Age Verification Mandates Are Unconstitutional, Even for App Stores
App stores, like websites, don't actually know how old their users are and forcing users to identify themselves would deprive them of First Amendment rights to anonymity
Five major tech company CEOs will testify tomorrow at a Senate Judiciary Committee hearing on “Big Tech and the Online Child Sexual Exploitation Crisis.” The Committee has recently considered a slew of bills, but the most important discussion might be about something none of these bills require explicitly: age verification of users. Congress tried twice to force websites to age-verify users in the 1990s, but both laws failed in court on First Amendment grounds. A federal appeals court explained the problem back in 2008: such mandates “require adults to relinquish their anonymity to access protected speech” online.
A federal judge recently struck down a similar Arkansas law on the same grounds. Yet the idea just won’t die. Every few years, someone proposes the same idea with some new twist that doesn’t make the idea any more constitutional—and we have to rehash the reasons why nothing’s really changed.
The latest idea, and the one that may dominate this week’s hearing, came last fall from Facebook’s Global Head of Safety. She endorsed “federal legislation that requires app stores to get parents’ approval whenever their teens under 16 download apps … much like when parents are notified if their teen attempts to make a purchase.” Parents could, she suggested, “verify the age of their teen when setting up their phone, negating the need for everyone to verify their age multiple times across multiple apps.”
Joel Thayer and Kara Frederick claim that having app stores certify users’ ages to apps avoid the First Amendment problems inherent in earlier, broader age verification mandates. “Social media apps rely on users to self-certify their age when they create an account,” the two write, “but they can’t fully confirm that the user is being truthful—whereas Apple and Google know the precise age of the owner of the device.” In other words, they argue that mandatory age verification might be constitutional because it wouldn’t require collection of personally identifying information that isn’t already being collected. They claim that “all the law would have to require is for Apple and Google to give the app a thumbs up or thumbs down when a social media app asks to verify the device is owned by an adult or a child.”
Thayer and Frederick make the usual claims about Apple and Google being “dominant” in mobile operating systems, app stores, and browsers, as if that somehow means these companies must know “the precise age” of every user. But even a cursory examination of the setup process for new Apple and Android devices and for their app stores makes clear that neither company requires users to verify the birthdays they submit when they create an account. (Providing birthdays, without further verification, is all that Children’s Online Privacy Protection Act requires for “general audience” services that aren’t “directed to” children.) The app stores do require users to provide a credit card, but only in order to make purchases of, and within, apps. Furthermore, both companies allow users to pay with gift cards instead of credit cards. Those gift cards are widely available to purchase without any ID requirement.
Bottom line: you don’t have to provide a credit card to set up a phone or an app store account. And even if you did, being able to provide a credit card number doesn’t really prove age anyway. True, credit cards are often used under the COPPA to infer that a user is likely to be over the age of 13—but only because COPPA doesn’t actually require verification of age in order to establish what it calls “verifiable parental consent.” Increasingly, major banks allow parents to add their children under 13 as authorized users on their credit cards. So providing a credit card no longer proves that a user is over 13. Credit cards are even less useful for implying that a user is over 16, as many more older teens have credit cards.
Thayer and Frederick’s First Amendment argument presumes that app stores are somehow in a fundamentally different position from social media sites. In fact, they’re in exactly the same position: they don’t really know who the user of a device is, let alone how old they are. “On the Internet, nobody knows you’re a dog”—or a kid. The only party in the mobile device ecosystem who consistently collects precise age information are the mobile carriers—but even then, not always. Carriers collect valid government-issued identification from customers setting up new “postpaid” (pay-as-you-go) mobile data plans but not for prepaid phones.
In fact, mandating age verification for app stores is even more complicated than it would be for apps or websites themselves because users within a single family frequently share devices. Most devices used by children are, in fact, “owned” by adults. How many children under the age of 16 can really buy devices that cost several hundred—or more than a thousand—dollars on their own? So even if Apple and Google knew, with certainty, that certain owners were adults, this doesn’t actually prove anything about the user of a particular device.
Thayer and Frederick want to impose age verification mandates on app stores over social media platforms because each “social media company would no longer have to guess how old the user is, which limits, or even eliminates, the risk of denying an adult the ability to engage on American social media platforms.” But because app stores don’t already have the precise age information that Thayer and Frederick blithely claim they do, they would have to do one of two things.
App stores could require users to prove their exact age—which, in practice, means providing a government ID and, probably, taking some additional step to verify that the user is actually the person in the ID, such as a video chat. Whatever the means, any technology sufficient to prove precise age would force adults to—as the Second Circuit said of Vermont’s age verification mandate in 2003—“forgo the anonymity otherwise available on the internet.” Indeed, the courts have said the same even about having to provide a credit card, which doesn’t prove precise age but does identify a user.
App stores could try to guess users’ ages. There are many ways to do this but all raise the problem Thayer and Frederick note: denying some adults access to app stores until they identify themselves (return to step one).
The First Amendment law here is very clear. The First Amendment law on online anonymity is clear. One might wonder why the Judiciary Committee didn't invite any scholar to explain it—except the answer is obvious: they just don’t care what will happen in court. Instead, Senators will bombard the five tech CEOs about why they aren’t doing more to protect kids. Meta CEO Mark Zuckerberg will likely repeat what his top safety officer said last year—app stores should solve the problem for us—but without getting into specifics. Notably, neither Apple nor Google will be represented at the hearing, leaving no one to explain that neither app store has the kind of precise age information Thayer and Frederick claim they do. Expect more of the same Wednesday afternoon at an event hosted by Frederick’s employer as the Heritage Foundation continues its ideological war against large social media companies.
What won’t be mentioned at the hearing? The tools Google and Apple currently offer parents to protect their kids online: powerful controls built into their operating systems and app stores. Both companies empower parents, when setting up a device, to limit the user’s access to apps, games, and other digital content without their approval. Courts have consistently recognized such tools as “less restrictive means” and under clear, First Amendment case law, regulation must give way to them. The Supreme Court said as much in 2000 about far less robust parental controls that allowed parents to block pornographic cable channels: “It is no response that voluntary blocking requires a consumer to take action, or may be inconvenient, or may not go perfectly every time. A court should not assume a plausible, less restrictive alternative would be ineffective; and a court should not presume parents, given full information, will fail to act.”
So, too, here. Parental controls can always be improved. Perhaps there’s more Apple and Google’s systems could do to enable parents to protect their kids. But to avoid infringing the First Amendment rights of adults—to say nothing of the rights of teens—the Constitution requires starting with voluntary solutions like those the companies already offer, rather than adding onerous legal requirements. Far better that some parents choose not to use parental controls than that every adult be forced to give up their anonymity.
Finally, it’s ironic—if predictable—that Thayer and Frederick harp on the market dominance of Google and Apple. Forcing them to begin collecting identifying information about users would likely only solidify their dominance. Moreover, their proposal would actually help Google at Apple’s expense because Android, unlike iOS, allows users to “sideload” apps directly from the website and currently allows access to alternative app stores (though, of course, parents can block such sideloading). Teens would tend to prefer Android phones.