On the internet, it's California's way on the legislative highway
Trying to regulate the internet at any level, much less at the level of one of our 50 states, is always something of a fool’s errand. How do you convince an online service provider in, say, Ukraine to comply with the current version of the Payment Card Industry (PCI) Data Security Standard, to borrow a clause from Nevada Revised Statute 603A.215? How would a district attorney or attorney general serve the online service provider if they failed to disclose a significant security breach, thus violating NRS 603A.220?
The answer, of course, is they can’t — but that doesn’t mean they can’t punish a misbehaving Strip casino for violating local statutes.
Regulating the internet as a state is, by nature and necessity, a legal and secular exercise of the Serenity Prayer — grant attorneys general the serenity to accept the out-of-state violations they cannot charge, courage to prosecute what malefactors they can, and wisdom to know the difference — or, failing that, at least the wisdom to recognize which windmills are politically beneficial to be seen tilting at. For good examples of the latter, see Florida and Texas.
California, however, isn’t like other states. California has more people than any other state in the U.S. — more than one in 10 Americans are also Californians and, were California a country, its population (a bit over 39 million) would rank 37th, between Ukraine (over 41 million, though the last census occurred before more than seven million Ukrainians evacuated in the face of the most recent Russian invasion of their country) and Canada (just under 39 million). Were California a country, it would also have the fifth-largest economy in the world, ahead of the United Kingdom, India, and South Korea.
California also hosts several multi-billion dollar technology companies, each fully subject to California law. Not that it matters all that much where a company is hosted — because California’s well-heeled consumers are protected under California law, basing your company elsewhere won’t exempt you from California’s laws as long as you want to do business with Californians.
That includes the entirety of Nevada’s tourism industry.
To fully understand the effect California’s legislation has on the internet, consider the California Consumer Privacy Act, which passed in 2018. It requires, among other things, for-profit businesses with annual gross revenues in excess of $25 million to have a “Do Not Sell My Personal Information” link on the homepage of the website for the business and to maintain accessible privacy notices — and so Microsoft, which is based in Redmond, Washington, has a California Consumer Privacy Act notice. If you visit the website for the MGM Grand and look at the bottom, meanwhile, you’ll find a notice indicating that California residents should “see Cookie Settings for opt-out rights” — those rights, if you investigate further, are enumerated as follows:
For California residents only, you have the right to opt-out of having your personal information sold to third parties. The use of certain cookies placed by third parties on our sites may constitute a sale of personal information under the California Consumer Privacy Act (“CCPA”). In addition to visiting http://ccpadsar.mgmresorts.com, you must use our cookie preference tool on your device and turn off all cookies below (except Strictly Necessary Cookies) to fully exercise your CCPA opt-out of sale rights. The cookie preference tool is device and browser specific. If you delete or clear cookies or change devices or browsers, you will need to reset your cookie preferences using the tool.
- MGM Resorts International Privacy Preference Center
Microsoft and the MGM Grand do business with Californians. Therefore, while they do so, they must — and do — follow applicable California laws even though they themselves are not located in California. Consequently, California punches above its legislative weight.
If you’re a Nevadan, don’t feel too sorry for yourself — NRS 603A.330 applies our state’s information security and privacy laws to anyone who does business with a Nevada resident. It’s the same trick California pulls — they’re just better at it because they have more than 10 times as many people and a tech industry that does something other than building slot machines, selling shoes to Amazon customers, or selling municipally-backed NFTs.
As the old saying goes, don’t hate the player, hate the game.
At the end of August, California’s legislature passed two additional bills that further regulate the internet for Californians, California-based businesses, and anyone who connects or does business with them (that would be us and everybody else who uses the internet, in other words) — Assembly Bill 2273, which passed both houses of California’s bicameral legislature unanimously, and Assembly Bill 587, which was only opposed by three state senators and passed the state assembly unanimously. Both bills are now sitting on Gov. Gavin Newsom’s desk, awaiting his signature, but even without it, both bills passed California’s legislature with overwhelming, veto-proof majorities.
AB587 requires social media companies that generate more than $100 million in gross revenue to post their terms of service, keep track of how their content moderation policies are enforced, and report back to California’s attorney general every six months about whether and how they monitor for hate speech, racism, extremism, radicalization, disinformation, misinformation, harassment, or foreign political interference. I’m sure the people running Parler — the conservative-catering, Henderson, Nevada-based social media network, which achieved a bit of notoriety for its relative popularity among the January 6th rioter set and was consequently kicked off of the internet for a week — are looking forward to preparing semiannual reports about their content-moderation policies to California’s attorney general, assuming their business is still clearing $100 million these days.
Less flippantly, Santa Clara University School of Law professor Eric Goldman points out there’s a strong chance AB587 runs afoul of several constitutional protections because hate speech, racism, and so on, though noxious, are all constitutionally protected and American governments don’t get to keep closer track of them than other speech. The bill also simultaneously prohibits large social media companies from making sudden content-moderation decisions in the event of novel harmful social media content because the terms of service must include full details about the social media platform’s editorial policies and practices. Given every detail about how each social media platform enforces its editorial decisions around each type of content, it’s only a matter of time before malicious users rules-lawyer their way around each platform’s posted terms of service to post noxious and potentially harmful content that doesn’t run afoul of the platform’s existing filters.
This, in the long run, will likely lead to a worse social media experience for all users, not just those logging in from California.
AB2273, meanwhile, bills itself as “The California Age-Appropriate Design Code Act.” Depending on who you ask, it will either make the digital world safe for American (not just Californian) children or require every website on planet Earth to scan your face before you access their digital contents.
In practice, the truth will probably be a very unsatisfying somewhere in between.
