California lawmakers passed a new potentially transformative children’s privacy law. The new measure, the California Age-Appropriate Design Code Act (“CAADCA” or “Act”), establishes a comprehensive framework that requires businesses to prioritize the “best interests of the child” when designing, developing, and providing online services such as websites, online video games and mobile apps.
The CAADCA will change privacy practices concerning minors in the U.S. in a significant and meaningful way. Although it is only a state law, in privacy, as goes California, so often goes the rest of the country. Even if other states fail to follow suit and enact their own versions of the CAADCA (as Colorado, Connecticut, Utah and Virginia did with respect to the California Consumer Privacy Act), California is such a large and important market that the CAADCA feels destined to become the de facto national standard.
Here is a look at the measure’s more notable provisions:
Entities Regulated: The CAADCA applies to “businesses” that provide an online service, product, or feature likely to be accessed by children. The use of “likely to be accessed” creates a broader, more inclusive scope than the one found under the Children’s Online Privacy Protection Act (“COPPA”), which applies to entities that direct their online service toward children or have actual knowledge that they collect personal information from children under 13.
The Act uses the same definition of “business” as the one found in the California Privacy Rights Act (“CPRA”). Accordingly, an entity becomes a “business” for the purpose of the CAADCA when it is for-profit, does business in California, collects personal information from a California resident and satisfies any of the three following requirements: (i) has annual revenues in excess of $25 million; (ii) processes the personal information of at least 100,000 California residents annually; or (iii) derives at least half of its revenue from the sale of personal information.
Broad Application to Children Under 18: The CAADCA will apply to children under the age of 18, an age threshold that is considerably higher than the one found in COPPA. Interestingly, the Act does not provide a mechanism for verifying the age of users; however, it does provide that businesses must develop methods to estimate the age of child users to a reasonable degree of certainty and appropriate to the involved risks. Alternatively, businesses can apply the privacy and data protection afforded to children to all consumers.
Data Protection Impact Assessment: A central element of the CAADCA is a requirement that businesses complete a Data Protection Impact Assessment (“DPIA”) for any online service, product, or feature likely to be accessed by children. The Act provides various requirements for completing these assessments. One such requirement is that the risk of material detriment to children that arises from the data management practices of the business, as identified in the assessment, be documented and a plan put in place to mitigate or eliminate the risk prior to the service being accessed by children. The first DPIA must be completed by July 1, 2024, and subsequently such assessments must be reviewed by the business every two years.
The business must promptly provide a list of all DPIAs completed to the California Attorney General (“AG”) upon written request of the AG. Furthermore, the business must also promptly make any completed DPIA available to the AG upon written request of the AG.
Heightened Standards: The new measure will cover a wide range of businesses that provide online services “likely to be accessed by a minor” even if the business lacks “actual knowledge” that children use the service.
High Level of Privacy as a Default: The Act requires businesses to follow the principle of “privacy by design.” This generally means setting default privacy settings that offer a “high level” of privacy protection (e.g., setting geolocation and app tracking to off) unless the business can present a “compelling reason” that a different setting is in the best interests of children.
Limited Collection and Use of Information from Children: Under the CAADCA, businesses generally may only collect, sell, share, or retain personal information from children as necessary to provide an online service with which the child is actively and knowingly engaged. Similarly, the business typically may not use personal information collected from children for any reason other than a reason for which that personal information was collected.
Prohibition on Dark Patterns: The CAADCA prohibits the use of “dark patterns” to lead or encourage children to provide personal information beyond what is reasonably expected to provide the online service, product, or feature, or to forgo privacy protections. Similarly, the Act prohibits the use of dark patterns to lead or encourage children to take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health, or well-being.
Notices Designed for Children: Under the CAADCA, businesses must provide all privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the online services. Drafting such notices in child-appropriate language is likely to be a significant departure from most businesses’ current practices. Furthermore, if the online service allows a consumer (e.g., a child’s parent) to monitor the child’s online activity or track the child’s location, then the service must provide an “obvious signal” to the child when the child is being monitored or tracked.
The CAADCA will be enforced by the AG and there are hefty fines for non-compliance – civil penalties of up to $7,500 per affected child for intentional violations, and up to $2,500 per affected child for negligent violations. When a business has substantially complied with threshold requirements of the Act, though, the AG must provide notice and give the business a 90-day period to cure. Significantly, the Act expressly provides that it does not create a private right of action.
California Governor Newsom signed the bill into law on September 15, 2022, but it will not enter into force until July 1, 2024. In addition, much about how the Act will be implemented and interpreted remains to be seen. The law does require the state to establish a working group, which will be charged with developing best practices for implementing the CAADCA. This working group will consist of ten members, including two chosen by the California Privacy Protection Agency. By January 1, 2024 and every two years thereafter, the working group will submit a report to the CA legislature regarding its findings. Given the likely complexities involved in compliance, businesses should not wait until 2024 to begin working to comply with the Act but should begin to assess whether the Act applies to them, and if so, promptly undertake efforts to begin the compliance process. Completing a DPIA will likely be a good starting point for subject businesses.
The CAADCA is the latest, but surely not the last, development in the rapidly evolving and increasingly protective landscape concerning children’s privacy rights. Given all the recent attention surrounding children’s privacy rights and, in particular, the protection of children online, companies that in any way interact with minors through digital media should take prompt efforts to ensure that their current and contemplated data processing activities comply with the present and rapidly evolving legal and regulatory landscape.
The post California Lawmakers Pass The Transformative Age Appropriate Design Code Act appeared first on Data + Privacy + Cybersecurity Insights.