Minor Keys: Major Takeaways from New California Online Children’s Privacy Law
The California Age-Appropriate Design Code Act (the “Act”) recently became law and includes a number of online privacy-related requirements related to individuals under the age of 18. The statute is similar to, and expressly acknowledges a relationship with, the Age-Appropriate Design Code recently passed in the United Kingdom. This post summarizes several key takeaways from these new privacy legal requirements from the Golden State.
The Act only applies to “businesses” as defined by CCPA, but otherwise generally applies more broadly than the federal Children’s Online Privacy Protection Act (“COPPA”). The Act applies to businesses—as defined by the CCPA—that provide an online service, product, or feature “likely to be accessed by children,” which the Act defines as consumers under the age of 18. That standard is both broader and narrower than COPPA:
- The Act’s application is broader than COPPA insofar as COPPA limits the definition of “child” to individuals under 13, and only applies to operators of online services that are “directed to children.”
- The Act’s application is narrower than COPPA in that an organization must fall within the definition of “business” under the CCPA for the Act to apply.
Whether an online service, product, or feature is “likely to be accessed by children” and therefore subject to the Act requires a factual and contextual review of certain indicators. The “likely to be accessed by children” concept is not precisely defined in the Act. Instead, the Act provides that standard means “it is reasonable to expect . . . that the online service, product, or feature would be accessed by children” based on an assessment of certain specified indicators. Those indicators include whether the online service, product, or feature:
- Meets the COPPA standard for being “directed to children;”
- Has routine access by a significant number of children based on competent and reliable evidence regarding audience composition;
- Has advertisements marketed to children;
- Is the same as or is substantially similar to another online service, product, or feature that is routinely accessed by a significant number of children;
- Contains design elements “known to be of interest to children,” such as games, cartoons, music, and celebrities who appeal to children; and
- Has a significant amount of children in its audience as determined by internal company research.
Effective on July 1, 2024. The Act takes effect on July 1, 2024, giving privacy lawyers something to look forward to after addressing the California Privacy Rights Act of 2020 and other new state privacy laws in Colorado, Connecticut, Utah, and Virginia taking effect in 2023.
The Act prohibits certain processing activities using a child’s personal information. The Act also prohibits other activities, including:
- Profiling of children, unless the business can demonstrate it has appropriate safeguards and the profiling is either “necessary to provide the online service, product, or feature requested and only with respect to the aspects of the online service, product, or feature with which the child is actively and knowingly engaged” or “[t]he business can demonstrate a compelling reason that profiling is in the best interests of children;”
- Using “dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature to forego privacy protections” or to take action “that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health, or well-being;”
- Collecting, selling, sharing, or retaining any personal information that is unnecessary “to provide an online service, product, or feature with which a child is actively and knowingly engaged,” comply with law or legal process, cooperate with law enforcement, and exercise or defend legal claims, unless “the business can demonstrate a compelling reason” that the relevant processing “is in the best interests of children;”
- Collecting, selling, or sharing children’s precise geolocation information “unless the collection of that precise geolocation information is strictly necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.”
- Collecting children’s precise geolocation information “without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.”
- Using a child’s personal information for any reason other than a reason for which the personal information was collected absent a demonstratable compelling reason that such use is in the “best interests of children;” and
- Using children’s personal information in a way that the business knows or has reason to know is materially detrimental to a child’s physical health, mental health, or well-being.
The CCPA’s definitions of “profiling,” “dark patterns,” “sale,” “sharing,” and “precise geolocation information” also apply to the Act.
The Act imposes significant affirmative compliance requirements on covered businesses, including to conduct data protection impact assessments. Businesses subject to the Act are subject to significant affirmative compliance obligations, including:
- Completing data protection impact assessments (which must be provided to the California Attorney General within three days of a written request) satisfying specific criteria before offering any online service, product, or feature that is likely to be accessed by children to the public, including for any such online service, product, or feature “offered to the public” before the Act becomes effective;
- Estimating the age of child users with a reasonable level of certainty appropriate to the risks arising from the business’ data management practices or otherwise applying privacy and data protections the Act requires for children to all consumers;
- Configuring default privacy settings to those that offer a high level of privacy unless there is a demonstrable compelling reason that a different setting is in children’s best interests;
- Providing concise and prominent privacy information, terms of service, policies, and community standards that use clear language suited to the age of the children likely to access the online service, product, or feature;
- Providing an obvious signal to the child that they are being monitored or tracked if the online service, product, or feature allows the child’s parent, guardian or any other consumer to monitor the child’s online activity or track the child’s location;
- Enforcing published terms, policies, including privacy policies, and community standards; and
- Providing prominent, accessible, and responsive tools to allow children or their parents/guardians to exercise privacy rights and report concerns.
No private right of action, but Attorney General enforcement with a potential 90-day cure period. The Act does not include a private right of action—enforcement authority is only provided to the California Attorney General. The Attorney General can obtain injunctive relief, penalties of up to $2,500 per affected child for each negligent violation, and penalties up to $7,500 per affected child for each intentional violation.
If a business “is in substantial compliance” with the Act, the California Attorney General must provide written notice of the specific provisions the covered business violated or is violating. Such a business can then avoid civil penalties if it has cured the noticed violation(s) and provides the Attorney General with a written statement that the alleged violation(s) are cured and that the business has taken sufficient measures to prevent future violation(s) within 90 days of notice of the alleged violation(s).
The California Attorney General may also adopt regulations clarifying the Act’s requirements.
The Act establishes an advisory group to study and report to the legislature on best practices for implementing the Act. The Act establishes the California Children’s Data Protection Working Group. The Working Group is specifically tasked with studying several issues related to the Act, including identifying online services, products, or features likely to be accessed by children, ensuring that age-assurance methods used by covered businesses are risk-proportionate, privacy protective and minimally invasive, and evaluating how to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the children’s privacy, rights and safety online.
If you would like to discuss the Act’s application or potential compliance strategies, please feel free to contact any member of the Wyrick Robbins privacy team.