OK, so the headline is a bit of a hook because at this point, it is only a bill, but if it passes, it will be a nightmare for anyone who does business in California, which is good for my company, bad for everyone else. While this is not in my personal best interest, I hope the bill does not become law.
CA AB 2273 pretends to protect children and that is good in an election year. Who could be against motherhood, apple pie and protecting the children?
If passed, websites will, unless they can show that they are not attractive to kids, have to verify the age of everyone who visits the website.
That means that businesses will need to collect personal data (and keep it) for everyone who visits their website. It also means no more anonymous web surfing because they won’t be able to tell your age if they don’t know who you are.
It is also based on a UK age appropriate law. In Europe, you can get an A if you try hard, even you don’t succeed. In the U.S., you can get an F, even if you do succeed. That will be a problem.
The bill also delves into content moderation, which would turn the California Privacy Protection Agency into the California Internet Regulator Agency.
Some pieces of the bill:
It applies to business that provide an online services or feature likely to be accessed by a child – whatever that means. A child is anyone under 18, so that means you have to treat a 5 year old and a 17 year old the same. Under the current law, COPPA, businesses are affected if they KNOW that users are under 13 or specifically direct their services to those under 13. If it is reasonable to expect that one person, aged 17 years and 364 days will visit your website, you must comply.
It says that businesses should consider the best interests of children in the design of their website. SHOULD? That is different than must. This will keep lawyers employed for a long time.
The bill also tries to say that businesses owe a duty of loyalty or a fiduciary duty to their customers. Other than certain financial advisors, accountants, lawyers, etc. this does not exist today. Great for lawyers, not so good for businesses.
It would require businesses to do a data protection impact assessment. We do those. It is not cheap because it is a lot of work.
Establish the age of consumers with a reasonable level of certainty. How do you do that? What is reasonable?
Configure default settings to a “high level of privacy protection”. No more collecting or selling data. There goes that business model. And what is a high level, anyway?
This feature might be good. Disclosures must use language that is age appropriate, so maybe we could all understand that legalese on web sites.
Provide an “obvious signal” if parents can monitor their kids’ activities online. Huh? How?
Enforce published terms, policies and community standards – not just for kids.
And it goes on for a long time.
The good news is that this is not law yet. If you do business in California, you probably need to watch this bill. If you live there, get involved.
Credit: Professor Eric Goldman