AADC compliance questions for small web sites
28 August 2022
(update 31 August 2022: third-party analytics for option 2?)
I am not a lawyer, and this is not legal advice. I'm just trying to figure out what would be the right questions to ask a California lawyer about how a small or medium web site can comply with AB-2273: The California Age-Appropriate Design Code Act, if it becomes law. What would be the available options?
This is not about apps, games, services that develop a lot of their own code, platforms, or UGC forums. See California Legislators Seek To Burn Down The Internet — For The Children by Eric Goldman for some questions on those. Compliance issues for games, especially those with an in-game economy, will be a lot more interesting. This is just about regular web sites that have unique content, but pretty generic functionality.
Will fill in with more info as I learn it.
Option 1: Don't be a business as defined by CCPA/CPRA. A CPRA business has to have at least one of the following:
(A) annual gross revenues in excess of $25,000,000
(B) annually buys, sells, or shares the personal information of 100,000 or more consumers or households
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
RTB web ads, as used by a small/medium site, are based on sale of personal info by the CCPA/CPRA definition. Some other third-party tools, like comments and social, sell info on the users.
So if we get 100,000 or more normal ad users in a year (year, not month; that is, visitors who are not blocking trackers or opting out of sale), then a for-profit site is a CCPA/CPRA business, and required to comply with AADC. And if we have fewer than 100,000 annual users but make half our money or more from RTB ads, we're also a business.
Option 1A: don't run the site as a for-profit business: start or find a non-profit org to own the domain and assets
Option 1B: stay under $25 million in revenue and either don't run any RTB ads or third-party resources, or shut them down for the year after 99,999 visitors saw the ads.
Option 1C (and this is where it gets tricky; I do not know if this would work): stay under $25 million, run RTB ads, but do all the right legal and configuration incantations to put all third parties on the page into a mode where no sale is happening. Basically, treat all the users as if they had done a CCPA opt-out. Does this work?
Or could we combine 1B and 1C, and flip the ads to opt-out mode after 99,999 users in a year?
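As an added example (not code from this post), here is one way a site could implement the combined 1B + 1C idea server side: count distinct ad-viewing visitors per calendar year and flip every third-party tag to opt-out mode once the count reaches 99,999. It assumes the site already has an opaque first-party visitor id, that the opt-out signal to honor is the Global Privacy Control header, and the IAB us_privacy string layout shown; whether any of this satisfies the law is exactly the open question above.

```python
from dataclasses import dataclass, field
import hashlib

# Assumptions (not from the post): visitors carry an opaque id the site
# already has (e.g. a first-party session cookie), and the CCPA opt-out
# signal is the Global Privacy Control request header "Sec-GPC: 1".
THRESHOLD = 99_999  # the post's figure: stay below 100,000 annual "sale" users


def us_privacy_string(mode: str) -> str:
    """IAB us_privacy string handed to ad tags. Layout assumed here:
    version, notice given, opted out of sale, LSPA covered."""
    return "1YYN" if mode == "opt-out" else "1YNN"


@dataclass
class AdModePolicy:
    year: int
    threshold: int = THRESHOLD
    force_opt_out: bool = False  # Option 1C alone: treat everyone as opted out
    seen: set = field(default_factory=set)  # hashed ids served in normal mode

    def _key(self, visitor_id: str) -> str:
        # Store only a year-salted hash, so the counter is not itself a tracking log.
        return hashlib.sha256(f"{self.year}:{visitor_id}".encode()).hexdigest()

    def mode_for(self, visitor_id: str, headers: dict, year: int) -> str:
        """Return "normal" or "opt-out" for this request's third-party tags."""
        if year != self.year:  # new calendar year: the Option 1B counter starts over
            self.year, self.seen = year, set()
        if self.force_opt_out or headers.get("Sec-GPC") == "1":
            return "opt-out"  # an explicit opt-out never counts toward the cap
        if len(self.seen) >= self.threshold:
            return "opt-out"  # cap reached: opt-out mode for the rest of the year
        self.seen.add(self._key(visitor_id))  # repeat visits are not double-counted
        return "normal"
```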
Option 2: don't make the site likely to be accessed by children. That's a
Likely to be accessed by children can be any of these:
(A) The online service, product, or feature is directed to children as defined by the Children’s Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.).
(B) The online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.
(C) An online service, product, or feature with advertisements marketed to children.
(D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).
(E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.
(F) A significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children.
The tricky part here is that COPPA children (under 13) are different from AADC children (under 18). Trying to comply by making a site not likely to be accessed by children might work if we were talking about COPPA-age children, but under-18s? People that age had better be stuff— they're going to be voting soon. (Is the webcomic Terminal likely to be accessed by children because it's of interest to 17-year-olds thinking about joining the Marine Corps when they graduate from high school?)
Option 2 looks like a dead end. We might start off thinking we're not running a but no site maintainer can know if their niche topic is going to get covered in a MOOC, a YouTube video, a Discord or Reddit thread, or whatever, and all of a sudden the site becomes a must-visit for teenage users. (Which is not a bad thing, right? Hey, kids, go get prepared to win Internet arguments about Sparta.)
There might be a way to do option 2, if the site has a third-party analytics provider that has age information. Would an aggregated report on the site audience be good enough to claim that the site is not likely to be accessed by children? If a site could rely on this, then that would let you leave RTB ads in normal mode and not do any of the remaining compliance stuff.
All right, let's keep going. If option 1 didn't work, and we don't have a way to show that the site is not likely to be accessed by children, then maybe we actually have to do DPIAs, plus either age estimation or put every user in the max privacy protection category.
Age estimation is not age verification (no, you won't have to pay a creepy vendor owned by a pr0n site to track your users; if this becomes law somebody else will launch a lower-risk estimator service), but it's still an extra piece of code to add. But it looks like this is a task that third-party service(s) will either tell sites how to do and check up on, or do themselves. (We won't have to do it if we were able to use Option 1.) If a site kept running RTB ads and didn't either (1) put the ads in opt-out mode for everybody or (2) start running age estimation, then all the third-party services would be taking a compliance risk. It's going to be like having to get a CMP, right?
Impact on the future of web ads?
It looks like the options for most sites will be:
(1) remove RTB ads and other third-party resources that count as a
(2) put all third parties into opt-out mode for all users (maybe???)
(3) rely on 3rd-party analytics to prove that the site is not likely to be accessed by children (maybe???)
(4) do DPIAs (copied from the same open source projects as site code?) and turn on whatever age estimation service the third parties will require.
This is extra work for legit sites, but I'm cautiously optimistic about the big picture here. The first rule of understanding the impact of a proposed tech standard or regulation is that you can't just look at the likely impact on small legit sites—you have to look at the relative impact on small legit sites compared to the impact on harmful sites/apps/channels (scrapers, terrorists, etc.) and the third parties that enable them. In this case, AADC means increasing existing legal risks for apps and third parties, and the advertisers that use them, so should help push up the value of ads on legit sites. A lot of advertisers who get told they're reaching high-value adult audiences are really having their ads shown in apps for kids—if AADC makes that harder to do, it's good news for the legit sites that actually reach those adult audiences.
To review, the web ad crisis is more of a supply and demand story than a privacy story. We have a problem mostly because third parties can artificially increase the number of saleable ad impressions, by offering ads on content that no advertiser would choose to sponsor. Creepy trackers mostly aren't creepy because they want to be creepy, they're creepy because they want to sell some advertiser an ad impression they wouldn't otherwise buy. In general, regulations and tools that make third parties reduce the number of ad impressions they can sell are a step in the right direction.
No one law gets us all the way to the point where a fully-opted-out site is going to be viable on ad revenue alone, but it's a step.