California to Illinois: "Hold my beer..."

--------------------------------

https://www.techdirt.com/2022/08/24/dear-california-law-makers-how-the-hell-can-i-comply-with-your-new-age-appropriate-design-code/

I really don't have time for this kind of thing, but I wanted to pass along
that it appears that the California legislature is very, very close to passing
AB 2273, "The California Age-Appropriate Design Code Act". As far as I can
tell, it has strong support in the legislature and very little opposition. And
that's incredibly dangerous, because the bill is not only extremely
problematic, but it's also impossible to comply with. I hope Governor Newsom
will veto it, but it seems unlikely.

Earlier this year, Professor Eric Goldman provided a long and detailed
analysis of the many, many problems with the bill. As far as I can tell, since
then, the California legislature has made a few adjustments to the bill, none
of which fix any of Professor Goldman's concerns (one pretends to), and some
of which make them worse-- and also create serious 1st Amendment problems for
this bill. Oh, yeah, and they also carved out the one set of businesses with
the longest record of actually abusing consumer privacy: telcos and broadband
providers. Hilarious. It is astounding to me that the legislature appears to
have just wholly ignored all of Goldman's clearly laid out and explained
problems with the bill.

This is a bill that, as is all too typical from politicians these days, one
that insists that there's a problem without the evidence to back it up and
then demands an impossible solution that wouldn't actually fix the problem
even if the solution were possible. It's the ultimate in moral panic
lawmaking.
The bill is a "for the children" bill in that it has lots of language in there
claiming that this is about protecting children from nefarious online services
that create some unspecified and undefined "harm". But, as Goldman makes
clear, the bill targets everyone, not just children, because it has
ridiculously broad definitions.

We already have a federal law that seeks to protect children's data online,
the Children's Online Privacy Protection Act (COPPA). It has serious problems
but this bill doesn't fix any of those problems. It treats those problems as
features and expands on them massively. COPPA sensibly applies to sites that
are targeted toward those under 13. This has had some problematic side
effects, including inducing every major site to restrict the age of its users
to over 13, even though many of those sites are useful for people under the
age of 13. Of course, the way everyone deals with this is by signing up their
children for these services and lying about their age. Literally one of the
lasting impacts of COPPA is teaching children to lie. Great stuff.

But 2273 doesn't limit its impact to sites targeting those under 13. It
targets any business with an online service "likely to be accessed by
children" who are defined as "a consumer or consumers who are under 18 years
of age". I'm curious if that means someone who is not buying (i.e.,
"consuming") anything doesn't count? Most likely it will mean consuming as in
"accessing / using the service". And that's... ridiculous.

Because EVERY service is likely to have at least someone under the age of 18
visit it.

After Goldman's complaints, the California legislature did add in some
clarifying language which awkwardly implies a single person under the age of
18 won't trigger it, but that's not at all clear, and the vagueness means
everyone is at risk, and every site could be in trouble. The added language
says that "likely to be accessed by children" means that "it is reasonable to
expect, based on the following indicators, that the online service, product or
feature would be accessed by children". It then lists out a bunch of
"indicators" that basically describe sites targeting children. But if they
mean it to only apply to such sites, they should have said so explicitly, a la
COPPA. Instead, the language that remains in the bill is still that "it is
reasonable to expect... that the online service, product, or feature would be
accessed by children".

Let's use Techdirt as an example. We're not targeting kids but I'm going to
assume that some of you who visit the site are under the age of 18. Over the
years, I've had quite a few high school students reach out to me about what
I've written-- usually based on their interest in internet rights. And that
should be a good thing. I think it's great when high schoolers take an active
interest in civil liberties and the impacts of innovation-- but now that's a
liability for me. We're not targeting kids but some may read the site. My kids
might read the site because they're interested in what their father does.
Also, hell, the idea that all kids under 18 are the same and need the same
level of protection is ludicrous. High schoolers should be able to read my
site without difficulty but I really don't think elementary school kids are
checking in on the latest tech policy fights or legal disputes. Given that, it
seems that, technically, Techdirt is under the auspices of this law and is now
required to take all sorts of ridiculous steps to "protect" the children
(though, not to actually protect anyone). After all, it is "reasonable" for me
to expect that the site would be accessed by some people under the age of 18.

According to the law, I need to "estimate the age of child users with a
reasonable level of certainty".

Serious question: How?

