The California Age-Appropriate Design Code Act Places New Obligations on Companies Collecting Information About Children Online

Saul Ewing LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Saul Ewing LLP

​On September 15, 2022, California Governor Newsom signed the California Age-Appropriate Design Code Act (the “Act”).  The Act takes effect July 1, 2024, and regulates the collection, storage, and transfer of children’s data by entities that provide online services, products, or features to children in California.

​What You Need to Know:

  • Starting July 1, 2024, businesses subject to the California Consumer Privacy Act (CCPA) that provide online services, products, or features to children may need to comply with the Act.
  • The Act expands upon existing minor data protection laws, such as California’s Parent Accountability and Child Protection Act and the federal Children’s Online Privacy Protection Act (COPPA).
  • The Act imposes significant new obligations and restrictions on businesses that provide an online service, product, or feature likely to be accessed by children under 18 years old.

On September 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (A.B. 2273) (the “Act”). The Act takes effect July 1, 2024, and regulates the collection, storage, and transfer of children’s data by entities that provide online services, products, or features to children in California. The Act intends to protect young people who are often subject to targeted online advertisements and increasingly use digital services for education, entertainment, and communication. The Act expands upon existing minor protection laws, such as California’s Parent Accountability and Child Protection Act and the federal Children’s Online Privacy Protection Act (“COPPA”). Businesses subject to the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) should review the requirements of the Act to determine what data protection measures should be updated. 

Applicability

The Act applies to businesses subject to the CCPA that are providing online services, products, or features to children. Under the CCPA, a covered business is defined as a for-profit entity doing business in California that collects the personal information of California residents and satisfies one of three requirements:

  • Has an annual gross revenue of more than $25 million; or
  • Purchases, receives for commercial purposes, sells, or otherwise makes available for commercial reasons, singly or in combination, the personal information of more than 50,000 customers, households, or devices; or
  • Generates at least 50 percent of its annual revenue from the sale of personal data.

Further, the Act applies to businesses that provide an online service, product, or feature likely to be accessed by children under 18 years old. “Likely to be accessed by children” means it is reasonable to expect, based on the following indicators, that the service, product or feature would be accessed by children:

  • It is “directed to children,” as defined by COPPA (note that COPPA applies to children under 13 while the Act applies to children under 18, which includes websites directed solely to teenagers).
  • It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.
  • It has advertisements marketed to children.
  • It is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children.
  • It has design elements that are known to be of interest to children (such as games, cartoons, music, and celebrities who appeal to children).
  • Based on internal company research, a significant audience of the online service, product, or feature is determined to be children.

Requirements of the Act

The Act imposes a number of obligations on covered businesses, including requiring all of the following:

  • Create a Data Protection Impact Assessment (“DPIA”) for every online service, product, or feature that is likely to be accessed by children. The DPIA must identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business. Covered businesses must complete DPIAs for current services, products, and features prior to July 1, 2024. In addition, covered businesses must complete a DPIA before any new features or online products and services that are likely to be accessed by children can be offered to the public. Each DPIA must be reviewed biennially for updates. A covered business must provide all completed DPIAs to the California Attorney General within five business days upon written request.
  • Configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, including, but not limited to, disabling features that profile children using their previous behavior, browsing history, or assumptions of their similarity to other children.
  • Estimate the age of users with a reasonable level of certainty appropriate to the risks that arise from the business’s data management practices, or apply the privacy and data protections afforded to children to all consumers. This estimate is required to determine if a covered business’s specific online service, product, or feature is likely to be accessed by children under 18 years old. In lieu of an estimate, the covered business can provide the protections required for children to all consumers. 
  • Provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature. The business’s policies must be enforced by the business.
  • If the online service, product, or feature allows the child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, the business must provide an obvious signal to the child when the child is being monitored or tracked.
  • Provide prominent, accessible, and responsive tools to help children, or - if applicable - their parents or guardians, exercise their privacy rights and report concerns.

Prohibited Activities of Covered Businesses

Covered businesses are not permitted to engage in any of the following:

  • Use the personal information of any child “in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child”;
  • Profile a child unless necessary to provide the online service or feature or if the business can demonstrate a compelling reason that the profiling is in the best interest of the child;
  • Collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, with limited exceptions;
  • If the end user is a child, use personal information for any reason other than the reason for which that personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of that child;
  • Collect, sell, or share any precise geolocation information of children by default, unless the collection of that precise geolocation information is strictly necessary for the business to provide the service, product, or feature;
  • Collect any precise geolocation information of a child without providing an obvious sign to the child that precise geolocation information is being collected;
  • Use dark patterns to lead or encourage children to provide personal information; and
  • Retain more information than necessary or use collected information for any other purpose than estimating age.

Implementation Guidance

The Act establishes the California Children’s Data Protection Working Group, which will study and report to the California legislature best practices for implementing the Act. The Working Group will be made up of experts in children’s data privacy, physical health, mental health and well-being, computer science, and children’s rights. 

Enforcement

Under the Act, the California Attorney General may subject a covered business to a civil penalty of up to $2,500 per affected child for negligent violations and up to $7,500 per affected child for intentional violations of the Act. The Act provides for a potential 90-day cure period if a covered business substantially complies with the Act. Note the Act does not create a private right of action.

Next Steps

Given that the Act imposes significant new obligations and restrictions on covered businesses, all organizations should determine if the Act applies to their products, services, and features. 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising

Written by:

Saul Ewing LLP
Saul Ewing LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Saul Ewing LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide