Utah Legislature Passes Completely Unworkable App Store ‘Age Verification’ Bill
It’s not like we need any more of this sort of thing. COPPA (Children’s Online Privacy Protection Act) pretty much deters any app maker or social media service from catering to a very underage crowd. Compliance is difficult, if not impossible. But, all the same, it has deterred plenty of the worst developers in the world from exploiting the pre-teen demographic.
In Utah, that’s not enough. Now, it’s time to “protect” the age 13-18 group from their own actions. The bill [PDF], recently passed by the Utah legislature (and now headed for the governor’s desk), creates a private cause of action for parents of this subgroup of minors should app stores (and the developers of the apps they host) somehow fail to comply with a long list of impossibilities.
What I always find amusing to the point of nausea are things like this: the legislative presumption that it’s somehow possible to “verify” the ages of people who are too young to obtain legal forms of identification. But that’s what’s going on here, as the bill makes amply clear:
requires app store providers to:
● verify a user’s age category;
● obtain parental consent for minor accounts;
● notify users and parents of significant changes;
● share age category and consent data with developers; and
● protect age verification data
Some of this makes sense. Conscientious parents would appreciate any minor-affecting changes to terms of use agreements or further insight into how user data is collected/used. But it’s the first bullet point that’s a problem. You can’t verify “age category” without government documents that attest to a person’s age. And short of having every user upload a PDF of birth certificates, there’s no way to do this in a way that satisfies this bill’s vague demands for “verification.”
What this law is really about is giving parents leverage to sue app stores after their kid racks up $400 in Roblox purchases. That’s it. It serves no greater purpose than to alleviate parents of parental responsibility. While it does say things that sound like the sort of thing that should be said to the most exploitative of minor-targeting apps, most of this has already been said elsewhere in other laws.
There are some upsides, but they’re (excuse the pun) pretty minor when compared to the entirety of the bill. First, there’s a safe harbor provision for “compliant developers.” That this compliance will be defined by the same legislators that proposed this hot garbage isn’t exactly comforting, though.
Second, it does at least ensure the government doesn’t leave “compliance” completely up to the imaginations of app stores and developers. It does instruct the Division of Consumer Production to “establish standards for age verification methods.” That puts part of the compliance burden back on the government, where it definitely belongs. How can anyone “comply” when there are no specifications for “compliance?” Letting this law go into force before this guidance is in place is what’s commonly known as entrapment.
Back to the bad news:
…creates a private right of action for parents of harmed minors
This is all the bill does. In practice, that would mean awards of $1,000 per violation to any successful suing parent, along with legal fees. The bill does not allow the state to pursue legal action against app stores and developers. And if that last sentence sounds like adequate news, if not actual good news, it isn’t. It’s a dodge.
This makes it a “bounty” law. By doing so, it ensures the bill will have a much higher chance of surviving a legal challenge if it’s signed into law. This is the same playbook the Utah government used to keep its porn site age verification law from being blocked by federal courts. The argument — as weak as it is — appears to be working, so far. That argument is: if only private citizens can sue, it’s not really the government doing the enforcing of the law. And if the government isn’t enforcing it, suing the government doesn’t work because… well, it’s just private citizens taking private companies to court.
It’s bullshit. But it’s bullshit that works. And that sucks because the law, as written, is a vague, unworkable mess that requires minors to verify their age with documents they can’t possibly possess. And app stores shouldn’t be held responsible for purchases/contracts deployed by apps they host just because some kid has spent hundreds of their parents’ dollars on virtual goods. On top of that, app stores and developers have no way of knowing who’s using the devices accessing these apps. Plenty of minors use their parents’ devices to play games or access content. If the account has already been flagged (through whatever process) as belonging to an adult, app stores and developers aren’t going to restrict access and/or block purchases because they have no reason to believe a minor is utilizing that device or account.
This is stupid, performative crap that basically says parents who don’t pay attention to what their kids are doing can leverage their own negligence to extract money from tech companies. And all with the state’s blessing, even if the state is doing everything it can to pretend that passing laws that enable private legal actions is somehow not actually government imposition.