Am I really going to have to start age-verifying every visitor to the site? It
seems like I risk serious liability in not doing so. And then what? Now
California has just created a fucking privacy nightmare for me. I don't want
to find out how old all of you are and then track that data. We try to collect
as little data about all of you as possible but under the law that puts me at
risk

Yes, incredibly, a bill that claims to be about protecting data, effectively
demands that I collect *way* more personal data than I ever want to collect.
And what if my age verification process is wrong? I can't afford anything
fancy. Does that violate the law? Dunno. Won't be much fun to find out,
though.

I apparently need to rewrite all of our terms of service, privacy policy, and
community standards in "clear language suited for children". Why? Do I need to
hire a lawyer to rewrite our terms... and then run them by my children to see
if they understand them? Really? Who does that help exactly (beyond the
lawyers)?

But then there's the main part of the law-- the "Data Protection Impact
Assessment". This applies to every new feature. Because it might be accessed
by children, before we can launch any new fearture, we need to create one of
these "DPIAs" for every new feature on the site. Our comment system? DPIA. Our
comment voting? DPIA. Our comment promotion? DPIA. The ability to listen to
our podcast? DPIA. The ability to share our posts? DPIA. The ability to join
our insider chat? DPIA. The ability to buy a t-shirt? DPIA. The ability to
post our stories to Reddit, Twitter, Facebook, or LinkedIn? DPIA (one DPIA for
each of those, or can we combine them? I dunno). Our feature that recommends
similar articles? DPIA. Search? DPIA. Subscribe to RSS? DPIA. DPIA. DPIA DPIA.
Also, every two years we have to review all DPIAs.

Fuck it. No more Techdirt posts. I'm going to be spending all my time writing
DPIAs.

We're currently working on a bunch of cool new features to make the site more
useful for the community. Apparently we'll need to do a data protection impact
assessment of all those, too. And that's going to make us that much less
likely to want to create these new features or to improve the site in the
future.

The DPIAs are not just useless busy work, they are overly broad and introduce
massive liability. The Attorney General can demand them and we have three
business days to turn over all of our DPIAs.

Many of the DPIAs are crazy intrusive and raise 1st Amendment issues. The DPIA
has to analyze any given feature would a child "to harmful, or potentially
harmful, content". Um. I dunno. Some of our comment discussions get pretty
rowdy. Is that harmful? For a child? I mean, the bill doesn't even define
"harmful" so basically... the answer is I have no fucking clue.

We also have to cover whether or not a child could witness harmful conduct on
the site. We've written about police brutality many times. Some of those
stories have videos or images. So, um, yeah? I guess a kid could potentially
witness something "harmful".

So, now basically EVERY company with a website is going to have to have a
written document where they say, "Yes, our service might, in some random way,
enable a child to witness harmful content." And that's kind of ridiculous. If
you don't say that, then the state can argue you did not comply with the law
and failed to do an accurate DPIA. Yet, if you do say that, how much do you
want to bet that will be used against companies as a weapon? There is some
language in the bill about keeping the DPIAs confidential, but especially for
the big companies they're going to leak.
I can already predict the NY Times, WSJ, Washington Post headlines screaming
about how "Big Tech Company X Secretly Knew It's Product Was Harmful!" That
will be entirely misleading because the only way to fill out a DPIA is to say
"Um, yes, maybe a child could possibly witness 'harmful' (again, undefined in
the bill!!) content on this service." Because that's just kind of a fact of
life. A child might witness harmful content walking down the street too, but
we figure out ways to deal with it.

On 8/29/2022 12:23 AM, BTR1701 wrote:
> California to Illinois: "Hold my beer..."

This is the caliber of RAT regulars: "Illinois thought..." Maybe one of
you guys anthropomorphize some animals next in tribute to Disney.

