California Passes Another Privacy Law, this Time for Children Under 18September 15, 2022
On September 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (the “Act”), a law directed at businesses that provide online services, products, or features that are likely to be accessed by children under 18. The Act aims to hold children’s well-being over businesses’ commercial interests and implement robust privacy protections in light of children’s increased interactions online. It will work in conjunction with the California Consumer Privacy Act of 2018 (the “CCPA”), as amended by the California Privacy Rights Act of 2020 (the “CPRA”), to govern the privacy of California residents. The Act will take effect on July 1, 2024.
Applicability of the Act
The Act applies to businesses who provide online services, products, or features “likely to be accessed by children,” meaning that it is “reasonable to expect,” based on the indicators below, that the online service, product, or feature would be accessed by children. Indicators of such access include that the online service, product, or feature is at least one of the following:
- directed to children as defined by the Children’s Online Privacy Protection Act (“COPPA”);
- determined to be routinely accessed by a significant number of children based on competent and reliable evidence regarding audience composition or is substantially similar to an online service, product, or feature determined as such;
- marketed to children;
- designed to include elements that are known to be of interest to children, such as games, cartoons, music, and celebrities who appeal to children; or
- determined, based on internal company research, to have a significant amount of the audience be children.
Unless the Act provides a specific definition, it utilizes the defined terms found in the CPRA. As a result, the Act only applies to those businesses subject to the CPRA. Under the CPRA, a “business” is a for-profit entity doing business in California that collects personal information of California residents (or on the behalf of which such personal information is collected) and satisfies at least one of the following:
- as of January 1, had annual gross revenues in excess of $25,000,000 in the preceding calendar year, as adjusted pursuant to the CPRA;
- alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California residents or households; or
- derives 50% or more of its annual revenues from selling or sharing California residents’ personal information.
The Act does not apply to broadband internet access services, telecommunications services, or the delivery or use of physical products. Further, the Act also does not apply to certain information or entities exempt from the CCPA and CPRA, namely protected health information and covered entities governed by HIPAA, healthcare providers and medical information governed by California’s Confidentiality of Medical Information Act, and personal information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects.
Of note, as used in the Act, “children” means California residents who are under the age of 18. This is a higher age threshold than other children’s privacy laws, like COPPA, which defines children to be those under 13 years of age. As such, businesses who have previously limited their online services, products, or features to those over 13 due to COPPA concerns may need to re-evaluate their practices with respect to 13-18 year olds under the Act.
Data Protection Impact Assessments: The Act requires businesses that provide an online service, product, or feature likely to be accessed by children to complete a Data Protection Impact Assessment, which is a systematic survey that assesses and mitigates risks to children that arise from the business’s data management practices. A business must complete a Data Protection Impact Assessment before offering any new online services, products, or features to the public that are likely to be accessed by children and, for such online services, products, or features offered to the public before July 1, 2024, the business must complete a Data Protection Impact Assessment prior to July 1, 2024. The business must review all Data Protection Impact Assessments every other year, and must provide copies of the assessments within five business days upon request from the California Attorney General.
Privacy by Default: Businesses subject to the Act must configure all default privacy settings provided to children to offer a high level of privacy, unless there is a compelling reason that a different setting is in the best interests of the children. The Act does not go into further detail on what may constitute a “high level of privacy.” However, the Act provides that businesses can look to guidance from the Age-Appropriate Design Code established in the UK in September 2021, from which the Act was sculpted. As an example of a high level of privacy, UK guidance provides that children’s personal information is only visible or accessible to other users of the service if they change their settings to allow this.
Tracking Signals: The Act also requires businesses to obviously display a signal to a child when the child’s activity or location is being monitoring or tracked by a parent, guardian, or other consumer. Further, if the business collects any precise geolocation information of a child, it must display an obvious sign to the child whenever collecting that information.
Enforcement & Penalties
The California Attorney General has enforcement authority under the Act. There is no private right of action. Negligent violations of the Act carry civil penalties of up to $2,500 per affected child, while intentional violations carry civil penalties up to $7,500 per affected child. There is also a limited right to cure violations of the Act. Specifically, if a business is in substantial compliance with the material requirements of the Act, then the Attorney General must provide written notice of any violations and 90 days to cure such violations prior to bringing an enforcement action.
The Act addresses recent concerns from lawmakers and government agencies about the protection of children online (see our prior alert here). Like with the CCPA, this new California privacy law may be setting the stage for similar state legislation or even federal legislation. The Act exceeds current protections for children under 13 provided by COPPA and businesses subject to it will need to take steps to ensure compliance well before the Act’s July 1, 2024 effective date.
If you need assistance with your compliance efforts or want more information on compliance with the Act, please contact one of our Cybersecurity & Data Privacy attorneys.