Nowhere are youth safety laws more in tension with youth privacy than in how the laws require and define the processes of age assurance. Whether by declaration, estimation or verification, implementing an effective age-gate depends on a mechanism for assessing user age. Implementing any such process, however, means balancing the reliability of the age assurance with interests of privacy and convenience. Legislators approach mandating a certain method with hesitancy, often opting instead for broader, vaguer language about how organization must age-gate their systems. For example, the California AADC requires a user's age to be estimated with a "reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers." Likewise, Arkansas' law requires a "reasonable age verification," but further clarifies that the platform must use a third-party vendor to conduct age verification. In addition to requiring either a digitized identification card or a government-issued ID, Arkansas specifies that a platform can implement "any commercially reasonable age verification method."

As introduced in recent Maryland legislation, affected platforms would be required to either estimate the age of "child users" with this same reasonable level of certainty or, by default, "apply to all consumers the privacy and data protections afforded to children," mirroring California's default protections approach. Texas' recently introduced SB 2164 comes close to defining a required age-assurance method in more specific terms, while remaining broad. The Texas bill would require any entity that performs "age verification" to "provide digital identification; or comply with a commercial age verification system that verifies age using: (A) government-issued identification; or (B) a commercially reasonable method that relies on public or private transactional data to verify the age of an individual."

Likewise, many recent legislative frameworks either directly or indirectly target the use of manipulative design practices, so-called dark patterns. Florida's law creates its own definition of dark patterns, while referring to U.S. Federal Trade Commission guidance. Connecticut's bill mirrors Florida's by requiring no provider "use any user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice," which includes the FTC definition of a dark pattern. Regulated entities in Florida may not use dark patterns to encourage children to yield personal information or "forgo privacy protections," or for any other purpose the platform is aware of (or willfully disregards) that would "result in substantial harm or privacy risk to children." While Connecticut uses nearly identical language, California's law asserts slightly different language to create a "materially detrimental" standard. Defining dark patterns and their subsequent harms is not a new challenge for privacy regulation. However, as noted in an amicus brief signed by the Chamber of Progress, IP Justice and LGBT Tech Institute, when dark patterns are too broadly defined, the legislation risks limiting popular and benign features like recommendations or autoplay algorithms.

Finally, youth privacy bills tend to focus on operationalizing strong default privacy settings if the user is within the protected age range or, sometimes, if their age is undetermined. The California AADC requires services accessed by children build in "by design and by default" protections against services that would profile children and offer detrimental material. These strong defaults are vaguely defined as "settings that offer a high level of privacy." Likewise, the AADC does not explicitly define what detrimental material is, nor what is materially detrimental. Maryland's proposed rule mirrors this exact language. More precise meanings for several of these critical terms will have to emerge through rulemaking. Beyond state-level laws, default settings continue to be a frequent battleground for youth privacy rights, as evidenced in the FTC’s recent suit and settlement with EPIC Games, which dealt with the "on-by-default" voice channels in EPIC's popular game, Fortnite.

The first question a judge asks about a First Amendment challenge is whether the conduct restricted by the challenged law counts as protected speech. Courts continually wrestle with determining what qualifies as speech in an online context.

In peeking at the merits of the case, Judge Freeman disposed of this question relatively quickly. As she explained, quoting Supreme Court precedent, "The question is whether the law at issue regulates expression ‘because of its message, its ideas, its subject matter, or its content." To answer this question, Freeman peeked at both the prohibitions and mandates of the AADC.

Importantly for First Amendment watchers, even the actions prohibited under the law, such as the "collection, sale, sharing, or retention of children’s personal information, including precise geolocation information, for profiling or other purposes" are deemed to be restrictions of speech. Freeman cited the 2011 Supreme Court case Sorrell v. IMS Health, which some privacy attorneys warn could set a precedent for invalidating data privacy laws on First Amendment grounds, depending on how it is applied. As Freeman explained, "[W]hether there is a general right to collect data is independent from the question of whether a law restricting the collection and sale of data regulates conduct or speech. Under Sorrell, the unequivocal answer to the latter question is that a law that—like the [AADC]—restricts the ‘availability and use’ of information by some speakers but not others, and for some purposes but not others, is a regulation of protected expression."