On 2022-08-29 1:23 AM, BTR1701 wrote:
> California to Illinois: "Hold my beer..."
>
> --------------------------------
>
> https://www.techdirt.com/2022/08/24/dear-california-law-makers-how-the-hell-can-i-comply-with-your-new-age-appropriate-design-code/
>
> I really don't have time for this kind of thing, but I wanted to pass along
> that it appears that the California legislature is very, very close to passing
> AB 2273, "The California Age-Appropriate Design Code Act". As far as I can
> tell, it has strong support in the legislature and very little opposition. And
> that's incredibly dangerous, because the bill is not only extremely
> problematic, but it's also impossible to comply with. I hope Governor Newsom
> will veto it, but it seems unlikely.
>
> Earlier this year, Professor Eric Goldman provided a long and detailed
> analysis of the many, many problems with the bill. As far as I can tell, since
> then, the California legislature has made a few adjustments to the bill, none
> of which fix any of Professor Goldman's concerns (one pretends to), and some
> of which make them worse-- and also create serious 1st Amendment problems for
> this bill. Oh, yeah, and they also carved out the one set of businesses with
> the longest record of actually abusing consumer privacy: telcos and broadband
> providers. Hilarious. It is astounding to me that the legislature appears to
> have just wholly ignored all of Goldman's clearly laid out and explained
> problems with the bill.
>
> This is a bill that, as is all too typical from politicians these days, one
> that insists that there's a problem without the evidence to back it up and
> then demands an impossible solution that wouldn't actually fix the problem
> even if the solution were possible. It's the ultimate in moral panic
> lawmaking.
> The bill is a "for the children" bill in that it has lots of language in there
> claiming that this is about protecting children from nefarious online services
> that create some unspecified and undefined "harm". But, as Goldman makes
> clear, the bill targets everyone, not just children, because it has
> ridiculously broad definitions.
>
> We already have a federal law that seeks to protect children's data online,
> the Children's Online Privacy Protection Act (COPPA). It has serious problems
> but this bill doesn't fix any of those problems. It treats those problems as
> features and expands on them massively. COPPA sensibly applies to sites that
> are targeted toward those under 13. This has had some problematic side
> effects, including inducing every major site to restrict the age of its users
> to over 13, even though many of those sites are useful for people under the
> age of 13. Of course, the way everyone deals with this is by signing up their
> children for these services and lying about their age. Literally one of the
> lasting impacts of COPPA is teaching children to lie. Great stuff.
>
> But 2273 doesn't limit its impact to sites targeting those under 13. It
> targets any business with an online service "likely to be accessed by
> children" who are defined as "a consumer or consumers who are under 18 years
> of age". I'm curious if that means someone who is not buying (i.e.,
> "consuming") anything doesn't count? Most likely it will mean consuming as in
> "accessing / using the service". And that's... ridiculous.
>
> Because EVERY service is likely to have at least someone under the age of 18
> visit it.
>
> After Goldman's complaints, the California legislature did add in some
> clarifying language which awkwardly implies a single person under the age of
> 18 won't trigger it, but that's not at all clear, and the vagueness means
> everyone is at risk, and every site could be in trouble. The added language
> says that "likely to be accessed by children" means that "it is reasonable to
> expect, based on the following indicators, that the online service, product or
> feature would be accessed by children". It then lists out a bunch of
> "indicators" that basically describe sites targeting children. But if they
> mean it to only apply to such sites, they should have said so explicitly, a la
> COPPA. Instead, the language that remains in the bill is still that "it is
> reasonable to expect... that the online service, product, or feature would be
> accessed by children".
>
> Let's use Techdirt as an example. We're not targeting kids but I'm going to
> assume that some of you who visit the site are under the age of 18. Over the
> years, I've had quite a few high school students reach out to me about what
> I've written-- usually based on their interest in internet rights. And that
> should be a good thing. I think it's great when high schoolers take an active
> interest in civil liberties and the impacts of innovation-- but now that's a
> liability for me. We're not targeting kids but some may read the site. My kids
> might read the site because they're interested in what their father does.
> Also, hell, the idea that all kids under 18 are the same and need the same
> level of protection is ludicrous. High schoolers should be able to read my
> site without difficulty but I really don't think elementary school kids are
> checking in on the latest tech policy fights or legal disputes. Given that, it
> seems that, technically, Techdirt is under the auspices of this law and is now
> required to take all sorts of ridiculous steps to "protect" the children
> (though, not to actually protect anyone). After all, it is "reasonable" for me
> to expect that the site would be accessed by some people under the age of 18.
>
> According to the law, I need to "estimate the age of child users with a
> reasonable level of certainty".
>
> Serious question: How?
>
> Am I really going to have to start age-verifying every visitor to the site? It
> seems like I risk serious liability in not doing so. And then what? Now
> California has just created a fucking privacy nightmare for me. I don't want
> to find out how old all of you are and then track that data. We try to collect
> as little data about all of you as possible but under the law that puts me at
> risk
>
> Yes, incredibly, a bill that claims to be about protecting data, effectively
> demands that I collect *way* more personal data than I ever want to collect.
> And what if my age verification process is wrong? I can't afford anything
> fancy. Does that violate the law? Dunno. Won't be much fun to find out,
> though.
>
> I apparently need to rewrite all of our terms of service, privacy policy, and
> community standards in "clear language suited for children". Why? Do I need to
> hire a lawyer to rewrite our terms... and then run them by my children to see
> if they understand them? Really? Who does that help exactly (beyond the
> lawyers)?
>
> But then there's the main part of the law-- the "Data Protection Impact
> Assessment". This applies to every new feature. Because it might be accessed
> by children, before we can launch any new fearture, we need to create one of
> these "DPIAs" for every new feature on the site. Our comment system? DPIA. Our
> comment voting? DPIA. Our comment promotion? DPIA. The ability to listen to
> our podcast? DPIA. The ability to share our posts? DPIA. The ability to join
> our insider chat? DPIA. The ability to buy a t-shirt? DPIA. The ability to
> post our stories to Reddit, Twitter, Facebook, or LinkedIn? DPIA (one DPIA for
> each of those, or can we combine them? I dunno). Our feature that recommends
> similar articles? DPIA. Search? DPIA. Subscribe to RSS? DPIA. DPIA. DPIA DPIA.
> Also, every two years we have to review all DPIAs.
>
> Fuck it. No more Techdirt posts. I'm going to be spending all my time writing
> DPIAs.
>
> We're currently working on a bunch of cool new features to make the site more
