California is moving forward with more ground-breaking privacy legislation, most recently with its passage of the California Age-Appropriate Design Code Act (“AADC”), which was signed by Governor Newsom on September 15, 2022. The AADC will expand the obligations of businesses already covered by the California Consumer Privacy Act (“CCPA”), to the extent they provide online products, services, or features likely to be accessed by California residents under the age of 18. Notably, businesses may be subject to the AADC even if they are not subject to the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to personal information of children under the age of 13.
Inspired by the U.K. Age-Appropriate Design Code, the AADC has the stated intent of requiring covered businesses to “prioritize the privacy, safety, and well-being of children over commercial interests.” As discussed below, the AADC will require these businesses to modify their covered online services, products, or features to limit the collection and processing of personal information of California residents under the age of 18, and to maintain formal data protection impact assessments that will be available for inspection by the California Attorney General.
Limitations on Collection and Processing of Personal Information of Children Under 18 Years of Age
The AADC will require covered businesses to limit their collection and processing of personal information of California residents under the age of 18 (“Children”), including by :
- Estimating the age of Child users with a reasonable level of certainty appropriate to the risks that arise from the business’ data management practices, or applying the privacy and data protections afforded to Children to all consumers;
- Refraining from collecting, selling, sharing,[1] or retaining any personal information that is not necessary to provide an online service, product, or feature with which a Child is actively and knowingly engaged, unless the business can demonstrate a compelling reason that the collection, sale, sharing, or retention of the personal information is in the best interests of Children likely to access the online service, product, or feature;
- Refraining from using a Child’s personal information for any reason other than a reason for which that personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of Children;
- Configuring all default privacy settings provided to Children to settings that offer a high level of privacy, unless the business can show a compelling reason that a different setting is in the best interest of Children;
- Refraining from profiling[2] a Child by default unless the business can demonstrate that it has appropriate safeguards to protect Children and that either (a) the profiling is necessary to provide the online service, product or feature (and only applies with respect to the aspects of the online service, product or feature with which the Child is actively and knowingly engaged) or (b) the business has a compelling reason for the profiling or the profiling is in the best interest of Children;
- Refraining from collecting, selling, or sharing any precise geolocation information of Children by default, unless the collection of that precise geolocation information is strictly necessary for the business to provide the service, product, or feature requested by the Child, and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature, and providing an obvious sign to the child for the duration of the collection of that precise geolocation information;
- Providing any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of Children likely to access that online service, product, or feature; and
- Providing an obvious signal to the Child when the Child is being monitored or tracked, if the online service, product, or feature allows the Child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location.
These restrictions may require businesses to make fundamental changes to covered online services, products, and services. Although the AADC does not become operative until July 1, 2024, covered businesses will need to begin preparing well in advance for the impact that the AADC will have on their covered online services, products, or features.
Preparation of Data Protection Impact Assessments
The AADC also will require covered businesses to prepare a detailed Data Protection Impact Assessment (“DPIA”) of any online service, product, or feature likely to be accessed by Children, before offering that online service, product, or feature to the public. The AADC provides that the DPIA must be completed on or before July 1, 2024, for any online service, product, or feature likely to be accessed by Children offered to the public before July 1, 2024.
As detailed in the AADC, the DPIA must identify the purpose of the online service, product, or feature covered by the DPIA, how that service/product/feature uses Children’s personal information, and the risks of material detriment to Children that arise from the data management practices of the business. More specifically, the AADC also requires the DPIA to address the following considerations, to the extent applicable:
- Whether the design of the online product, service, or feature could:
- harm Children, including by exposing Children to harmful, or potentially harmful, content;
- lead to Children experiencing or being targeted by harmful, or potentially harmful, contacts;
- permit Children to witness, participate in, or be subject to harmful, or potentially harmful, conduct; or
- allow Children to be party to or exploited by a harmful, or potentially harmful, contact.
- Whether algorithms used by the online product, service, or feature could harm Children;
- Whether targeted advertising systems used by the online product, service, or feature could harm Children;
- Whether and how the online product, service, or feature uses system design features to increase, sustain, or extend use of the online product, service, or feature by Children, including the automatic playing of media, rewards for time spent, and notifications; and
- Whether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of Children.
If the DPIA identifies any risk of material detriment to Children that arises from the business’ data management practices, the AADC requires the business to document those risks and create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessed by children.
The AADC requires covered businesses to maintain documentation of the DPIA as long as the online service, product, or feature is likely to be accessed by Children, and to review all DPIAs biennially. Under the AADC, a covered business must provide a list of all DPIAs to the California Attorney General within three business days of a written request, and provide a copy of any DPIA to the California Attorney general within five business days of a written request.
Enforcement
The AADC will be enforced by the California Attorney General, who can bring civil actions to enforce the AADC. The AADC provides that a business that violates the AADC may be subject to an injunction and liable for a civil penalty of up to $2500 per affected child for each negligent violation, or up to $7500 per affected child for each intentional violation. The AADC provides for a 90-day notice and cure period before the California Attorney General can bring a civil enforcement action, but only if the business is otherwise in substantial compliance with the AADC. The AADC explicitly provides that it does not create a private right of action for consumers.
Conclusion
The AADC shows a continued expansion of California privacy laws, including by creating children’s privacy protections for individuals under the age of 18. The California legislature has given businesses nearly two years to implement the required changes prior to the AACA’s operative date of July 1, 2024, but covered businesses may need this lead time to implement all of the required changes in time.
[1] Note that the AADC’s restrictions on sale/sharing apply in addition to the limitations imposed by the CCPA, which typically requires opt-in consent to the sale or sharing of personal information of consumers under the age of 16.
[2] The AADC defines “profiling” as “any form of automated processing of personal information that uses personal information to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
