An open laptop in a dark room.
Representation of an open laptop. DanFa/Pixabay


  • AB 2273 requires sites to "consider the best interest of child users"
  • Critics have questioned the "vague" aspects of the new law
  • Some say the requirements under the law are "impossible" to comply with

California Gov. Gavin Newsom has signed a new online data privacy law that would provide additional protection for minors using various sites and social media platforms. However, critics are raising concerns about the possible compliance issues some smaller sites may come across, which could lead them to compromise user anonymity.

Newsom's office said in a statement Thursday that the California Age-Appropriate Design Act Code, or AB 2273, "requires that privacy information, terms of service, policies and community standards be easily accessible and upheld – and requires responsive tools to help children exercise their privacy rights."

AB 2273 "requires online platforms to consider the best interest of child users and to default to privacy and safety settings that protect children's mental health and wellbeing," the statement said.

According to the new law, websites should limit the use of personal information provided by users under 18 and avoid collecting data related to children's geolocation unless it is "strictly necessary."

While some people have praised the law, critics and digital experts have raised concerns about the broad scope of the bill and how its compliance requirements could push smaller sites to use methods that could compromise the anonymity of users, both adults and children, the Verge reported.

Eric Goldman, a law professor at Santa Clara University School of Law, argued that AB 2273 could create "even greater privacy and security risks" as "it's typically impossible to do age-authentication without also doing identity-authentication."

In a blog post published Thursday, the professor pointed out that AB 2273 has "several radical policy ideas."

Since the law requires websites to "estimate the age of child users with a reasonable level of certainty," it appears that sites that cannot do so are at risk of liability, even if they do not have the tools to "estimate" user age, Techdirt blog editor Mike Masnick said.

Masnick further noted that the law is "impossible to comply with" due to its broadness.

To avoid being held liable for violations of the new law, some platforms may resort to using privacy invasive age-authentication policies, the Verge noted.

Set to take effect in 2024, AB 2273 has been met with criticism from digital experts, but children's rights groups have heaped praise on the legislation, the New York Times reported.

Companies will be fined up to $2,500 per affected child for negligent violations, while "intentional" violations may see up to $7,500 in fines per affected child.