On Sept. 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act, A.B. 2273 (CAADCA) into law, which goes into effect July 1, 2024. CAADCA is California’s most recent privacy law, following the California Privacy Rights Act of 2020 (CPRA), which modifies and extends the California Consumer Protection Act of 2018 (CCPA). CAADCA seeks to protect children accessing the internet by restricting certain actions of businesses that provide an online service, product, or feature likely to be accessed by them. It cites the increasing amount of time that children spend interacting with the internet and raises concerns for the negative impact that the online world has on their well-being. Covered businesses which violate CAADCA will be subject to a $2,500 penalty per affected child for each negligent violation or a $7,500 penalty per affected child for each intentional violation.

APPLICABILITY

A “covered business” under CAADCA is any entity that is subject to CCPA and provides an online service, product, or feature that is likely to be accessed by children. “Likely to be accessed by children” means it is reasonable to expect that the online service, product, or feature would be accessed by children because:

1. it is directed to children as defined by the Children’s Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.) (COPPA);
2. it is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
3. it is associated with advertisements marketed to children;
4. it is substantially similar or the same as an online service, product, or feature described in subparagraph (b);
5. it has or contains design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children; or
6. it is determined, based on internal company research, that a significant amount of the audience will be children.

Broadband internet access services, telecommunications services, and the delivery and use of a physical product are exempt from these requirements.

COPPA v. CAADCA

CAADCA will require covered businesses to comply with several new requirements and restrictions, and goes further than current federal legislation, COPPA, in several ways. Most notably, there is a significant difference in how each law defines a child. COPPA defines a child as an individual under the age of 13, whereas CAADCA extends protections to children under the age of 18. Under CAADCA, covered businesses will have to “estimate the age of child users with a reasonable level of certainty,” but does not describe how companies will achieve this. Whereas COPPA does not require a covered business to determine a child’s age unless they have actual knowledge that children’s information has been collected, which requires verifiable parental consent. Both laws also vary their limits on data collection. CAADCA requires data collection to be reasonably necessary to provide the product or service, unlike COPPA, which restricts data collection without notice and verifiable parental consent. CAADCA’s applicability is also much broader than COPPA, which applies to businesses that direct their services to children or those that have actual knowledge that a user is a minor, whereas CAADCA applies to businesses that develop and provide online services, products, or features children are “likely” to access.

CAADCA extends beyond COPPA by also having specific requirements for the collection of precise geolocation, default privacy settings, and language of certain privacy information. A covered business must provide an obvious sign to the child for the duration of the collection that the business is collecting their precise geolocation. Covered businesses will also be required to provide an obvious sign to the child if the product or service allows a parent, guardian, or any other consumer to monitor the child’s activity or track their location for the duration of the monitoring. CAADCA will require covered businesses to configure the default privacy settings provided to children to settings that offer a “high level of privacy,” unless a business can demonstrate a compelling reason that a different setting is in the child’s best interest. CAADCA will require any privacy information, terms of service, and other similar policies to be written in clear language, suitable to the age of the child likely to access the site.

RESTRICTIONS

Under CAADCA, covered businesses have certain restrictions relating to the collection and use of children’s personal information (as defined by CCPA and CPRA). Covered businesses will be prohibited from using any personal information that it knows or should know is materially detrimental to a child’s physical or mental health and/or wellbeing. Covered businesses are also restricted from processing personal information to cluster children by interests, behavior, location, and movement (“profiling”). However, covered businesses may engage in profiling if the business can demonstrate it has appropriate safeguards to protect children, the profiling is necessary to provide the business’s online service or product, and the business can demonstrate a compelling reason that the profile is in the best interest of the child.

Similar to CCPA, CAADCA has privacy related restrictions such as not collecting, selling, sharing, or retaining any personal information that is not reasonably necessary or using such information for reasons other than for which that information was collected. Covered businesses will be prohibited from collecting, selling, sharing, or retaining any child’s personal information unless it is in the best interest of the child. CAADCA also prevents any covered businesses from obscuring user interface features to deliberately defeat consent or manipulate children into providing unnecessary personal information (“dark patterns”).

CAADCA COMPLIANCE

Under CAADCA, covered businesses will be required to complete a Data Protection Impact Assessment (DPIA) for any new feature they wish to offer to the public if it is “likely to be accessed by children.” The DPIA must identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business. Specifically, a DPIA will determine if any dark patterns are employed, if there is an asymmetrical reward system (e.g., in-app upgrades for extended use of the product or service), or if targeted advertisements are deployed in a way that could harm or exploit children. The DPIA must be biennially reviewed, and covered businesses must maintain these DPIAs as long as the feature is likely to be accessed by children. DPIAs must be made available to the Attorney General within five business days after a written request is made.

THE FUTURE OF CHILDREN’S PRIVACY

The future of CAADCA is not entirely clear. On Dec. 14, 2022, NetChoice, an umbrella organization of tech companies including Google, Amazon, Meta, Twitter, and TikTok filed a complaint against the California Attorney General alleging constitutional violations, including preemption by COPPA. As of now, CAADCA will become effective on July 1, 2024, and there is no indication the law will be stayed. As such, covered businesses and potentially covered businesses should begin the implementation process, including evaluating children’s privacy protections, ensuring privacy considerations are incorporated early on within the product or software development lifecycle, providing the most restrictive privacy settings by default, implementing age gates for certain content, conducting a data inventory and mapping of your product, service, or feature, and working with experienced privacy attorneys to develop and complete the DPIA process.

In addition to CAADCA, there were several state and federal bills introduced in 2022 that may greatly impact children’s online privacy if they become law in 2023. At the federal level, the Kids Online Safety Act, S. 3663 (KOSA) and Children and Teens’ Online Privacy Protection Act, S. 1628 (COPPA 2.0) advanced with bipartisan support out of the Senate Commerce committee and are awaiting a vote on the Senate floor. KOSA would create a duty of care for social media platforms to prevent and mitigate harm to minors, require them to put the strictest privacy setting in place as the default for users, and provide parents or guardians with safeguards. While COPPA 2.0 would expand COPPA to include protections for minors aged 13 to 16 and add new protections such as a ban on targeted advertising to minors. The Federal Trade Commission (FTC) may also finally revise the COPPA Rule after receiving 175,000 public comments in 2019 but are reportedly awaiting legislative action first before enacting any updates, indicating there will likely be major revisions to come in 2023. Both New Jersey, AB 4919, and New York, S 9563, introduced bills that were inspired by CAADCA and restrict how children and other users interact with online services.

Nelson Mullins Riley & Scarborough closely follows developments relating to privacy and cybersecurity.