Minnesota bill would do more harm than good to kids’ online safety

Opinion editor’s note: Star Tribune Opinion publishes a mix of national and local commentaries online and in print each day. To contribute, click here.

•••

Legislation under consideration in Minnesota that would require any website that may “reasonably likely be accessed” by minors to take certain steps to protect them would actually have severe unintended consequences affecting the privacy and security of both kids and adults.

While the authors’ goal is admirable, the reality of this legislation is troubling and falls short for a number of reasons.

Under the proposal, billed as the Age-Appropriate Design Code Act (HF 2257/SF 2810), companies with websites “likely to be accessed” by a minor (aka every website) will be forced to require proof of age. This may include a wide range of personal information such as birth dates, addresses, pictures and government IDs.

In practice, this legislation will result in every website amassing a massive trove of data on every one of its users — be they adults or children. This will be a ripe target for hackers and criminals. The fact that every website will have to comply means that the protection of users’ data is only as good as the weakest security of any single website they visit.

Data breaches have become more and more common. According to Flashpoint National Security Solutions’ 2024 Global Threat Intelligence Report, cyberattacks in 2023 resulted in the exposure of more than 17 billion personal records. What’s more, according to Javelin Strategy & Research, approximately 1.7 million children were affected by data breaches in 2022. With these cybercrimes on the rise, we must be cautious about collecting any more of our children’s personal information.

This could restrict young people’s access to perfectly age-appropriate content based on the opinion of that individual company.

Parents are in the best position to decide what is best for their children. It should be up to each family’s discretion to decide what kids see and post online to ensure the best outcomes for their education and overall well-being. To do this, platforms should enable tools to help parents manage this. Companies should perform risk-based impact assessments to ensure they are protecting young people’s data. And, we should empower the proper regulatory agencies to enforce legislation and ensure compliance.

Companies focused on their bottom lines will not be able or willing to protect kids from their own corporate biases, potentially empowering a slew of politically driven misinformation.

Notably, California recently passed its own version of legislation like this, which was swiftly blocked by a federal judge over concerns of First Amendment violations. Minnesota’s effort is sure to share a similar fate.

We all believe that protecting children is the highest priority, but this legislation is not a magic wand that will shield kids from harm. The Age-Appropriate Design Code Act would require companies to collect more of every Minnesotan’s personal information, putting their security at perilous risk in the ever more likely event of a cyberattack.