California poised to enact broad, new restrictions on online services with under-18 users

Hogan Lovells

The California Senate Appropriations Committee has advanced the California Age-Appropriate Design Code Act, AB 2273, which could significantly impact many online service providers. Modeled on the UK’s Age Appropriate Design Code, AB 2273 would impose data protection obligations and other restrictions on businesses that provide an “online service, product, or feature likely to be accessed by children.” In a significant shift from the current framework under the federal Children’s Online Privacy Protection Act (COPPA), however, new protections granted by the bill would extend to all individuals under age 18.

Background and Key Provisions

AB 2273’s proponents argue that the bill is necessary for the safety and privacy of children. Importantly, the bill would prohibit businesses from using children’s data in any way that the business knows or has reason to know “is materially detrimental to the physical health, mental health, or well-being of a child.”

The bill would also impose specific requirements on businesses, including:

  • Data Minimization – businesses must limit the collection, sharing, sale, and retention of children’s data unless they can demonstrate a compelling reason that the processing is in the child’s “best interests”;
  • Risk Assessments – businesses must assess, document, and mitigate risks of material detriment to children;
  • High Privacy Defaults – default privacy settings for under-18 users must offer a “high level of privacy” (unless the business can demonstrate a compelling reason that a different setting is in the best interests of children);
  • Revised Online Notices – privacy information and similar online notices must use language suitable to the age of children likely to access the service; and
  • Rights and Reporting Tools – businesses must offer children and parents/guardians tools to exercise their privacy rights and report concerns.

The Attorney General can also adopt regulations to clarify these requirements, and a new Children’s Data Protection Working Group will recommend best practices for businesses implementing the bill’s provisions.

Significant Challenges

AB 2273 could create significant compliance challenges in its pursuit of additional protections for children. For example, the bill’s “likely to be accessed by children” standard goes beyond COPPA’s “directed to children” standard. Under the current framework, COPPA’s requirements apply only where a business has actual knowledge that the user is under the age of 13 or where the service’s offerings are “directed” at children through factors like marketing, graphics, or music that appeals to children.

Under AB 2273, businesses must now also determine whether “a significant number of children” routinely access the service (or substantially similar services) “based on competent and reliable evidence regarding audience composition.” The law would also require businesses to estimate under‑18 users’ ages “with a reasonable level of certainty.” Compliance with these provisions could require collecting even more children’s data and make understanding the law’s applicability a moving target for businesses.

Enforcement

Violations of AB 2273 can result in injunctions or civil penalties against businesses of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation. Businesses that substantially comply with the Data Protection Impact Assessment requirements, however, can benefit from a 90-day cure period. AB 2273 also expressly prohibits a private right of action.

Broader Impact

If passed, the California AADC could further complicate compliance efforts for companies operating across the country. As with the California Consumer Privacy Act (CCPA), other state legislatures may look to California as a model for similar protections, creating another patchwork of potentially inconsistent state laws.

This effort comes as the U.S. Senate considers the Kids Online Safety Act (S. 3663), similar legislation that also involves potential state preemption. But as with California’s opposition to the preemption provisions of the American Data Privacy and Protection Act (H.R. 8152), efforts to preempt state rules may lead to significant pushback, particularly because the California Privacy Protection Agency would be responsible for AB 2273’s enforcement.

Next Steps

The bill is now eligible for a full Senate vote. Because the Senate’s and Assembly’s versions of AB 2273 differ, the Assembly (AB 2273’s house of origin) must concur with the Senate’s amendments. If the Assembly concurs, the bill will go to Governor Newsom for signing. If the Assembly does not concur, the bill will go to a conference committee to negotiate and reconcile the two versions’ differences. If the conference committee agrees on a single version, it will go back to both Floors for approval and then to the Governor for signing.

If passed, the bill would go into effect on July 1, 2024.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
