On August 29, 2022, the California Age-Appropriate Design Code Act (the Act) was unanimously approved by the California State Senate. It now awaits Governor Gavin Newsom’s signature. Given that the Act had also passed unanimously through the State Assembly, it seems likely that it will be signed into law. Businesses that have been preparing for compliance with the California Privacy Rights Act (CPRA) (which goes into effect on January 1, 2023) should simultaneously assess what steps they need to take to comply with the Act (most of which goes into effect on July 1, 2024), including potential compliance steps that can be addressed in parallel for both laws.
The Act applies to any business that provides an online service, product or feature (Online Service) likely to be accessed by children under 18. The Act was inspired by the UK Age-Appropriate Design Code for Online Services and imposes a number of affirmative requirements on businesses in addition to prohibiting certain data practices. If enacted as passed, the Act will impose burdensome obligations on covered businesses, including those around Data Protection Impact Assessments (DPIA), default settings and transparency requirements. In addition, the broad language of the Act will make designing compliance programs challenging, and there is no guarantee that the California attorney general (AG) will issue regulations clarifying the Act’s obligations.
We have provided additional details below on what is required under the Act. We are happy to answer any questions your business may have regarding compliance with the Act or the CPRA.
Key Takeaways and Affirmative Obligations
- Potential for a “California Effect”: The Act is the latest illustration of the “California Effect,” through which California laws and regulations may influence the direction taken by lawmakers and policymakers in the rest of the country. Companies that are subject to the Act will want to think about whether it makes sense—for operational, compliance and reputational reasons—to extend similar protections to children outside of California. In addition, companies should be thinking about whether this principle-based approach, which is focused on acting in the “best interests of the child,” could be mirrored for other groups of users.
- Protects Children Under 18: The Act is a notable departure from the Children’s Online Privacy Protection Act (COPPA) in a number of ways, including that it provides protections to children under 18 (as opposed to 13, as is the case with COPPA).
- “Likely to Be Accessed by Children”: According to the Act, “likely to be accessed by children” means that it is reasonable to expect, based on certain indicators, that the Online Service would be accessed by children. Although the indicators that businesses will need to consider are similar to what they would have had to consider under COPPA, they now must determine whether their services are likely to be accessed by a much broader age demographic.
- Age Estimation: One likely effect of the law is that more and more Online Services will either age-gate users or collect additional information in order to estimate the age or age range of users. The Act prohibits any personal information collected for these purposes from being used for any other purpose, and such information may be retained only for as long as needed to estimate age. In addition, age assurance must be proportionate to the risks and data practices of the Online Service.
- DPIA: Prior to offering new Online Services that are likely to be accessed by children, a business must complete a DPIA and maintain documentation of the assessment for as long as the Online Service is likely to be accessed.
  - All DPIAs must be reviewed biennially and, among other things, must identify the purpose of the Online Service, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business.
  - To the extent applicable, DPIAs must examine the risk of a wide variety of harms, including exposure to harmful content, the potential for targeting by harmful contacts, and exploitation.
  - After conducting the DPIA, businesses are required both to document any identified risk of material detriment to children and to create a timed plan to mitigate or eliminate the risk before the Online Service is accessed by children.
  - DPIAs conducted for the purpose of compliance with other laws will be sufficient as long as the DPIA meets the requirements of the Act.
  - Within three business days of a written request from the California AG, businesses must provide a list of all the DPIAs that have been completed.
  - Upon a written request from the California AG, businesses must share DPIAs within five business days of the request. Notably, DPIAs are protected as confidential and are exempt from public disclosure. Additionally, to the extent that information in DPIAs is privileged or subject to work product protection, disclosure to the California AG does not constitute a waiver of privilege.
- Privacy Protective Default Settings: Default privacy settings for children must offer a high level of privacy unless the business can demonstrate a compelling reason for why a different setting would be in the best interests of children.
- Age-Tailored Transparency Requirements: Privacy information, terms of service, policies and community standards must be provided concisely, clearly, prominently and in a way that is suited to the age of the children likely to access the particular Online Service.
- Monitoring Signals: When parents, guardians or any other consumers are able to monitor a child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked.
- Easy User Reporting: Businesses must provide prominent, accessible and responsive tools to help children or their parents or guardians exercise their privacy rights and report concerns.
- Attorney General May Issue Regulations: Although the Act provides that the California AG may solicit broad public participation and adopt regulations, the AG is not required to do so. Furthermore, there is no indication in the law as to what topics the regulations, if promulgated, would cover.
- California Children’s Data Protection Working Group: This working group will be created in order to deliver a report to the Legislature regarding best practices for the implementation of the Act.
- Enforcement and Penalties: Violators will be subject to an injunction and liable for a civil penalty (enforced by the California AG) of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation.
- No Private Right of Action: Although the Act explicitly states that nothing should “be interpreted to serve as the basis for a private right of action,” we may still see creative efforts to bring charges under this law.
- 90 Days to Cure: A business will not be liable for a civil penalty for violations that it has cured if the business (i) cures within 90 days of receiving notice from the California AG of alleged violations and (ii) provides the California AG with a written statement that alleged violations have been cured and that sufficient measures have been taken to prevent future violations.
- Health of the Child: Businesses cannot use the personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health or well-being of a child. Key questions will be what rises to the requisite level of knowledge for a business and what constitutes material detriment to a child.
- Profiling: Businesses cannot profile a child by default unless the business has appropriate safeguards in place or (i) profiling is necessary to provide the Online Service with respect to the aspects of the Online Service with which the child is actively and knowingly engaged or (ii) a compelling reason as to why profiling is in the best interests of children can be demonstrated.
- Limitations on Collecting, Selling, Sharing and Retaining Personal Information: Businesses cannot collect, sell, share or retain any personal information that is not necessary to provide an Online Service absent a compelling reason that the aforementioned activity is in the best interests of children likely to access the Online Service.
- Limitations on Collecting, Selling or Sharing Geolocation Information: Businesses cannot (i) collect precise geolocation information regarding a child without providing an obvious sign for the duration of the collection or (ii) collect, sell or share any precise geolocation information regarding children by default unless strictly necessary for the business to provide the Online Service and only while the collection of precise geolocation information is necessary to provide the service, product or feature.
- Dark Patterns: Businesses cannot use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that Online Service, or to take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health or well-being.