States Ready to Reboot California-Style Kids’ Privacy Proposals


By Brenna Goth

  • Bills focused on site design, privacy for youth under 18
  • Legislation influenced by industry pushback, litigation

Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to know. Learn more.

State lawmakers are retooling efforts to replicate California’s first-in-the-nation law requiring online companies to proactively protect young users after opposition by the tech industry and other complications derailed their measures this year.

Lawmakers in Maryland and Minnesota said they will bring back legislation modeled after California’s Age-Appropriate Design Code Act, which boosts privacy standards and site design requirements for youth under 18 for a broad swath of sites. A coalition of advocacy groups aiming to address teen mental health issues and privacy concerns pushed the proposals this year in those states and elsewhere, though none have been enacted.

Supporters ran up against tight legislative timelines as they navigated significant lobbying from industry groups representing members including Amazon.com Inc., Meta Platforms Inc., and other Big Tech companies. State bills modeled after California also faced open legal questions as pending litigation alleges the California law violates the First Amendment and is otherwise unconstitutional.

Other states diverged this year in efforts to protect minors online with laws more narrowly focused on social media platforms. Utah is among states with new laws requiring parental consent for youth on social media, while a Florida measure includes some concepts similar to California’s design code.

The design-code approach makes the most sense by requiring platforms to build better, safer products from the outset, said Minnesota state Rep. Kristin Bahner (D), who pushed a bill modeled on California this year. Changes to the Minnesota bill address some of the First Amendment and other concerns raised in California, said Bahner, adding she’s confident in the bill’s prospects for passage next year.

“I really want this to be something that is repeatable across the country,” Bahner said.

Tech Pushback

The California law, which was enacted last year but has yet to take effect, aims to provide youth with baseline online protections by default and applies to sites likely to be accessed by children. Companies must assess how the design of new services, products, and features will impact children and their data.

The law—led by the children’s digital rights group 5Rights Foundation and based on a policy in the UK—also limits how a site can collect and use a child’s data. Companies must estimate the age of young users “with a reasonable level of certainty” based on data management risks, though it doesn’t specify specific considerations.

Lawmakers in Oregon, Nevada, and New Mexico joined Minnesota and Maryland to introduce bills mirroring that language. While the California measure may have flown under the radar when it was first considered in 2022, tech companies were on “high alert” this year, said Irene Ly, tech policy counsel for Common Sense Media, which has supported design code bills in California and elsewhere.

“Now they know that this is something that can pass and so they’re much more aware and they’re utilizing their resources and their staff to be trying to push back against it,” she said.

Groups such as the Computer & Communications Industry Association, whose members include Apple Inc.and Pinterest Inc., opposed the proposals in multiple states. The organization has argued the California law and similar measures are overly broad and that businesses don’t have a clear path to compliance.

The association remains concerned that the design-code approach and age estimation provisions “could introduce other problems related to data privacy and preventing open access to information online,” state policy director Khara Boender said in a statement.

NetChoice, the industry group suing over the California law, alleges the approach gives the government power to control speech and companies will be forced to collect more data on their users to identify their age. Parents should be the ones to determine what’s appropriate for their child, Carl Szabo, the group’s vice president and general counsel, told lawmakers at a National Conference of State Legislatures panel session in August.

“We need to recognize the trade-offs that come with this, and just saying something’s a health crisis as a basis to abandon the constitutional values we have can be a really slippery slope,” Szabo said.

Proposals Return

Moving forward, states will likely be looking to rebut tech industry opposition and narrow their proposals to ensure they’re specific to kids’ data privacy, Ly said. Legislators could also make changes if movement in the California suit reveals more about the judge’s concerns of that law, she said.

Lawmakers in Minnesota and Maryland have already amended their proposals based on feedback from the tech industry and other groups. They specifically aimed to clarify the bills are about design and data protections rather than content.

In Maryland, changes to the legislation proposed at the end of the session included tightening definitions and adding clarity on implementation, actions that a representative for Google called workable. That progress puts Maryland on strong footing to pass the measure next year, bill sponsor Del. Jared Solomon (D) said.

“We were really smart in the lobbyists that we worked with, in the coalition that we built, so I do not give Big Tech credit for killing the bill in Maryland,” Solomon said. “I truly think we just ran out of time.”

Minnesota Rep. Bahner said her measure will be back next year and that she’s considering its applicability to news organizations. The New York Times filed an amicus brief in the California litigation, arguing the law would restrict minors’ access to information.

Changes made to the Minnesota bill this year include removing sections that reference content, and giving businesses more time to fulfill specific data protection impact assessment requirements.

“I think we’re well positioned to press forward early in the session,” Bahner said.

Other states saw less momentum this year to enact design-code requirements. In Oregon, Sen. Chris Gorsek (D) wants to reintroduce a bill modeled on California’s law after it failed to receive a committee hearing this year, he said.

That move would likely come in 2025 given the state’s limited 35-day legislative session next year, he said.

“It just didn’t capture the attention it should have,” Gorsek said.

To contact the reporter on this story: Brenna Goth in Phoenix at bgoth@bloombergindustry.com

To contact the editors responsible for this story: Bill Swindell at bswindell@bloombergindustry.com; Stephanie Gleason at sgleason@bloombergindustry.com

Stay informed with more news like this – from the largest team of reporters on Capitol Hill – subscribe to Bloomberg Government today. Learn more.