The idea behind AB2273 is to ensure children — anyone under the age of 18 — aren’t subject to “dark patterns” or privacy violations while they use the internet. Accomplishing that, however, requires businesses to either know which of their website users are children (hence the “scan your face” bit) or ramp up privacy and content-protection policies for all users.
The legal website JD Supra has a full breakdown of the law, which businesses are covered under it, and what requirements and prohibitions apply.
To the bill’s credit, it wasn’t drafted ex nihilo from the fertile imaginations of California legislators — instead, they copied the United Kingdom’s Children's Code nearly word-for-word, which means many online service providers have some familiarity and experience with the concepts and pitfalls involved in becoming compliant with the new regulations. Age verification, at least in the UK, is defined under PAS 1296:2018, a standard published by the British Standards Institution, which defines several levels of acceptable age assurance approaches, depending on severity and need. Taking someone’s picture, to pick the most hyperbolic example, would qualify either as a “Liveness Detection” or an “ID Validation,” both of which are only necessary in use cases requiring Level 3, or Enhanced age assurance. Standard-level checks require more passive age verification measures.
To the bill’s detriment, even the more passive methods available require some fairly intrusive data collection, including verification of government identity documents, bank records, and algorithmic profiling. Additionally, as the International Association of Privacy Professionals (IAPP) points out, the law applies to any business that “provides an online service, product, or feature likely to be accessed by children” — this, as the News/Media Alliance, a trade group representing The New York Times, among other publications, pointed out, might even include for-profit news agencies because older children frequently read the news online.
Though the British version of California’s bill has produced some salutary effects in the desired direction — members of the U.S. Senate and Congress are already calling on U.S. tech and gaming companies to voluntarily adopt the UK’s code for American children, and similar legislative efforts are underway in Ireland, Australia and Canada — California’s law won’t be enforced by British bureaucrats interpreting the code under the relatively aspirational standards of British common law where good tries are rewarded. Instead, as Eric Goldman highlights, it will be enforced by California’s attorney general and the California Privacy Protection Agency under the considerably more adversarial rules-based norms of the American legal system.
That’s a problem given much of AB2273 is written closer to the now-unconstitutional standard of Montana’s 1990s-era “reasonable and prudent” speed limit than to any sort of firm metric a court of law can adjudicate between two antagonistic adversaries. What does it mean, for example, for a site to be “likely to be accessible by children”? What is a “high level of privacy protection”? What is a “reasonable level of certainty” when establishing the age of a website visitor? When a disclosure is made “concisely, prominently, and using clear language suited to the age of children likely to access” a site, what happens if a preschooler in California accesses the Reno Gazette-Journal? Does the RGJ need to provide its disclosures in language even someone finishing up potty training can understand?
To be clear, California’s new laws address some good, serious points worthy of potential regulation. “Dark patterns,” malicious data sharing, and the lack of online privacy are all serious concerns. Combining all three, the National Republican Senatorial Committee was recently caught sending uncredited text messages asking recipients if they support Trump — if they replied “YES,” the N.R.S.C. debited $25 against whatever credit card information was saved for that phone number in WinRed, the Republican Party’s fundraising platform. Unfortunately, they never asked WinRed for permission to use their data in that fashion for that campaign — and, even if WinRed consented, chances are the donors themselves never consented to lose money every time they merely replied to a text.
Protecting children from malicious data collection and strictly protecting their privacy is also a noble goal. For over a decade now, there’s been a recurring story that follows the contours of the game of “Capture the Flag” internet trolls played with Shia LaBeouf against the actor’s wishes, where random online participants, using data LaBeouf himself released about his flag, identified where his flag was located and stole it — only, instead of stealing flags, they send S.W.A.T. teams to their houses and push people into suicide. Preventing children from either harassing random strangers or being harassed themselves is a worthwhile goal, one I commend California’s legislature for trying to address.
Unfortunately, the American legal system California (and Nevada, for that matter) operates under assumes — to borrow a phrase from Alon Levy, a research scholar at NYU's Marron Institute of Urban Management — that every agency, every corporation, and every individual is a baboon. Baboons are stupid, unmovable, and unreasonable. Baboons have no interest in resolving anyone’s problems, including their own. Coordinating and negotiating between baboons is impossible — the best you can do is draft firm, specific rules and regulations even a baboon can read and understand, then enforce them with as big of a stick as you can place in your hand.
Consequently, when faced with an aspirational piece of legislation full of vague and nonspecific requirements that was drafted and passed in an American legislature, American companies will assume legislators have empowered their bureaucrats to use that language like a stick anywhere and everywhere they can, with as much strength behind it as they can muster, and react accordingly. In the case of AB2273, that likely means assuming a toddler in California will visit a casino website by accident and programming the next refresh of that site defensively, with all of the age-verification systems money can buy, each paragraphed between novel-lengths of terms and conditions written in Basic English and Learning English.
There is a way out of this. Gov. Newsom could veto the bill with instructions to California’s legislature to better incorporate the recommendations filed by Consumer Reports, among others, and flesh out the instructions the law provides to American standards. Alternatively, we could wait for Congress to finish working on the Kids Online Safety Act and leave nation-affecting legislation at the national level. Better yet, we could just wait for companies to finish voluntarily complying with the United Kingdom’s Children’s Code worldwide, which many companies are already doing.
The United Kingdom is at least a real country. California is only a country in video games.
David Colborne ran for office twice and served on the executive committees for his state and county Libertarian Party chapters. He is now an IT manager, a registered nonpartisan voter, the father of two sons, and a weekly opinion columnist for The Nevada Independent. You can follow him on Twitter @DavidColborne or email him at [email protected].