On September 15th, Governor Gavin Newsom signed into law a bill aimed at protecting children’s privacy online and regulating companies that collect and process minors’ personal information.
The California Age-Appropriate Design Code Act (the Act) penalizes companies to the tune of $2,500 per affected child for each negligent violation and $7,500 per affected child for each intentional violation.
The Act goes into effect on July 1, 2024, giving businesses ample time to revamp their products and services as necessary to comply with the Act’s obligations. There is also a 90-day period to cure any violations for which a business receives notice from the Attorney General.
After the state Assembly passed a version of the Act, the Senate’s updates focused on enforcement by California’s Attorney General and implementation by its first-in-the-nation privacy protection agency – the California Privacy Protection Agency, created by the California Privacy Rights Act. The state Assembly approved a Senate-passed version of the Act on August 30, 2022, sending the bill to Gov. Gavin Newsom.
At its core, the Act emphasizes that companies must prioritize children’s privacy, safety and well-being over commercial interests. It also addresses concerns of children’s advocacy groups regarding the impact of technology on children’s development and mental health. The Act applies to businesses “that provide an online service, product, or feature likely to be accessed by children,” with the term “likely to be accessed by children” broadly defined, taking into account factors such as audience composition, advertising and design elements. As a result, social media platforms, gaming companies and other online services that target children or teens should be aware of upcoming compliance obligations.
What Does the Act Require?
The Act requires covered businesses to take the following actions:
- Complete a Data Protection Impact Assessment (DPIA) before offering any new online services or products to children. A DPIA addresses topics such as:
  - whether the design of the product or service may result in children being exposed to or targeted by harmful content or contacts,
  - the use of algorithms or targeted advertising systems that could harm children,
  - elements of the product or service that are designed to increase, sustain or extend time spent online (e.g. the automatic playing of media, rewards for time spent and notifications), and
  - whether the product or service processes sensitive personal information of children.
- To the extent the DPIA identifies any risk of material detriment to children, businesses must create a timed plan to mitigate or eliminate the risk before the product or service is accessed by children.
- Businesses must also make a DPIA available to the California Attorney General within five business days of a written request (the DPIA would be exempt from public disclosure under the California Public Records Act, and any information contained in the DPIA that is subject to attorney-client privilege or work product protection would not lose such privilege or protection).
- Estimate the age of child users with a reasonable level of certainty.
- Configure all default privacy settings offered by the product or service to offer the highest level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.
- Provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the product or service.
- Provide clear and conspicuous indications to children where the product or service enables a parent, or another consumer, to monitor the child’s online activity or track the child’s location, and where children can access tools to exercise their privacy rights and report concerns.
What Does the Act Prohibit?
The Act prohibits covered businesses from taking any of the following actions:
- Using children’s personal information in a way that is materially detrimental to a child’s physical health, mental health or well-being.
- Profiling a child by default, unless the business demonstrates that:
  - it has appropriate safeguards in place to protect children AND
  - profiling is necessary for providing the product or service, and only with respect to the aspects of the product or service with which the child is actively and knowingly engaged, or the business can demonstrate a compelling reason that profiling is in the best interests of children.
- Using personal information for any reason other than why it was collected; or collecting, selling, sharing or retaining children’s personal information that is not necessary to provide the product or service, unless the business can demonstrate a compelling reason that doing so is in the best interest of the child.
- Collecting, selling or sharing children’s precise geolocation information by default, unless it is strictly necessary to the product or service, and then only for the limited time that such collection is necessary.
- Collecting children’s precise geolocation information without providing an obvious sign to children for the duration of such collection.
- Using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide the product or service, to forego privacy protections, or to take any action that is materially detrimental to the child’s physical health, mental health, or well-being.
- Using children’s personal information to estimate age for any other purpose or retaining that personal information longer than necessary to estimate age.
The Bottom Line
- For the first time, a state has enacted a bipartisan law that imposes monetary fines on companies that violate children’s privacy or jeopardize the online safety of minors under age 17.
- The Act requires businesses to reevaluate their privacy practices related to children and teenagers and place a greater emphasis on the safety and well-being of minors when designing and developing online products and services.