> useful for the community. Apparently we'll need to do a data protection impact
> assessment of all those, too. And that's going to make us that much less
> likely to want to create these new features or to improve the site in the
> future.
>
> The DPIAs are not just useless busy work, they are overly broad and introduce
> massive liability. The Attorney General can demand them and we have three
> business days to turn over all of our DPIAs.
>
> Many of the DPIAs are crazy intrusive and raise 1st Amendment issues. The DPIA
> has to analyze any given feature would a child "to harmful, or potentially
> harmful, content". Um. I dunno. Some of our comment discussions get pretty
> rowdy. Is that harmful? For a child? I mean, the bill doesn't even define
> "harmful" so basically... the answer is I have no fucking clue.
>
> We also have to cover whether or not a child could witness harmful conduct on
> the site. We've written about police brutality many times. Some of those
> stories have videos or images. So, um, yeah? I guess a kid could potentially
> witness something "harmful".
>
> So, now basically EVERY company with a website is going to have to have a
> written document where they say, "Yes, our service might, in some random way,
> enable a child to witness harmful content." And that's kind of ridiculous. If
> you don't say that, then the state can argue you did not comply with the law
> and failed to do an accurate DPIA. Yet, if you do say that, how much do you
> want to bet that will be used against companies as a weapon? There is some
> language in the bill about keeping the DPIAs confidential, but especially for
> the big companies they're going to leak.
> I can already predict the NY Times, WSJ, Washington Post headlines screaming
> about how "Big Tech Company X Secretly Knew It's Product Was Harmful!" That
> will be entirely misleading because the only way to fill out a DPIA is to say
> "Um, yes, maybe a child could possibly witness 'harmful' (again, undefined in
> the bill!!) content on this service." Because that's just kind of a fact of
> life. A child might witness harmful content walking down the street too, but
> we figure out ways to deal with it.
>
> You have to imagine that DPIA's will be open for discovery and subpoenas in
> lawsuits, which will then be turned around on companies to insist that they
> had "knowledge of the harms" that could happen, and therefore they're liable,
> even if the actual harm was not connected to the actual workings of the site,
> but the underlying content.
>
> Part of the DPIA process is that once we've identified the potential harm, we
> have to "create a timed plan to mitigate or eliminate the risk before the
> online service, product, or feature is accessed by children".
>
> So, um, how do we mitigate the "harm" we might provide? We just can't report
> on police brutality any more? We can't have comments any more? Because some
> undefined hypothetical child (including high school students) out there might
> access it and witness "harmful" content? How is that possible?
>
> I literally don't know how to comply with any of this. And doesn’t that
> violate the 1st Amendment? Having the government demand I document and
> mitigate (undefined) harm from my site (or the content on my site) seems like
> it's a content moderation bill in disguise, requiring me to mitigate the harms
> (i.e., take down or ban content). And, well, that's a 1st Amendment problem.
>
> The enforcement of the bill is in the hands of the Attorney General. I doubt
> the AG is going to go after Techdirt... but, I mean, what if I write something
> mean about him? Now they have a tool to harass any company, demanding they
> hand over all their DPIAs and potentially fining them "a civil penalty of not
> more than $2,500 per affected child for each negligent violation or not more
> than $7,500 per affected child for each intentional violation".
>
> So... if a class of 20 high schoolers decide to visit Techdirt to learn about
> how their civil liberties are under attack in California, the AG could then
> effectively fine me $150,000 for not having mitigated the "harm" they may have
> endured. The AG would likely have to give me 90 days to "cure" the violation,
> but as discussed above, there is no cure.
>
> At the very least, this bill would make me extremely nervous about ever
> criticizing California's Attorney General (especially if he seems like the
> vindictive type-- and there are plenty of vindictive AGs in other states),
> because they now have an astounding weapon in their toolbox to harass any
> company that has a website. As such, this bill-- just by existing-- suppresses
> my speech in that it leads to us being less willing to criticize the Attorney
> General.
>
> Eric Goldman keeps posting about how this blows up the internet. My guess is
> that it's actually going to be almost entirely ignored... until it's used to
> bash a company for some other issue. It's impossible to comply with. It
> creates a massive amount of busy work for almost all companies with a website,
> almost all of which will ignore it. The biggest companies will send off their
> legal teams to write up a bunch of useless DPIAs that only will create legal
> liability for them. Mid-sized companies may do the same, though they may also
> significantly decrease the kinds of features they'll add to their websites.
> But every smaller company is going to just totally ignore it.
>
> And then, any time there's some other issue that politicians are mad about,
> the AG will have this stupid thing in their back pocket to slam them with.
> It's performative lawmaking at its absolute worst.
>
> And no one can explain how any of this will actually help children.
>
> Here's the thing that's particularly stupid about all of this. The underlying
> premise of the bill is completely disconnected from reality. It's premised on
> the idea that most websites don't have any incentive to be careful with
> children. Are there some egregious websites out there? Sure. So write a
> fucking bill that targets them. Not one that drags in everyone and demands
> impossible-to-comply with busy work. Or, JUST USE THE AUTHORITIES THAT ALREADY
> EXIST. COPPA exists. The California AG already has broad powers to protect
> California consumers. Use them!
>
> The whole thing is the worst of the worst in today's tech policymaking. It
> misunderstands the problem. Has no clue about what its own law will do and
> just creates a massive mess. Again, I think the end result of any such law is
> that it is mostly ignored and we shouldn’t be passing a law if the end result
> is that it's going to be ignored and basically have everyone violate it, which
> just creates a massive liability risk, because eventually, the AG is going to
> go after some company for this while everyone is ignoring it, and then there
> will be a flurry of concern.
>
> Honestly, seeing my home state pass a law like this makes me think that
> California no longer wants internet businesses to be opening up here. Why
> would you?
>
> But California politicians need headlines about how they’re "taking on big
> tech" and "protecting the children" and so we get this utterly disconnected
> from reality nonsense. No one can possibly comply with it and now the
> California Attorney General can retaliate against any business with a
> website.
>
>
You've made a compelling case for why this is a REALLY bad law but I'm
darned if I know what to do about it. I can't imagine Newsom vetoing it;
it sounds like exactly the sort of virtue-signalling garbage he and his
"progressive" friends are down with. It might even be a plank in his
platform if he makes the predicted run for the White House. (Imagine a
federal law modelled on the California law!!)