In looking at the actions mandated by the AADC, such as the DPIA requirement, the court again cited Sorrell. Freeman took issue with the law's application to only certain speakers, i.e., "only for-profit entities but not government or non-profit entities," and further concluded that the age estimation and privacy provisions "appear likely to impede the availability and use of information and accordingly to regulate speech."

If the law at issue is regulating speech, how much deference should the court give to the government? Different standards of judicial review apply depending on whether the regulation is content-based or content-neutral.

If a law targets speech "based on its communicative content," it is a content-based law that triggers an extremely skeptical review by courts known as "strict scrutiny." There are many exceptions to this rule because certain special category restrictions, covering content like commercial speech, fighting words, or obscenity, trigger other flavors of judicial review.

If the court determines strict scrutiny is not warranted, it will instead apply intermediate scrutiny. As a lower standard, intermediate scrutiny only requires the regulation to further an "important government interest" and that the means are "substantially related" to this interest. Often, fulfilling the second prong requires the regulation to leave "ample avenues for other communication" open.

Somewhat unexpectedly in the AADC case, Freeman applied a special type of intermediate scrutiny that governs "commercial speech." The analysis applied under this standard comes from the Central Hudson case. This slightly more elaborate standard essentially boils down to whether the government has a "substantial interest" that would be achieved through the speech restrictions at issue. From there, the government must show that these restrictions are not "more extensive than is necessary to serve that interest."

No one disputes the fact that "protecting the physical, mental, and emotional health and well-being of minors," as the state of California puts it in briefs, is an important government interest.

Given this context, though NetChoice argued the law does not describe a sufficiently concrete harm, the court recognized the evidence California provided in the case as sufficient. That is, children are harmed by design and privacy practices, and preventing this sort of harm is within the powers of the state. This is one area where California is unlikely to lose the case moving forward.

This is the part of the legal test that will likely determine the outcome of this case, as Freeman previews in her preliminary injunction.

Whether the court looks for the regulatory mechanisms to be "substantially related" to the government interest, as under intermediate scrutiny, or not be "more extensive than necessary to serve that interest," as under the commercial speech standard, this step of the analysis asks judges to look for a fit between the means and the ends of the law.

For the California AADC, Freeman's preliminary look at the case found the ends may not justify the means, not just for the most hotly debated parts of the law, but for every single provision she considered.

In reviewing the court's reasoning, excerpted below, it is important to keep in mind the primary purpose of this law is the safety of minors online, with privacy interests only secondarily invoked. For other laws, where the ends are targeted more specifically at privacy, the same type of analysis could result in different conclusions—because a fit between means and ends is important for First Amendment jurisprudence.

NetChoice claimed the AADC warrants strict scrutiny, the highest level of judicial review a constitutional challenge can prompt. It does so on multiple grounds, including on the basis that the law is a content-based restriction of speech. In her preliminary injunction, Freeman determined intermediate scrutiny is more likely to apply and, since she sees a likelihood that the law would not survive this scrutiny, the need to analyze it under a more exacting standard is nullified.

Yet, it is helpful to understand the different standard at issue for future free-speech cases, and how this has been applied in the past. Surviving strict scrutiny requires two basic elements, each slightly stronger than the standards for intermediate scrutiny. The government must demonstrate that the law at issue fulfills a "compelling government interest" and is "narrowly tailored" to suit this interest.

The U.S. Supreme Court previously resolved the tension between child safety and free speech in favor of free speech, either completely invalidating legal restrictions or revoking them only in part. The Supreme Court found sections of the Communications Decency Act to be unconstitutional in Reno v. ACLU, noting "although the Government has an interest in protecting children from potentially harmful materials … the CDA pursues that interest by suppressing a large amount of speech that adults have a constitutional right to send and receive."

