt to address this concern, Minnesota offers some protection by maintaining the confidentiality of information subject to attorney-client privilege. However, this safeguard is insufficient in practice as not all DPIA-required information falls under this privilege, and judges can choose to waive-in certain privileged information for discovery purposes. Plus, DPIAs pose potential security risks due to the sensitive and confidential nature of the information contained within the reports. The information could be leaked or mishandled by the businesses conducting the assessments or the AG.
Indeed, requiring online services to disclose information raises several First Amendment concerns, as discussed here. Furthermore, if Internet services are obligated to provide DPIAs to the state without due process, the AADC may enable unlawful searches in violation of the Fourth Amendment.
Mandatory Age Verification. Implement age verification measures to “estimate the age of child users with a reasonable level of certainty,” but a service must also not use “any personal data collected to estimate age or age range for any purpose” other than to fulfill the age assurance requirement.
Default Privacy Settings. “Configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.” Similar to California, it remains unclear what this provision actually requires as “high level” of privacy is left undefined.
Enforcement of Terms. “Enforce published terms, policies, and community standards established by the business, including but not limited to privacy policies and those concerning children.” Like California, MN’s intention to extend their data protection goals to protected publication decisions is evident. By mandating TOS enforcement, states can effectively gain unprecedented access to an online publisher’s editorial decisions. This means that if a state suspects an Internet service of deviating from its stated terms, it can invoke the AADC to compel the service to align with the state’s preferences, essentially giving the state a free pass to interfere with the service’s editorial discretion.
Dark Patterns. Avoid using dark patterns to “lead or encourage children to provide personal data beyond what is reasonably expected to provide that online service, product, or feature to forego privacy protections, or to take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health, or well-being.” All websites carry some risk of negatively impacting a child’s well-being. Businesses’ cannot determine how their services might affect a specific child.
Implications & Constitutional Defects
The problems with this bill are substantially identical to California’s. Some additional concerns below:
AADC Laws Are Still Facially Unconstitutional. As outlined in NetChoice v. Bonta, AADC laws impermissibly interfere with editorial discretion, compel speech, burden interstate commerce, and grant the State unlimited authority to define and enforce vague requirements imposed by the law. In other words, AADC laws structurally conflict with the constitution, and this bill is no exception.
AADC Laws Impermissibly Interfere with Parental Rights: The Supreme Court has long held that parents possess a constitutional liberty to control the upbringing of their children. Hence, substantive due process issues may arise when the state interferes with a parent-child relationship. AADC interferes with parents’ ability to choose how their children experience the web by requiring businesses to make generalized assumptions about age-appropriate content, precluding parents from making those decisions themselves.
Mandatory Age Verification Puts Everyone at Risk (especially kids). At least in the U.S., “age assurance” and “age verification” are synonymous. There is no way for a business to guess the age of a child with “reasonable certainty” without collecting highly sensitive and personally identifying information (such as facial recognition) from all users. Indeed, the very same policymakers who criticize Internet companies for potentially endangering children are mandating that these same companies collect and store even more sensitive information about minors.
Further, the penalty for incorrectly estimating a minor’s age outweighs any interest in preserving access to information. Chamber of Progress’ amicus brief supporting NetChoice in California highlights that AADC laws, including Minnesota’s, only encourage websites to restrict or eliminate crucial resources for kids, particularly those from marginalized communities. This is especially problematic for young people caught in the middle of the right-wing culture wars. For instance, LGBTQ+ teens living in conservative states may be unable to access information and resources about their sexuality or gender-affirming care; teens in need of life-saving reproductive health information may be prohibited from accessing any such information deemed age-inappropriate; and underprivileged children who rely on the Internet to supplement their educational needs may be adversely affected by AADC laws.
Conclusion
Minnesota parents and taxpayers have reason to be outraged by their legislature’s actions, which appear to run counter to their interests. Worse, in light of the similar flaws identified in the NetChoice case, it seems likely that AG Keith Ellison will face an expensive legal challenge on his home turf.
Click on the image to see the animation
Prior AADC coverage:
- Do Mandatory Age Verification Laws Conflict with Biometric Privacy Laws?–Kuklinski v. Binance
- Why I Think California’s Age-Appropriate Design Code (AADC) Is Unconstitutional
- Five Ways That the California Age-Appropriate Design Code (AADC/AB 2273) Is Radical Policy
- Some Memes About California’s Age-Appropriate Design Code (AB 2273)
- An Interview Regarding AB 2273/the California Age-Appropriate Design Code (AADC)
- Op-Ed: The Plan to Blow Up the Internet, Ostensibly to Protect Kids Online (Regarding AB 2273)
- A Short Explainer of How California’s Age-Appropriate Design Code Bill (AB2273) Would Break the Internet
- Will California Eliminate Anonymous Web Browsing? (Comments on CA AB 2273, The Age-Appropriate Design Code Act)
Pingback: Privacy Law Is Devouring Internet Law (and Other Doctrines)...To Everyone's Detriment - Technology & Marketing Law Blog()