We are three weeks into 2024 and lawmakers have already begun proposing technologically unfeasible and potentially unconstitutional bills. A new bill in Florida, HB 1, introduced by Rep. Tyler Sirois (R) and Fiona McFarland (R), is one such piece of legislation. Protecting minors online is critical, however, the manner in which HB 1 proposes to do so is simply counterproductive and untenable. The bill would prohibit users under 16 years of age from creating a new account on a social media platform and require a social media platform to use “reasonable age verification methods” (further specified to be an “independent third party” that is not affiliated with the platform) to verify the age of each account holder on the social media platform at the time a new account is created. This could create data collection requirements that conflict with other data minimization principles. Additionally, HB 1 risks adopting similar provisions that have faced legal challenges in other jurisdictions such as California and Arkansas, due to concerns with infringing upon teens’ First Amendment right to access information. Florida’s HB 1, and similar bills, exhibit an excessively broad scope, ultimately causing more harm than good.
In a DisCo featured story in March of 2023, I stated
“Lawmakers across the political spectrum at both the federal and state-level are increasingly proposing legislation aimed at creating additional age restriction and “assurance” measures. These measures are branded as a means to mitigate the perceived negative impacts that digital services may have on younger users. Many of these proposals include requirements for organizations to provide “age estimation” or “age verification” for users under a certain age.”
The March 2023 story went on to describe the various challenges associated with such approaches. This forecast holds true today where we can see a number of bills attempting to require age verification or age estimation as a tool framed to “protect children online”. In December of last year, CCIA released a short summary of State Online Age Verification Laws. While various age assurance methods are available, each approach comes with its own set of challenges and trade-offs. Many of these pieces of legislation do not provide a specific definition of age verification but provide broad examples of what could suffice. Beyond vague definitions, many of these proposals would require the use of third-party age verification tools. However, the Commission Nationale de l’Informatique et des Libertés (CNIL) analyzed several existing online age verification tools, finding that none can satisfactorily provide sufficiently reliable verification, allow for complete coverage of the population, and respect the protection of individuals’ data, privacy, and security.
As I stated,
“[t]he act of estimating or verifying a users age is a much more complicated initiative rife with concerns regarding feasibility, privacy, and unintended consequences for the very users these proposals are intended to benefit and protect.”
There are complex dynamics at play around age attestation, estimation, and verification. Paradoxically, at the same time lawmakers express concerns about minors’ privacy and security on social media, they also advance proposals to require verifying a user’s age which inherently necessitates the collection of additional, often sensitive data from minors. By essentially mandating the creation of a “honey pot” of information, particularly about younger users, such laws increase data privacy concerns and security risks. Some legislation seeks to get around this issue by prohibiting online services from retaining the data required to conduct age verification. However, this places businesses in an untenable situation in which they are unable to prove they complied with the age verification requirements. This would be particularly problematic in instances where the user employed means to bypass the age verification process, (i.e., using another individual’s ID).
While state lawmakers have pursued a variety of avenues aimed at addressing the risks younger users may encounter online, there are several trends to note. These bills often:
- Lack narrowly tailored definitions;
- Do not provide a common standard for how a user’s age should be estimated; and
- Offer sweeping restrictions such as denying services to users under 18, curtailing their First Amendment right.
HB 1, and similar bills, if enacted, could damage many minors’ experiences online. DisCo has discussed the importance of protecting children online, but noted that there is no silver bullet to this issue. No overly prescriptive regulation can solve this problem; effective solutions are often best tackled and driven from multiple fronts, including from online businesses themselves.
Creating safeguards intended for younger users is commendable, but legislation such as Florida’s HB 1 risks being counterproductive and could even foster serious privacy risks. Instead of such legislation, lawmakers should pursue legislation that adopts a risk-based approach tailored to tangible known harms and avoid bills that are broad, overreaching and potentially unconstitutional. In this manner, lawmakers can protect minors from specific instances of harm while maintaining their privacy and freedoms online and avoid undermining business certainty and deterring new entrants, harming competition and consumers.