The First Amendment rights of minors also have a significant legal history that bears on the government's interest. Traditionally, First Amendment rights are the same for minors and adults when the government seeks to control their access to speech. However, in Erznoznik v. City of Jacksonville, the court found that "only in relatively narrow and well-defined circumstances may government bar public dissemination of protected materials to (minors)." Likewise, the court in Reno placed narrow limits on the content that could be regulated to protect minors while still preserving their rights to free speech via access to the internet. In a recent decision, the court openly acknowledged the conflict between guardian and minor rights, with U.S. Supreme Court Justice Samuel Alito noting a student is "subject to whatever restraints the student’s parents impose, but (enjoys) the same First Amendment protection against government regulation as all other members of the public.”

Similarly, in Ashcroft v. ACLU the Court found the "universal restrictions" in the Child Online Protection Act were overbroad, and less restrictive means of enforcement were available, completely invalidating the law.

There are exceptions, however. In U.S. v. American Library Association, the Children's Internet Protection Act survived strict scrutiny. The court found that requiring libraries to place filters to prevent minors from accessing obscene materials met a compelling government interest and was sufficiently narrowly tailored.

As immortalized in New York Times Co. v Sullivan, the state cannot restrict speech before its publication. This prohibition on prior restraint is another foundational First Amendment principle. Courts nearly universally disfavor government attempts to block or prevent speech before it even occurs. Much of the previous prior restraint litigation has involved more traditional journalistic outlets, like the New York Times. However, the debate has become more contentious as social media platforms and other online providers grapple with the magnitude of their speech forums.

NetChoice's filing claims the age assurance methods required by the California AADC are an unconstitutional prior restraint of speech. NetChoice claims requiring users' ages to be verified preemptively restricts content and effectively chills speech that is not age appropriate. The complaint alleges the law will not only limit content for adult audiences but will also "infringe on protections for anonymous speech and deter users from services deploying the invasive age-verification mechanisms." This type of limitation, they argue, is barred by the First Amendment as prior restraint, which includes "state action designed to deputize private actors to serve as censors by proxy."

Alternatively, others argue the mechanisms that add friction in the name of youth privacy can have drastic chilling effects on speech and, regardless of the type of restriction, the restriction is a form of prior restraint. As legal scholar Eric Goldman noted in his brief for the NetChoice case, online users are incredibly sensitive when sites have barriers of access. If there is a delay or "latency" when a user attempts to access a site, "it would drive many users away," Goldman claimed. A court may not agree — or it just might.

Across NetChoice's filing and the supporting amicus briefs, advocates emphasized how the California AADC and other similar laws should be void for vagueness under the First Amendment. Specifically, NetChoice argued the restricted practices covered under the California AADC are too broad, and they "disallow a range of commonplace online speech" that may be otherwise benign. Some of these commonplace practices include providing user recommendations and sending automated email updates. NetChoice argued further that, without a clearer description of the law's key obligations for potentially affected providers, the attorney general is left with "virtually boundless discretion" for enforcement.

Generally, First Amendment challenges based on vagueness put forward a simple claim: far-reaching laws deter otherwise lawful speech by not being precise enough to provide adequate notice. In U.S. v. Williams, the Supreme Court describes an unconstitutionally vague law as one which either fails to provide fair notice or "is so standardless that it authorizes or encourages serious discriminatory enforcement."

Just as laws can limit the functionality of online providers through prior restraint, there are concerns that vague rules would over-censor content by restricting some of the functions or even the lawful content of a site. As the Court reflects in Butler v. Michigan, a regulation cannot "reduce the adult population (to) only what is fit for children." Much like how functions such as autoplay could be construed as "dark patterns" without more tailored or precise language, other basic content could be deterred by a vague requirement.

Legislation meant to serve a general protective purpose may unintentionally include speech that should not be restricted, based on the definition of harm. As the New York Times asserts in its brief, "The opportunity for abuse is obvious here." Especially in a patchwork system, regulators may vary on the degrees and definitions of what is potentially harmful. While the state may have a compelling interest in protecting children from the risks of being online, it must do so with precision and specificity to prevent the rule from being void for vagueness.

Children's Privacy topic page
On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to children’s privacy.
View here

Children’s Privacy and Safety
This textbook provides substantive background on children’s privacy, data protection and safety issues.
View here