As the digital world becomes increasingly intertwined with the lives of young people, states are stepping into the regulatory void left by Congress, creating a complex and often contradictory legal landscape. We sit down with Donald Gainsborough, a leading voice in policy and legislation from Government Curated, to navigate the intricate challenges at the intersection of child safety, data privacy, and the First Amendment. Our discussion explores the real-world hurdles of implementing ambitious state laws, the consequences of federal inaction, the perilous trade-offs of age verification technology, and the ways artificial intelligence is supercharging the very problems lawmakers are trying to solve.
New York’s SAFE for Kids Act mandates certified age verification and bans notifications from midnight to 6 a.m. From a technical standpoint, what are the step-by-step implementation hurdles for platforms, and what metrics would prove these measures are actually effective in protecting minors?
The technical hurdles are monumental, and they start with the phrase “certified age verification.” Step one for a platform is that they can’t just ask for a birthday; they have to integrate a third-party system that the state has approved and that is audited annually. This means a complex and costly integration with an outside vendor, adding another potential point of failure and data exposure. Step two is the notification ban. This sounds simple, but it requires accurately knowing a user’s local time zone. A teenager in New York on vacation in California would get notifications blocked at 9 p.m. their time unless the system is sophisticated enough to track location dynamically, which opens up a whole other can of privacy worms.
But the biggest hurdle, step three, is de-personalizing the feed. A platform’s entire business model is built on an algorithmic, personalized feed. To comply, they would have to engineer a completely separate, chronological, or non-algorithmic version of their service just for users they identify as minors in New York. As for metrics of success, it’s not just about a platform checking a compliance box. True effectiveness would have to be measured by public health outcomes—a statistically significant decrease in teen depression or anxiety rates in New York, for instance. You could also use surveys to track whether teens report better sleep habits. The ultimate proof isn’t in a company’s report, but in the well-being of the kids the law is meant to protect.
The Kids Online Safety Act was amended to remove its “duty of care” provision, a move Rep. Castor called a “gift to Big Tech.” Can you share a specific example of platform behavior this provision would have addressed, and how its absence might influence the “patchwork” of state laws?
Absolutely. The “duty of care” provision would have fundamentally shifted the legal burden. Think about the way algorithms can create harmful feedback loops. A teen might watch one video about dieting out of simple curiosity. Without a duty of care, the platform’s algorithm, designed solely to maximize engagement, can interpret that interest as a signal to serve up more and more extreme content—calorie counting, “thinspiration,” and eventually, pro-anorexia material. The platform can currently argue it’s just a neutral conduit. A duty of care would have required them to “exercise reasonable care,” meaning their systems would have to be designed to recognize and break that dangerous chain of recommendations. They would have been legally responsible not just for the content, but for their role in amplifying it to a vulnerable minor.
Its absence at the federal level is a massive catalyst for the “patchwork” of state laws. With no federal standard, states like California or New York will feel compelled to write their own, even stronger, duty of care provisions. This creates a nightmare for platforms, which might have to comply with dozens of different definitions of “reasonable care.” As Representative Castor noted, this is a “gift to Big Tech” because it’s far easier for them to fight 20 different state laws in court, bogging them down for years, than it is to face one unified, strong federal standard. The chaos is, ironically, to their strategic advantage.
Paul Lekas warns age verification’s “robust data collection” creates targets for bad actors, while others worry about “fencing off the internet.” Could you detail the specific sensitive data collected during verification and share an anecdote illustrating how this could limit access to vital information for teens?
When Paul Lekas talks about “robust data collection,” he’s not just talking about a name and a birthdate. To create a system that truly can’t be tricked, you’re looking at collecting copies of government-issued IDs. This means a platform or its third-party verifier is storing a teenager’s full legal name, home address, date of birth, driver’s license number, and a high-resolution photograph. In some cases, it might even involve biometrics, like a facial scan to match the ID photo. This creates an unbelievably tempting target for hackers. A single data breach could expose the core identity documents of millions of young people.
To understand the “fencing off” risk, picture a 16-year-old in a state where gender-affirming care is being restricted. The internet may be their only safe space to find accurate information and connect with a support community. If accessing a forum on a major platform now requires them to upload their state-issued ID—which lists their assigned sex at birth and their home address—they may be terrified to do so. The fear isn’t just a hack; it’s the fear of creating a permanent, traceable record of their search for information that is politically charged in their community. They’re forced to choose between their safety and access to potentially life-saving resources. That’s not a protection; it’s a barrier.
Rep. Pallone noted that AI accelerates the exploitation of our data for invasive ads and design features. Can you describe a specific AI-driven design feature he’s referencing and explain, step-by-step, how it leverages a teen’s data to foster the kind of addictive behavior New York’s law targets?
Representative Pallone is pointing directly at the heart of the modern social media experience: the personalized, AI-driven infinite feed. Let’s walk through how it works. Step one is data collection: a teenager scrolls through their feed, and the AI is watching everything. It sees they pause for three seconds on a video about a social injustice, but only one second on a cat video. That “dwell time” is a data point. Step two is pattern recognition: the AI combines this with thousands of other data points—who they follow, what they’ve liked in the past, their location, even the time of day—and builds a sophisticated psychological profile. It learns what triggers an emotional response.
Step three is exploitation, which is where the addictive design comes in. The AI doesn’t just show them more content about that topic; it refines the feed to maximize that emotional response. If it detects sadness, it might push more melancholy content to keep them engaged in that emotional state. This creates a powerful feedback loop. The AI uses the teen’s own emotional data to make the platform feel indispensable and almost impossible to put down. This is the exact mechanism that New York’s law seeks to dismantle by prohibiting the use of a minor’s data for personalization, essentially taking away the fuel for the AI’s addictive engine.
What is your forecast for the ongoing battle between state-level regulation and the push for a federal data privacy standard?
My forecast is that the state-level patchwork will become significantly more complicated before it gets simpler. More states will follow New York’s lead, each with its own unique twist on age verification, algorithmic regulation, and data privacy. This growing complexity will dramatically increase compliance costs and legal risks for tech companies. Paradoxically, this state-led chaos is the most powerful force pushing us toward a federal standard. Eventually, the tech industry will find it more advantageous to lobby for a single, comprehensive federal law—even one they don’t love—than to navigate a minefield of 50 different regulatory regimes. The real battle then won’t be about whether to have a federal law, but about its substance: will it be a strong law that sets a high bar for privacy and safety, or will it be a weaker one designed to preempt the stronger protections that states have already put in place? The states are currently forcing the issue, and Congress will eventually have no choice but to respond.