> BTR1701
>
> Honestly, seeing my home state pass a law like this makes me think that
> California no longer wants internet businesses to be opening up here. Why
> would you?

Seems to me the solution is to stop doing business with California.

If a user's IP address shows up as being in California, then they get a screen
saying that can't access the site with the text of the stupid law underneath
and phone numbers for the California governor and legislature.

BTR1701 <atropos@mac.com> wrote:

>California to Illinois: "Hold my beer..."

>--------------------------------

>https://www.techdirt.com/2022/08/24/dear-california-law-makers-how-the-hell-can-i-comply-with-your-new-age-appropriate-design-code/

I have no new outrage to counter this. Give me a few days.

On 2022-08-29 3:41 PM, Ed Stasiak wrote:
>> BTR1701
>>
>> Honestly, seeing my home state pass a law like this makes me think that
>> California no longer wants internet businesses to be opening up here. Why
>> would you?
>
> Seems to me the solution is to stop doing business with California.
>
> If a user's IP address shows up as being in California, then they get a screen
> saying that can't access the site with the text of the stupid law underneath
> and phone numbers for the California governor and legislature.

I approve! That's a very good fast way to get the message across to a
lot of people very quickly.

--
Rhino

In article <tel2no$1fqfn$1@dont-email.me>,
Rhino <no_offline_contact@example.com> wrote:

> On 2022-08-29 3:41 PM, Ed Stasiak wrote:
> >> BTR1701
> >>
> >> Honestly, seeing my home state pass a law like this makes me think that
> >> California no longer wants internet businesses to be opening up here. Why
> >> would you?
> >
> > Seems to me the solution is to stop doing business with California.
> >
> > If a user's IP address shows up as being in California, then they get a
> > screen saying that can't access the site with the text of the stupid law
> > underneath and phone numbers for the California governor and legislature.
>
> I approve! That's a very good fast way to get the message across to a
> lot of people very quickly.

This crowd would just amend the law to make it illegal to embarrass them
that way.