Skip to main content

The California Effect Seen Through Children’s Online Privacy

After unanimous approval by the California Legislature, Gov. Newsom recently signed into law AB 2273- California Age-Appropriate Design Code Act, requiring businesses providing online services for children under 18 to enhance privacy protections. This comes after months of deliberation in Congress on two bills similarly targeting children’s online privacy. Taking effect in 2024, the new law requires businesses to take extra precautions if a website is likely accessed by children. It requires businesses to perform data protection impact assessments to help assess potential risks and prohibits the unnecessary collecting, selling, or sharing of children’s personal information. As the first mover on the issue, the law coming out of Sacramento will likely set the tone for future efforts to protect children’s privacy and safety online.

California Effect

Many California businesses will likely satisfy these additional restrictions and requirements due to the stringency of the law, but whether this will influence businesses operating outside California or other state legislatures to embrace these measures, and to what extent, is uncertain. The influence of California’s laws beyond its own state borders has historical precedent, most notably exemplified in California’s regulation of car emission standards in the 1970s. When California adopted stricter rules than the national Clean Air Act standard, about a dozen states adopted California’s measures, as did automobile manufacturers throughout the entire country. Furthermore, when the European Union considered its own standards, German car manufacturers who had already complied with California advocated for higher standards to retain a competitive advantage. A phenomenon known as the “California Effect,” coined by University of California at Berkeley professor David Vogel, explains why standards introduced in California often become the standard across U.S. states. Similar to the “Brussels Effect,” the California Effect happens when businesses choose to offer products within the confines of the most stringent regulation, rather than adapting their products for different markets. It can be simpler and more cost-effective for a business to ‘up-regulate,’ depending on the type of product sold. This effect can also occur if other jurisdictions adopt similar rules and regulations, legally requiring businesses to comply with California’s standards outside the state’s borders.

The California Effect transpires in the digital space. It is easier to customize a website for users in different geographic regions than an assembly line for car parts, but it is still advantageous to create one standardized set of practices for consistency of internal business practices, cost effectiveness, and public trust and reliability. This is demonstrated through security breach notification laws: California was the first state to enact a data breach notification law in 2002, requiring entities to notify consumers exposed to a security breach. This led to an emergence of numerous state and federal bills, and by January 2012, 46 states and the District of Columbia enacted laws modeled after California’s. Researchers continue to consider whether and to what extent a California Effect takes place today or will persist in the privacy issues.

Even when states deviate, California spotlights the issue and anchors the conversation. In 2018, California became the first state to pass a comprehensive consumer privacy law. At least four states have since followed California in passing their own privacy law—sometimes, but not always, following California’s lead. Of these states, only Colorado followed California in giving an agency rulemaking authority (Colorado gave power to the Attorney General, while California established a new privacy agency). California introduced the concept of a data protection assessment but left the details to its new privacy agency to clarify, while other states took advantage of this gap in regulation to adopt their own regulation: the Attorney General can request an assessment at any time in Colorado, but only when “relevant to an investigation” in Connecticut and when “pursuant to an investigative civil demand” in Virginia. Other states made important distinctions in requirements or definitions that impact business compliance, but California set the stage to begin the conversation.

Influence on Federal Legislation

This latest momentum from California lawmakers could be the push Congress needs to pass a comprehensive privacy bill and send it to the President’s desk. Two bipartisan privacy bills, S.3663- Kids Online Safety Act and S.1628- Children and Teens’ Online Privacy Protection Act, have advanced through the U.S. Senate Commerce Committee but have not come up for a vote by the full chamber.

Protecting teens from harms online has already been discussed in the federal government. In his first State of the Union Address, President Biden stated it was time to strengthen children’s privacy. Many members of Congress have accused social media companies of putting children’s well-being at risk. At a hearing last year focused on social media’s role in misinformation, Energy and Commerce Committee ranking member Rep. Cathy McMorris Rodgers (R-WA) stated, “big tech needs to be exposed and completely transparent for what you are doing to our children so parents like me can make informed decisions.” In his opening statement at a hearing this year on holding big tech accountable, Energy and Commerce Committee Chair Frank Pallone noted, “Another part of tech accountability is protecting people’s privacy, especially our children’s privacy, as more and more apps are used by and targeted to our kids.” Republicans have even signaled that child privacy concerns will be on the agenda for the next Congress. Their agenda includes expanding the Child Online Privacy Protection Act of 1998 (COPPA) to hold technology companies accountable for how they target advertising to children online and improving transparency and resources around children’s mental health and well-being.

With no comprehensive federal privacy law thus far, tech businesses must navigate this patchwork of state laws, making universal compliance difficult to achieve. Although the notion of a national data protection law seems unifying, there are many differing opinions about its implementation. As we saw with the proposed federal privacy consumer privacy bill, the American Data Privacy and Protection Act (ADPPA), the preemption of state laws has been a sticking point in the debate. While a national law would provide a clear standard for everyone to follow, a group of nine state Attorneys General (AG) wrote a letter advocating for “legislation that respects—and does not preempt—more rigorous and protective state laws,” creating a federal “floor” upon which states could build additional protections. On September 1, House Speaker Nancy Pelosi (D-CA-12) denied the ADPPA a floor vote, saying it “does not guarantee the same essential consumer protections as California’s existing privacy laws.”

Areas Still Up for Debate

As lawmakers look to enhance safety and privacy measures to protect children using social media and other online products and services, they must consider many other issues. Some new debates have emerged since the passing of California’s law, such as the age of consumers considered under the law. COPPA designates children under 13, whereas California’s law extends to anyone under 18. Under the new California Age-Appropriate Design Code Act, businesses must take reasonable measures to verify a person’s age, but this is one of the major challenges up for debate. Age restrictions are difficult to enforce and easy for consumers to circumvent – one investigation in Texas found consumers under the age of 21 had twice the success rate purchasing alcohol through delivery service apps than they did through traditional methods. Some experts have found that current protections insufficiently protect children online. The sensitivity of this information due to the vulnerabilities of children also raises debates around how to best address their safety and privacy online. While some provisions in California’s law may be more stringent than other bills, some argue the law does not go far enough to protect children online. For example, the civil liberties group Electronic Frontier Foundation worries the bill’s language incentivizes invasive age verification systems that could put children at even greater risk. Three non-profit organizations released a comprehensive guide to understand how California’s law compares to a proposed national standard to protect children online, including sensitive data collection and data minimization practices.

Conclusion

California may have sparked the consumer protection conversation, but policymakers from both parties across the country must continue these conversations to address consumer privacy issues. The privacy needs of both children and other vulnerable populations that might experience particularly harmful effects should be primarily considered in the conversation. Momentum is growing in Congress to address these concerns, but they must pay attention to states leading these efforts to understand what works, what does not, and what might be coming around the corner.

Share
Read Next

Support Research Like This

With your support, BPC can continue to fund important research like this by combining the best ideas from both parties to promote health, security, and opportunity for all Americans.

Give Now
Tags