The ADCA does include a carve-out, stipulating that if a site or app affords a high level of data protections (eg, it doesn’t sell user data, doesn’t use targeted ads), it doesn’t need an age- estimation mechanism at all.
Let’s say there’s a website called Fake-website.com. If Fake-website.com is found to have a “significant” number of routine visitors who are teenagers, then it would be subject to regulatory control under the ADCA. At this point, Fake-website.com has two options: If it uses targeted ads or sells users data, then it would have to install an age estimation mechanism, like a prompt for users to enter their birthday, so that it does not offer targeted ads to users who identify themselves as under 18. Fake-website.com then can’t use the user data point (their birthday) in any other way, and must delete it as soon as possible. If it does not use targeted ads or sell users’ data, then there’s nothing more to be done. Supporters say that the relevant clause (“apply the privacy and data protections afforded to all children to all consumers”) is the heart of the bill, and the mechanism by which the ADCA could actually incentivize making the internet safer for all users.
That is, if it can be enforced. Others worry that the bill’s ambiguities, including the age estimation clause, are too vague to be implemented at all. “My guess is it will probably just be ignored by tech companies,” says Justin Brookman, the director of technology policy at nonprofit Consumer Reports. “It feels like sloppy policymaking.”
Supporters, however, say that the ambiguity is purposeful. The law will create a new regulatory agency tasked with hammering out the bill’s specifics, including the age-estimation requirement. It’s meant to work with companies on a case-by-case basis to determine how they might comply with the law, which would go into effect in July 2024.
The ADCA is not without precedent—the bill is modeled after similar UK legislation that went into effect in 2021. It’s unclear whether the UK Design Code has had much impact. It has yet to be enforced, despite being enforceable for a year. The country’s information commissioner, John Edwards, told Bloomberg that his office is “looking into how over 50 different online services are complying with the code.”
While Governor Newsom has not yet given a public stance on the ADCA, he’s expected to sign it, which he must do by the end of September. Once enacted, the bill could have further-reaching consequences than just the kids of California. Although the law is enforceable only for users and businesses based in California, companies might opt to offer higher data protection privacys for all kids, rather than geofencing protections for California. For example, when Europe passed GDPR, Microsoft chose to extend GDPR’s protections to all users.
As Wicks put it in a press conference on Tuesday: “It is my absolute hope that if this bill gets signed into law, it will become, effectively, the law of the land.”