R Street Institute
Testimony

Testimony in Opposition to SB 571, the “Consumer Protection-Online Products and Services-Data of Children (Maryland Kids Code)”

by Josh Withrow
Feb 13, 2024
Print
issues: Northeast, Online Content Policy, State Policy, Technology and Innovation

Testimony from:
Josh Withrow, Fellow, Tech & Innovation Policy, R Street Institute

Testimony in Opposition to SB 571, the “Consumer Protection-Online Products and Services-Data of Children (Maryland Kids Code)”

February 13, 2024

Maryland Senate Finance Committee

Chairwoman Beidle and members of the committee,

My name is Josh Withrow, and I am a fellow with the Technology and Innovation Policy team at the R Street Institute (“R Street”), which is a nonprofit, nonpartisan, public policy research organization. Our mission is to engage in policy research and outreach to promote free markets and limited, effective government in many areas, including the technology and innovation sector.

We are concerned that in pursuit of the worthy goal of protecting children, SB 571 places a duty of care upon online services that would make it nearly impossible to know if they comply, and which would place unconstitutional burdens on both platforms’ and users’ freedom of speech.

SB 571 and its companion, HB 603, are substantially similar to last year’s proposed Maryland’s Age Appropriate Design Code (AADC) Act and would still be entered under that name in statute. Much of the legislation is borrowed from the law of the same name passed by California in 2022, which in turn is based on the British age-appropriate design code.[1]  Notably, Maryland’s AADC specifically refers businesses covered by this law to “look to guidance and innovation” from its California and U.K. predecessors “when developing online products that are likely to be accessed by children,” effectively outsourcing the specifics of enforcement to those outside regulators.[2] 

Many of the AADC’s provisions deal with regulating the collection, storage, use and sale of data collected on minors. Like many other states, Maryland operates without a comprehensive data privacy and security law. While SB 571 mirrors the United Kingdom’s and California’s respective AADC laws, it is essential to note that the United Kingdom and California have comprehensive privacy and security laws to fill in any gaps. We firmly believe that Congress should act to preempt a patchwork of state comprehensive privacy laws, but acting on a narrower bill without broader protections is also problematic. In addition, should this bill motivate digital services to implement stricter age verification procedures, these may cause further data privacy and security concerns as websites—or the third-party services they employ—will have to process more personally identifying information.[3]

As R Street has pointed out with respect to California’s AADC, the vagueness in defining terms that plagues much of the AADC’s text means that how the law will actually be enforced rests in the hands of bodies like California’s Children’s Data Protection Working Group and the California Privacy Protection Agency.[4] These outside regulators will determine, in the future, how to interpret whether online services that are “likely to be accessed by children” have considered “the best interests of children” in the design of their products, and what product designs are sufficient to prevent minors from being exposed to “potentially harmful” material. These definitions are so vague as to make advance compliance on the part of companies nearly impossible, yet they will be exposed to state-led litigation accompanied by hefty financial penalties for failure to comply.

Partially because of this uncertainty, online services are incentivized to take countermeasures that are likely to restrict free speech online greatly. For example, although neither California’s nor Maryland’s AADC proposals explicitly mandate that websites enact strict age verification, both place online services in a dilemma that is likely to push them toward some form of age assurance in practice. SB 571 does improve upon last year’s version by specifying that it should not “be interpreted or construed to… require a covered entity to implement an age-gating requirement.”

In practice, however, it is likely that the vagueness of what makes a site “reasonably likely to be accessed by children” will lead to many covered platforms feeling obliged to enact age-gating even in the absence of a hard mandate that they do so. The existing methods that websites can employ to estimate or verify age are all to some extent intrusive and imperfect, and all create a barrier to accessing a given website or app.[5] 

Maryland’s AADC is likely to run afoul of the First Amendment due to its strong inducement for online platforms to over-censor content in order to avoid being penalized under the law’s vague concept of what might be harmful to minors. Every digital service is required to file a Data Protection Impact Assessment within 90 days of introducing any new service that minors might conceivably access, which requires them to “determine whether the online product is designed and offered in a manner consistent with the best interests of children.” Under threat of massive fines for misjudging what may be hypothetically not in the best interests of children, many platforms will certainly default to taking down all content on entire subjects, which is likely to remove self-help and educational material along with anything genuinely harmful.[6]

This pressure to over-censor content is a core flaw with the very design concept of the Age Appropriate Design Code. The British law from which the AADC derives did not need to consider the First Amendment’s stringent protections of freedom of access to speech, but a U.S. law does. California’s AADC is already under injunction, with a District Court judge ruling that it is likely to be found in violation of the First Amendment because of the pressure it creates for platforms to censor otherwise legal content.[7] This legislation would almost certainly attract a similar constitutional challenge, at great cost to Maryland taxpayers.

The Maryland Kids Code, like laws it largely copies from, is worthy in its intent and aim to address the real and significant problems raised by minors who come into contact with harmful content and individuals on the internet. However, the law is simply too vague for even the most conscientious online service to be able to comply with, and would thus pose a likely unconstitutional burden on both platforms’ and users’ rights to free speech. Thus, we ask that legislators oppose SB 571.

Thank you for your time,

Josh Withrow
Fellow, Technology & Innovation Policy
R Street Institute
(540) 604-3871
[email protected] 

[1]  Assembly Bill No. 2273, The California Age Appropriate Design Code Act, California Legislature; “We Need to Keep Kids Safe Online: California has the Solution,” 5 Rights Foundation, last accessed March 3, 2023. https://californiaaadc.com; “Introduction to the Age appropriate design code,” U.K. Information Commissioner’s Office, last accessed March 3, 2023. https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code.

[2] Senate Bill 571, Maryland Kids Code, General Assembly of Maryland. https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/sb0571?ys=2024RS 

[3] Shoshana Weissmann, “The Fundamental Problems with Social Media Age Verification,” R Street Institute, May 16, 2023. https://www.rstreet.org/commentary/the-fundamental-problems-with-social-media-age-verification-legislation/.

[4] Chris Riley, “Opportunities for Improvement to California’s Age-Appropriate Design Code and Similar Laws,” R Street Institute, Nov. 17, 2022. https://www.rstreet.org/commentary/opportunities-for-improvement-to-californias-age-appropriate-design-code-and-similar-laws.

[5] “Online age verification: balancing privacy and the protection of minors,” Commission Nationale de l’Informatique et des Libertés, Sept. 22, 2022. https://www.cnil.fr/en/online-age-verification-balancing-privacy-and-protection-minors.

[6] Tamra Moore and Christopher P. Eby, “Amici Curiae Brief of Chamber of Progress, IP Justice, and LGBT Tech Institute in Support of Plaintiff’s Motion for Preliminary Injunction,” King & Spalding LLP, March 1, 2023. http://progresschamber.org/wp-content/uploads/2023/03/AS-FILED-Ex.-A-Amici-Curiae-Brief-of-Chamber-of-Progress-et-al.-NetChoice-1.pdf.

[7] “Order Granting Motion for Preliminary Injunction,” Case No. 22-cv-08861-BLF, U.S. District Court Northern District of California, SanJose Division, https://netchoice.org/wp-content/uploads/2023/09/NETCHOICE-v-BONTA-PRELIMINARY-INJUNCTION-GRANTED.pdf.