The Age of Online Age Verification Begins. (Maybe?)

Photo credit: Kassandra Acuna, ESRB Privacy Certified

Like everyone else, we’ve been riding the generative AI rollercoaster, talking nonstop at conferences and meetings about what it means for the future of video games, privacy, and our Privacy Certified program. But no matter how head-spinning AI developments seem, there’s nothing like a major Supreme Court ruling, one that (presumably) was written by humans, to pull us into the present. Last week’s groundbreaking Supreme Court ruling upholding Texas’s age verification law for access to adult content in Free Speech Coalition v. Paxton demands attention now. Read on for a quick summary of the ruling and our thoughts on what this all means for video game companies and the ever-expanding patchwork of kids’ privacy, online safety, and social media laws.

The age of age verification begins: Online age verification mandates for kids and teens have been expanding around the globe for years. In the U.S., however, state efforts to impose such requirements have long clashed with the First Amendment. That may be changing. In a 6–3 opinion issued last Friday (the last day of this year’s term), the U.S. Supreme Court upheld a First Amendment challenge to a Texas law, H.B. 1181, which requires adult websites to implement age verification for sexually explicit content that is “harmful to minors.” The “harmful to minors” standard refers to “material that is obscene from the perspective of an average person considering the material’s effect on minors.”

Writing for the majority,  Justice Thomas stated that the states have the power to protect children from sexually explicit speech as a matter of “[h]istory, tradition, and precedent.” He declared that the “power to verify age is a necessary component” of that power and dismissed the idea that the Internet had any impact on the states’ traditional powers. Instead, the Court emphasized how modern technology, such as smartphones and instant streaming, permits minors to access “vast libraries” of online pornography easily in previously “unimaginable” ways, distinguishing today’s online environment from the context of the Court’s earlier decisions about minors’ access to online porn in Reno v. American Civil Liberties Union, 521 U. S. 844 (1997) and Ashcroft v. American Civil Liberties Union, 542 U. S. 656 (2004). In those cases, the Supreme Court blocked federal laws restricting online content for minors under the First Amendment, finding they burdened too much content for adults and that less restrictive alternatives were available.

Constitutional test: A central issue in the case focused on the proper level of constitutional scrutiny the Court should use to review the Texas law. The challengers and the dissent argued for the often “fatal” strict scrutiny test while Texas urged the Court to use the more lenient rational basis standard.  Recognizing that Texas’ age verification law does impose a burden on adults’ rights to view content harmful to minors (but which is fine for adults), the majority opted for intermediate scrutiny review.

A law can survive intermediate scrutiny if it “advances important governmental interests unrelated to the suppression of free speech and does not burden substantially more speech than necessary to further those interests.” Applying that standard the Court found that shielding children from sexual content qualified as an important interest and that Texas’ law was “adequately tailored” to that interest. “States have long used age-verification requirements to reconcile their interest in protecting children from sexual material with adults’ right to avail themselves of such material,” the Court explained, “H. B. 1181 simply adapts this traditional approach to the digital age.”

Adult access: Departing from decades of Supreme Court precedent, the Court held that adults do not have a First Amendment right to avoid age verification. Any burden experienced by adults in the Court’s view was only “incidental” to the statute’s regulation of activity that is not fully protected by the First Amendment. The Court distinguished its older decisions in Reno and Ashcroft as “categorically different” because they criminalized and banned both minors and adults from accessing speech that was, at most, obscene only to minors.

By contrast, the Court found that the Texas law does not ban adult access to lawful content – it simply imposes a verification step. The dissent, written by Justice Kagan, asserted that the majority’s distinction between bans and burdens should make no difference to the level of scrutiny, and argued that the Court should have applied strict scrutiny. But the majority declared, “[N]o person—adult or child—has a First Amendment right to access speech that is obscene to minors without first submitting proof of age.”

Verification methods: The Texas law does not mandate a specific form of age verification, instead requiring sites to use “reasonable age verification methods,” namely commercial age verification systems that authenticate government-issued identification or that rely on “public or private transactional data.”  The law also allows online pornography sites to perform the verification itself or through a third-party service. The Court called these approaches “plainly legitimate,” pointing out that both are established methods of verifying age already in use by many pornographic websites and other industries with age-restricted services.

Interestingly, the record from the lower court proceedings contained a discussion of whether other methods of age assurance, such as biometric facial analysis or credit card authentication, might qualify under the law. The Court did not address this issue directly, stating in a footnote that it was unnecessary to decide whether the Texas law would allow website operators to use “newer biometric methods of age verification, like face scans” because Texas is not required to use the least restrictive means to satisfy intermediate scrutiny.

Privacy Concerns Dismissed: The Court gave the challengers’ privacy arguments short shrift. It acknowledged that age verification may require users to scan a driver’s license or submit personal information to a third party but concluded that the privacy risks were minimal. Justice Thomas wrote that the online pornography websites and third-party service providers with which the website contracts would have “every incentive to assure users of their privacy.”

From our perspective, however, the Court failed to consider the very real privacy and security risks that exist in the digital world. Justice Thomas seemed to envision online age assurance as analogous to the brief and ephemeral ID checks that take place, for example, in liquor stores. There, purchasers usually present their physical IDs for a clerk’s brief look and then put them back in their wallets. That process might truly present only an “incidental burden” to adults, at least to those with government-issued ID. The online context is different. In the absence of strong privacy protections, the online site or service or the age verification provider could sell, share, or misuse the purchaser’s ID or other personal information collected with the verification. If retained, the data could be exposed in a breach, like the massive one that exposed nearly 11 billion records from the adult video streaming website CAM4 in 2020. (The breached records included sensitive information, such as full names, email addresses, sexual orientation, chat transcripts, email correspondence transcripts, password hashes, IP addresses, and payment logs.)
There are, of course, privacy-protective ways to conduct age assurance, and laws and best practices around data collection, use, sharing, and retention, as well as strong data security safeguards, could mitigate much of the risk. But the Court’s opinion simply ignores those issues.

Potential Privacy/Safety Consequences: Paxton marks the first time the Court has upheld an age verification law in the digital sphere.  Although the Court’s ruling applies only to adult content, its rationale could extend beyond pornography.  Indeed, the Court observed with approval, that, “Requiring age verification is common when a law draws lines based on age.” It reasoned that Texas, like many states, requires proof of age to obtain a handgun license, register to vote, and to marry and therefore declared –  “In none of these contexts is the constitutionality of a reasonable, bona fide age-verification requirement disputed.”

The decision is likely to encourage states that have passed (or are considering passing) laws requiring minors to obtain parental consent or verify age to access social media platforms or other online content so long as those laws don’t fully ban access for adults. It could support states developing age assurance and age signal mandates for privacy compliance as long as they are “appropriately tailored” and do not amount to outright bans for adults. The level of legal scrutiny (and the corresponding outcome) might be different for platforms that contain or host protected speech or broader content. Nonetheless, the Court’s endorsement of age verification suggests that states now have a clearer constitutional path forward to adopt and implement child privacy and safety laws that contain age assurance requirements.
• • •

As senior vice president of ESRB Privacy Certified (EPC), Stacy Feuer ensures that member companies in the video game and toy industries adopt and maintain lawful, transparent, and responsible data collection and privacy policies and practices for their websites, mobile apps, and online services. She oversees compliance with ESRB’s privacy certifications, including its “Kids Certified” seal, which is an approved Safe Harbor program under the Federal Trade Commission’s Children’s Online Privacy Protection Act (COPPA) Rule. She holds CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals.