California Is First State to Adopt Age-Appropriate Design Code Law Alert
The California Age-Appropriate Design Code Act expands privacy requirements for businesses with online products, services, or features directed to or likely to be accessed by users under the age of 18.
On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the "Act"). This is the first state privacy law specifically regulating provision of online services used by children and imposes obligations beyond those required by the federal Children's Online Privacy Protection Act ("COPPA"). The Act will be effective on July 1, 2024, giving businesses less than two years to become compliant.
The Act applies to businesses subject to the upcoming California Privacy Rights Act that provide online services, products, or features "likely to be accessed" by children or known to be accessed by children. The term "children" is defined as an individual under the age of 18. Whether a business's online services, products, or features are "likely to be accessed" by children will be determined by assessing a number of factors, including whether they are "directed to children" as defined under COPPA. The Act applies, more broadly than COPPA, where the online product, service, or feature is being accessed, or likely to be routinely accessed, by a significant number of children, without regard to the knowledge of the covered business.
Key requirements of the Act include the following:
- Covered businesses are prohibited from: (i) using a child's personal information in a manner that is considerably harmful to the child; (ii) profiling a child by default; (iii) collecting, selling, sharing, or retaining a child's personal information unless necessary to provide the online product, service, or feature; (iv) using a child's personal information for any reason other than the reason for which the information was originally collected; or (v) misleading or encouraging children to provide more personal information than is reasonably expected.
- Privacy policies, terms, and codes of conduct must be obviously displayed, using clear language suited to the age of children. The covered business must enforce these policies and terms.
- Any product or service that allows a parent or other consumer to track or monitor a child must include an obvious signal that shows the child when they are being tracked or monitored. Relatedly, a covered business may not collect, share, or sell children's exact geolocation by default.
- Businesses must complete a Data Protection Impact Assessment ("DPIA") by July 1, 2024, review it every two years, and maintain related documentation. The DPIA must be provided to the California Attorney General ("CA AG") upon request.
The legislation establishes a Working Group consisting of members with expertise in areas of children's rights, computer science, and health. The Working Group will draft a report for the legislature on best practices for implementing the Act and where covered businesses can look to for guidance.
The Act will be enforced by the CA AG alone. The CA AG may seek an injunction and civil penalties up to $2,500 per child for a negligent violation and $7,500 per child for an intentional violation. The Act does not provide for a private right of action, but does not limit or restrict the ability of individuals to seek compensatory damages for violations of these requirements where permitted under other state laws.