FPF Submits Comments to Inform California Children’s Social Media Protections Rulemaking Process
Co-authored by Jack Maketa, U.S. Legislation Intern
On June 30, the Future of Privacy Forum (FPF) submitted comments in response to the California Department of Justice’s (the Department’s) ongoing rulemaking process for the “Protecting Our Kids from Social Media Addiction Act” (the Act or SB 976). Signed into law in 2024, SB 976 bars operators of “addictive internet-based services” from providing an addictive feed to a user unless the operator reasonably determines the user is not a minor or, in the case of minors, obtains verifiable parental consent. The law also restricts notifications to minors during school and late-night hours; requires platforms to give parents tools to cap feed time, limit visibility of likes and other engagement metrics, and enable a “private mode”; and requires operators to annually disclose how many minor users they have and how many have parental consent on file. The law’s core provisions take effect on January 1, 2027. On May 15, the Department published a Notice of Proposed Rulemaking (NPRM) setting out draft regulations to guide business compliance with SB 976’s age assurance and parental consent requirements before the law takes effect.
FPF seeks to support balanced, informed public policy and equip regulators with the resources and tools needed to craft effective regulation. FPF submitted comments addressing three aspects of the NPRM.
1. Age Assurance
FPF encouraged the Department to consider the full range of age assurance methods and technologies available and maintain a flexible approach. The proposed regulations already lay out a performance-based framework for age assurance with a listed sampling of compliant methods for operator consideration. The proposed rules also identify both criteria for compliant age determinations (i.e., reasonably effective at determining users under 18, consistently measurable, and quantifiably testable) and insufficient methods. FPF recommended the Department review our infographic, Unpacking Age Assurance: Technologies and Tradeoffs, for more detail on how these methods work and their relative privacy and assurance tradeoffs. In particular, FPF flagged its 2026 updates to that resource, which—in line with the Department’s proposed approach—caution against relying on age declaration as a standalone solution, while noting that it can still be useful in a “waterfall” or layered approach. FPF suggests to the Department that inferential data can be a useful tool for affirming age in addition to disproving it.
2. Verifiable Parental Consent
FPF recommended that the Department consider a VPC framework that does not rely on an approved-methods list, addresses the potential for consent fatigue, and provides further illustrative guidance on consent revocation methods. SB 976’s proposed VPC requirements establish a two-step process: requiring operators to obtain a minor’s own permission before seeking parental consent, and then tying acceptable VPC methods to those already approved under COPPA, which is effectively dependent upon an ‘approved methods’ list. While the rules do direct operators to offer at least one VPC option that doesn’t require an account, a purchase, or government-issued ID—ensuring parents have access to a COPPA-compliant method that doesn’t require disclosing sensitive information—the Department may still need to address other persistent frictions noted in FPF’s VPC research to promote process and compliance efficiency.
Moreover, although additional consent processes may aim to provide minor control over parental releases and data disclosures in VPC efforts, stacking multiple consent prompts can contribute to consent fatigue, where users grow less attentive to each successive request. That risk may be compounded where the two-step process runs alongside other required consents, such as the opt-in consent teens must separately provide for the sale or sharing of their data under the CCPA.
To address these potential challenges in the Department’s proposed rules, FPF offered three considerations for mitigating these frictions:
- moving toward a criteria-based or updateable VPC standard rather than relying solely on COPPA’s static list of approved methods—since 2013 the FTC has approved only two new methods, with no new submissions since 2015;
- requiring clearer notice about why VPC data is collected, how it’s used, and how long it’s retained in order to ease consumer hesitancy;
- providing illustrative examples of compliant designs for the “as easy to use as” revocation standard, consistent with the Department’s approach elsewhere in the proposed rules.
3. Data Retention and Use Limitations
Finally, FPF recommended that the Department align the data retention and use limitations rules with the statutory requirements to better protect user privacy. The proposed regulations would require that data collected for age assurance be minimized to what’s necessary to comply with that section specifically, used for no other purpose, securely held, and deleted immediately once its compliance purpose is served. FPF appreciates the underlying data protection goals but notes that this language is narrower than the statute it implements, which could create unintended compliance outcomes.
The statutory text, Cal. Health & Safety Code § 27001(b), permits data collected for age assurance to be used for compliance with that chapter or with another applicable law and requires deletion once its compliance purpose is served. The proposed regulation omits the “another applicable law” language, limiting permitted use to compliance with SB 976 alone. That gap could create ambiguity about which standard governs, and could also work against the Department’s own goals: operators relying on the narrower regulatory text might need to run duplicative age assurance processes to satisfy other legal obligations, or could be precluded from using age data gathered under SB 976 to meet minor privacy or safety obligations elsewhere in the law.
FPF recommended that the Department either clarify its intent here or align the regulatory text with the broader statutory language.