Testimony from:
Josh Withrow, Fellow, Tech & Innovation Policy, R Street Institute

In OPPOSITION to SB 844, the “Maryland Age-Appropriate Design Code Act.”

March 6, 2023

Maryland Senate Finance Committee

Chairwoman Griffith and members of the committee,

My name is Josh Withrow, and I am a fellow with the Technology and Innovation Policy team at the R Street Institute (“R Street”), which is a nonprofit, nonpartisan, public policy research organization. Our mission is to engage in policy research and outreach to promote free markets and limited, effective government in many areas, including the technology and innovation sector.

We are concerned that in pursuit of the principled goal of protecting children, SB 844 places a duty of care upon online services that would make it near impossible to know if they comply, and which would place unconstitutional burdens on both platforms’ and users’ freedom of speech.

Maryland’s Age Appropriate Design Code (AADC) Act, HB 901 and SB 844, is substantially similar to the law of the same name passed by California in 2022, which in turn is based on the British age-appropriate design code.[1] Notably, Maryland’s AADC specifically refers businesses covered by this law to “look to guidance and innovation” from its California and U.K. predecessors “when developing online products that are likely to be accessed by children,” effectively outsourcing the specifics of enforcement to those outside regulators.

Many of the AADC’s provisions deal with regulating the collection, storage, use and sale of data collected on minors. Like many other states, Maryland operates without a comprehensive data privacy and security law. While SB 844 mirrors the United Kingdom and California’s respective AADC laws, it is essential to note that the United Kingdom and California have comprehensive privacy and security laws to fill in any gaps. We firmly believe that Congress should act to preempt a patchwork of state comprehensive privacy laws, but acting on a narrower bill without broader protections is also problematic. In addition, should this bill motivate digital services to implement stricter age verification procedures, these may cause further data privacy and security concerns as websites—or the third-party services they employ—will have to process more personally identifying information.

As R Street has pointed out with respect to California’s AADC, the vagueness in defining terms that plagues much of the AADC’s text means that how the law will actually be enforced rests in the hands of bodies like California’s Children’s Data Protection Working Group and the California Privacy Protection Agency.[2] These outside regulators will determine, in the future, how to interpret whether online services that are “likely to be accessed by children” have considered “the best interests of children” in the design of their products, and what product designs are sufficient to prevent minors from being exposed to “potentially harmful” material. These definitions are so vague as to make advance compliance on the part of companies nearly impossible, yet they will be exposed to both private and state-led litigation accompanied by hefty financial penalties for failure to comply.

Partially because of this uncertainty, online services are incentivized to take countermeasures that are likely to restrict free speech online greatly. For example, although neither California’s nor Maryland’s AADC proposals explicitly mandate that websites enact strict age verification, both place online services in a dilemma that is likely to push them toward some form of age assurance in practice. SB 844 requires that either a service that is likely to be accessed by children must “estimate the age of child users with a reasonable level of certainty” or they must “apply to all consumers the privacy and data protections afforded to children.”

As internet law professor Eric Goldman warns, “Though age assurance may sound like a less demanding

requirement than age verification, in practice it is a distinction without a difference. Both age verification and age assurance require websites and apps to erect barriers before usage.”[3] The existing methods that websites can employ to estimate or verify age are all to some extent intrusive and imperfect, and all create a barrier to accessing a given website or app.[4]

California’s AADC is subject to First Amendment litigation for this very reason, and Maryland’s AADC would certainly be subject to similar legal challenges should it become law.[5] Courts have repeatedly found that age verification barriers are inconsistent with the First Amendment, because they restrict access to speech for adults and children alike.[6] The majority of the Communications Decency Act of 1996 was likewise struck down by the Supreme Court in part because the difficulty of age verification meant burdening access to web services for adults as well as for children.[7]

Maryland’s AADC is similarly likely to run afoul of the First Amendment due to its strong inducement for online platforms to over-censor content in order to avoid being penalized under the law’s vague concept of what might be harmful to minors. Every digital service is required to file a Data Protection Impact Assessment before introducing any new service that minors might conceivably access, which requires them to list even hypothetical risks “of material detriment to children” and to “mitigate or eliminate the risk before the online product is made available to children.” Under threat of massive fines for misjudging what may be considered “potentially harmful” to children, many platforms will certainly default to taking down all content on entire subjects, which is likely to remove self-help and educational material along with anything genuinely harmful.[8]

The Maryland AADC Act, like laws it largely copies from, is worthy in its intent and aim to address the real and significant problems raised by minors who come into contact with harmful content and individuals on the internet. However, the law is simply too vague for even the most conscientious online service to be able to comply with, and would thus pose a likely unconstitutional burden on both platforms’ and users’ rights to free speech. Thus, we ask that legislators oppose SB 844.

Thank you for your time,

Josh Withrow
Fellow, Technology & Innovation Policy
R Street Institute
(540) 604-3871
[email protected]

[1]  Assembly Bill No. 2273, The California Age Appropriate Design Code Act, California Legislature; “We Need to Keep Kids Safe Online: California has the Solution,” 5 Rights Foundation, last accessed March 3, 2023. https://californiaaadc.com; “Introduction to the Age appropriate design code,” U.K. Information Commissioner’s Office, last accessed March 3, 2023. https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code.

[2] Chris Riley, “Opportunities for Improvement to California’s Age-Appropriate Design Code and Similar Laws,” R Street Institute, Nov. 17, 2022. https://www.rstreet.org/commentary/opportunities-for-improvement-to-californias-age-appropriate-design-code-and-similar-laws.

[3] Eric Goldman, “Amicus Brief on the Constitutionality of the California Age-Appropriate Design Code’s Age Assurance Requirement (NetChoice v. Bonta),” Social Science Research Network, Feb. 24, 2023.   https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4369900.

[4] “Online age verification: balancing privacy and the protection of minors,” Commission Nationale de l’Informatique et des Libertés, Sept. 22, 2022. https://www.cnil.fr/en/online-age-verification-balancing-privacy-and-protection-minors.

[5] See NetChoice, LLC v. Bonta, U.S. District Court for the Northern District of California, Dec. 14, 2022. https://dockets.justia.com/docket/california/candce/5:2022cv08861/406140.

[6] Goldman. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4369900.

[7] Reno v. ACLU, 521 U.S. 844 (1997), U.S. Supreme Court, June 26, 1997. https://supreme.justia.com/cases/federal/us/521/844.

[8] Tamra Moore and Christopher P. Eby, “Amici CuriaeBrief of Chamber of Progress, IP Justice, and LGBT Tech Institute in Support of Plaintiff’s Motion for Preliminary Injunction,” King & Spalding LLP, March 1, 2023. http://progresschamber.org/wp-content/uploads/2023/03/AS-FILED-Ex.-A-Amici-Curiae-Brief-of-Chamber-of-Progress-et-al.-NetChoice-1.pdf.