blog: Don Marti


AADC compliance questions for small web sites

28 August 2022

(update 31 August 2022: third-party analytics for option 2?)

I am not a lawyer, and this is not legal advice. I'm just trying to figure out what would be the right questions to ask a California lawyer about how a small or medium web site can comply with AB-2273: The California Age-Appropriate Design Code Act, if it becomes law. What would be the available options?

This is not about apps, games, services that develop a lot of their own code, platforms, or UGC forums. See California Legislators Seek To Burn Down The Internet — For The Children by Eric Goldman for some questions on those. Compliance issues for games, especially those with an in-game economy, will be a lot more interesting. This is just about regular web sites that have unique content, but pretty generic functionality.

Will fill in with more info as I learn it.

Option 1: Don't be a business as defined by CCPA/CPRA. A CPRA business has to have at least one of the following:

(A) annual gross revenues in excess of $25,000,000

(B) annually buys, sells, or shares the personal information of 100,000 or more consumers or households

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Typical RTB web ads, as used by a small/medium site, are based on sale of personal info by the CCPA/CPRA definition. Some other third-party tools, like comments and social widgets, also sell info on the users. So if we get 100,000 or more normal ad users in a year (year, not month), that is, visitors who are not blocking trackers or opting out of sale, then a for-profit site is a CCPA/CPRA business, and required to comply with AADC. And if we have fewer than 100,000 annual users but make half our money or more from RTB ads, we're also a business.

Option 1A: don't run the site as a for-profit business: start or find a non-profit org to own the domain and assets.

Option 1B: stay under $25 million in revenue and either don't run any RTB ads or third-party resources, or shut them down for the year after 99,999 visitors saw the ads.

Option 1C: (and this is where it gets tricky, I do not know if this would work) Stay under $25 million, run RTB ads, but do all the right legal and configuration incantations to put all third parties on the page into a mode where no sale is happening. Basically treat all the users as if they had done a CCPA opt-out. Does this work?

Or could we combine 1B and 1C, and flip the ads to opt-out mode after 99,999 users in a year?

Option 2: don't make the site likely to be accessed by children. That's a hard one. Likely to be accessed by children can be any of these:

(A) The online service, product, or feature is directed to children as defined by the Children’s Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.).

(B) The online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.

(C) An online service, product, or feature with advertisements marketed to children.

(D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).

(E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.

(F) A significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children.

The tricky part here is that COPPA children (under 13) are different from AADC children (under 18). Trying to comply by making a site not likely to be accessed by children might work if we were talking about COPPA-age children, but under-18s? People that age had better be reading about a lot of different stuff— they're going to be voting soon. (Is the webcomic Terminal Lance likely to be accessed by children because it's of interest to 17-year-olds thinking about joining the Marine Corps when they graduate from high school?)

Option 2 looks like a dead end. We might start off thinking we're not running a kids site, but no site maintainer can know if their niche topic is going to get covered in a MOOC, a YouTube video, a Discord or Reddit thread, or whatever, and all of a sudden the site becomes a must-visit for teenage users. (which is not a bad thing, right? Hey, kids, go get prepared to win Internet arguments about Sparta.)

There might be a way to do option 2, if the site has a third-party analytics provider that has age information. Would an aggregated report on the site audience be good enough to claim that the site is not likely to be accessed by children? If a site could rely on this, then that would let you leave RTB ads in normal mode and not do any of the remaining compliance stuff.

All right, let's keep going. If option 1 didn't work, and we don't have a way to show that the site is not likely to be accessed by children, then maybe we actually have to do DPIAs, plus either age estimation or put every user in the max privacy protection category.

An independent site is probably going to be running WordPress or some other open-source or SAAS WCMS. So we're likely going to be able to ask around and borrow mostly workable DPIAs from open source (like sites can borrow the WordPress privacy policy today) and we will get sent DPIAs by every ad network or third-party service that we're signed up for. More paperwork, but should be something that can be dealt with. (Hosting providers and ad services might add DPIA management to their service packages, too.)

Age estimation is not age verification (no, you won't have to pay a creepy vendor owned by a pr0n site to track your users, if this becomes law somebody else will launch a lower-risk estimator service) but it's still an extra piece of code to add. But it looks like this is a task that third party service(s) will either tell sites how to do and check up on, or do themselves. (We won't have to do it if we were able to use Option 1.) If a site kept running RTB ads and didn't either (1) put the ads in opt-out mode for everybody or (2) start running age estimation, then all the third-party services would be taking a compliance risk. It's going to be like having to get a CMP, right?

Impact on the future of web ads?

It looks like the options for most sites will be

  • remove RTB ads and other third-party resources that count as a sale or share

  • put all third parties into opt-out mode for all users maybe???

  • rely on third-party analytics to prove that the site is not likely to be accessed by children maybe???

  • Do DPIAs (copied from the same open source projects as site code?) and turn on whatever age estimation service the third parties will require.

This is extra work for legit sites, but I'm cautiously optimistic about the big picture here. The first rule of understanding the impact of a proposed tech standard or regulation is that you can't just look at the likely impact on small legit sites—you have to look at the relative impact on small legit sites compared to the impact on harmful sites/apps/channels (scrapers, terrorists, etc.) and the third parties that enable them. In this case, AADC means increasing existing legal risks for apps and third parties, and the advertisers that use them, so should help push up the value of ads on legit sites. A lot of advertisers who get told they're reaching high-value adult audiences are really having their ads shown in apps for kids—if AADC makes that harder to do, it's good news for the legit sites that actually reach those adult audiences.

To review, the web ad crisis is more of a supply and demand story than a privacy story. We have a problem mostly because third parties can artificially increase the number of saleable ad impressions, by offering ads on content that no advertiser would choose to sponsor. Creepy trackers mostly aren't creepy because they want to be creepy, they're creepy because they want to sell some advertiser an ad impression they wouldn't otherwise buy. In general, regulations and tools that make third parties reduce the number of ad impressions they can sell are a step in the right direction.

No one law gets us all the way to the point where a fully-opted-out site is going to be viable on ad revenue alone, but it's a step.
