On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (CAADCA), AB 2273, which takes effect July 1, 2024 and is intended to protect the wellbeing, data, and privacy of children using online platforms. Businesses subject to the California Privacy Rights Act of 2020 (CPRA) should review the requirements of CAADCA closely to determine what data protection measures should be updated, as the new law expands upon existing minor protection laws, such as California’s Parent’s Accountability and Child Protection Act and the Children’s Online Privacy Protection Act (COPPA) under federal law. The Act does not have a lookback period, though businesses must complete an impact assessment of their services before the law takes effect. While many companies may unexpectedly be swept into the scope of the CAADCA, social media companies and gaming companies, along with companies that are already subject to COPPA, are the largest organizations likely to be impacted.
Applicability
CPRA Subject Business
The CAADCA “furthers the purposes and intent of the [CPRA]” and therefore applies only to businesses subject to the CPRA. Specifically, the CAADCA applies to businesses that “provide[] an online service, product, or feature likely to be accessed by children” who are under the age of 18. All non-defined terms are defined pursuant to the CPRA, and under the CPRA a covered business is defined as a “for-profit entity doing business in California that collects personal information of California residents and meets specific threshold criteria.”1
“Likely to be accessed by children.”
To accomplish its goal, the CAADCA creates new legal obligations with respect to online products and services that are “likely to be accessed by children” under the age of 18. An online service, product, or feature is “likely to be accessed by children” based on certain indicators, including whether:
- It is “directed to children,” as defined by COPPA
- It is determined to be routinely accessed by a significant number of children (based on competent and reliable evidence regarding audience composition)
- It has advertisements marketed to children
- It is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children
- It has design elements that are known to be of interest to children (including, but not limited to, games, cartoons, music, and celebrities who appeal to children)
- Based on internal company research, a significant audience of the online service, product, or feature is determined to be children
Although the CAADCA references COPPA, CAADCA presents a much broader standard. Notably, CAADCA defines “child” more broadly than COPPA. While COPPA defines “child” as an individual under the age of 13, CAADCA defines “child” as a consumer under the age of 18. Additionally, the CAADCA imposes a number of requirements on covered businesses that are not included under COPPA.
Requirements Imposed on Covered Businesses by the CAADCA
Among other obligations, the CAADCA requires that covered businesses take all of the following actions:
- Creation of a Data Protection Impact Assessment. Businesses that currently provide online products and services that are “likely to be accessed by children” must complete a Data Protection Impact Assessment (DPIA) prior to July 1, 2024. After July 1, 2024, covered businesses must complete a DPIA before any new features or online products and services likely to be accessed by children can be offered to the public. The DPIA must identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business. The DPIA must be biennially reviewed and, upon written request, provided to the California Attorney General within five business days.
- Provide privacy by default. A business subject to the CAADCA must configure all default privacy settings provided to children to offer a high level of privacy unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.
- Estimate and tailoring of products by age. Under the CAADCA, businesses must estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the business’ data management practices or apply the privacy and data protections afforded to children to all consumers.
- Provide clear privacy policy and terms. The CAADCA requires businesses to provide privacy information, terms of service, policies, and community standards concisely and with clear language suited to the age of the children likely to access the online service, product, or feature.
- Allow exercise of rights. Businesses must provide prominent, accessible, and responsive tools to help children or parents or guardians exercise their privacy rights and report concerns.
- Clearly identify tracking signals. If the online service, product, or feature allows the child’s parent, guardian, any other consumer, or the business itself to monitor the child’s online activity or track the child’s location, provide an obvious signal to the child when the child is being monitored or tracked.
Restrictions on a Covered Business
The CAADCA also restricts covered businesses that provide an online service, product, or feature likely to be accessed by children from taking any of the following actions:
- Using personal information of any child “in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child”
- Profiling a child unless necessary to provide the online service or feature, or unless the business can demonstrate a compelling reason that the profiling is in the best interest of the child
- Collecting, selling, or disclosing precise geolocation information unless strictly necessary
- Using dark patterns to encourage children to provide personal information
- Retaining more information than necessary or using collected information for any other purpose than estimating age
Potential Penalties
Although the CAADCA does not create a private right of action, the CAADCA allows the Attorney General to subject any business that violates the Act to a civil penalty, including:
- Up to $2,500 per affected child for negligent violations, and
- Up to $7,500 per affected child for intentional violations of the Act.
However, for businesses in substantial compliance the Attorney General shall provide written notice to the business before initiating an action and allow the business 90 days from such notice to cure any potential violations.
Next Steps for California Businesses
The CAADCA creates significant new obligations and restrictions on covered businesses in relation to children’s information. While the CAADCA provides businesses until July 1, 2024 to comply, California businesses should:
- Determine if their online products and services are likely to be accessed by children. This may require some market research into the current or future users of their products according to the criteria above.
- Prepare for and create a DPIA. For many companies, this may require a data mapping exercise to understand what they do with data about children under 18. Businesses should also evaluate and document the purpose of each online service, product, or feature likely to be accessed by children and the risks involved in processing data about children.
- Carefully review their policies and procedures and begin planning necessary changes to ensure compliance. Covered businesses are likely to need to adjust the default privacy settings to accommodate a high level of privacy by default and tailor the products by age groups defined in the CAADCA. Businesses should also ensure that they are not engaging in any of the prohibited activities mentioned above, and be particularly mindful of unintentional dark patterns.
- Update privacy policies and terms. Businesses will need to adjust the language in their privacy policies and terms based on the age groups likely to access their online service, product, or feature.
- Implement new tracking signals. The CAADCA requires that the business provide a clear signal to children when they are being tracked.
- Comply with consumer rights. Businesses should ensure that children and their parents or guardians have a convenient way to exercise their privacy rights or report concerns.
For more information about the CAADCA or for assistance preparing to comply with the CAADCA, please contact any of the authors or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.
1 For more information on the CPRA applicability, see California Voters Pass the California Privacy Rights Act.