Age-verification legislation discourages data minimization, even when legislators don’t intend that
Data minimization is the principle that reducing the amount of data collected in the first place, to the extent it is possible, reduces pursuant risk. At the very least, the principle holds that data should be deleted promptly after it is acquired for a specific use. The wisdom of this approach is that it lessens the potential for data breaches.
This ought to be the standard for age-verification legislation. Unfortunately, the age-verification process will require the collection of sensitive information such as government IDs or biometrics like face scans. And, even where not explicitly required or even where legislation encourages data minimization in age-verification processes, if platforms are going to be punished in any way for not collecting or maintaining that data, then those provisions encouraging minimization are moot. Companies may need more data to build their features or technologies and may choose to keep more data, but actively punishing them for trying to reduce data collection is another matter.
And companies recognize these risks. Wikipedia has declared that it will not comply with age-verification checks. According to the BBC, “Rebecca MacKinnon, of the Wikimedia Foundation, which supports the website, says it would ‘violate our commitment to collect minimal data about readers and contributors.’”
Here, the Protecting Kids on Social Media Act is once again relevant. If the legislation is enacted, a platform may choose not to operate in the pilot program but instead use another age-verification provider. In this case, the legislation requires that the platforms not use any data collected for the purposes of age verification for any reason “except to the extent necessary to prove that the platform has taken reasonable steps to verify the age of the user.” But the Federal Trade Commission recognizes that data is regularly collected for one purpose and used for another. The same requirements are written in regard to verifying consent from parents that their children may use social media. It is worth noting that the legislation provides a sunset for the pilot program, at which time—if the program is not renewed—platforms will be expected to rely exclusively on other private methods.
With this language, it is clear that the authors of the legislation realize the issues of creating honeypots of personal data. But the act hand-waves away the core problem: Of course they’re going to retain personal information to prove compliance rather than risk not being able to prove compliance and face penalties. And the same amount of information necessary to verify age and parental approval will be necessary to ensure compliance with the law. That means platforms may be functionally obligated to keep databases of user government IDs, face scans, addresses and more.
And the Protecting Kids on Social Media Act isn’t the only legislation that poses an issue. Technology experts have noted that the California Age-Appropriate Design Code Act (AADC) would force certain companies to collect far more data about users than they otherwise would. Indeed, every website will have to verify user age before allowing people to access their sites—or treat all users like children. Further, it is important to note the lack of difference between “age assurance” and “age verification.” As one scholar put it, “the AADC’s purported ambition to protect children’s privacy is in complete tension with its age-assurance requirement,” in part because it “makes it easy for malefactors to prey on children’s underdeveloped digital skills by getting them to reveal private and sensitive information through illegitimate age-assurance processes.” This often holds true for other age-verification laws as well.
Age-verification legislation too often encourages private companies to collect and maintain more data than they otherwise would. Lawmakers need to grapple with the security risk that discrepancy creates.
This is part of the series: The Fundamental Problems with Social Media Age-Verification Legislation.