On August 29, 2022, the
California Age-Appropriate Design Code Act (the Act) was
unanimously approved by the California State Senate. It now awaits
Governor Gavin Newsom’s signature. Given that the Act had
also passed unanimously through the State Assembly, it seems likely
that it will be signed into law. Businesses that have been
preparing for compliance with the California Privacy Rights Act
(CPRA) (which goes into effect on January 1, 2023) should
simultaneously assess what steps they need to take to comply with
the Act (most of which goes into effect on July 1, 2024), including
potential compliance steps that can be addressed in parallel for
The Act applies to any business that provides an online service,
product or feature (Online Service) likely to be accessed by
children under 18. The Act was inspired by the
UK Age-Appropriate Design Code for Online Services and
imposes a number of affirmative requirements on businesses in
addition to prohibiting certain data practices. If enacted as
passed, the Act will impose burdensome obligations on covered
businesses, including those around Data Protection Impact
Assessments (DPIA), default settings and transparency requirements.
In addition, the broad language of the Act will make designing
compliance programs challenging, and there is no guarantee that the
California attorney general (AG) will issue regulations clarifying
the Act’s obligations.
We have provided additional details below on what is required
under the Act. We are happy to answer any questions your business
may have regarding compliance with the Act or the CPRA.
Key Takeaways and Affirmative Obligations
- Potential for a “California
Effect”: The Act is the latest illustration of
the “California Effect,” through which California laws
and regulations may influence the direction taken by lawmakers and
policymakers in the rest of the country. Companies that are subject
to the Act will want to think about whether it makes
sense—for operational, compliance and reputational
reasons—to extend similar protections to children outside of
California. In addition, companies should be thinking about whether
this principle-based approach, which is focused on acting in the
“best interests of the child,” could be mirrored for
other groups of users.
- Protects Children Under 18: The Act is a
notable departure from the Children’s Online Privacy
Protection Act (COPPA) in a number of ways, including that it
provides protections to children under 18 (as opposed to 13, as is
the case with COPPA).
- “Likely to Be Accessed by
Children”: According to the Act, “likely
to be accessed by children” means that it is reasonable to
expect, based on certain indicators, that the Online Service would
be accessed by children. Although the indicators that businesses
will need to consider are similar to what they would have had to
consider under COPPA, they now must determine whether their
services are likely to be accessed by a much broader age
- Age Estimation: One likely effect of the
law is that more and more Online Services will either age-gate
users or collect additional information in order to estimate age or
the age range of users. The Act prohibits using personal information
collected for age estimation for any other purpose, and such
information may be retained only for as long as is needed to
estimate age. In addition, age assurance must be
proportionate to the risks and data practice of the Online
- DPIA: Prior to offering new Online
Services that are likely to be accessed by children, a business
must complete a DPIA and maintain documentation of the assessment
for as long as the Online Service is likely to be accessed.
- All DPIAs must be reviewed biennially and, among other things,
must identify the purpose of the Online Service, how it uses
children’s personal information, and the risks of material
detriment to children that arise from the data management practices
of the business.
- To the extent applicable, DPIAs must examine the risk of a wide
variety of harm, including exposure to harmful content, potential
for targeting by harmful contacts and exploitation.
- After conducting the DPIA, businesses are required to both
document any risk of material detriment to children identified and
create a timed plan to either mitigate or eliminate the risk before
the Online Service is accessed by children.
- DPIAs conducted for the purpose of compliance with other laws
will be sufficient as long as the DPIA meets the requirements of
- Within three business days of a written request from the
California AG, businesses must provide a list of all the DPIAs that
have been completed.
- Upon a written request from the California AG, businesses must
share DPIAs within the five business days of the request. Notably,
DPIAs are protected as confidential and are exempt from public
disclosure. Additionally, to the extent that information in DPIAs
is privileged or subject to work product protection, disclosure to
the California AG does not constitute waiver of privilege.
- Privacy Protective Default
Settings: Default privacy settings for children must
offer a high level of privacy unless the business can demonstrate a
compelling reason for why a different setting would be in the best
interests of children.
- Age-Tailored Transparency
Requirements: Privacy information, terms of service,
policies and community standards must be provided concisely,
clearly, prominently and in a way that is suited to the age of the
children likely to access the particular Online Service.
- Monitoring Signals: When parents,
guardians or any other consumers are able to monitor a
child’s online activity or track the child’s location,
businesses must provide an obvious signal to the child when the
child is being monitored or tracked.
- Easy User Reporting: Businesses must
provide prominent, accessible and responsive tools to help children
or their parents/guardians to exercise their privacy rights and
- Attorney General May Issue
Regulations: Although the Act provides that the
California AG may solicit broad public participation and adopt
regulations, the AG is not required to do so. Furthermore, there is
no indication in the law as to what topics the regulations, if
promulgated, would cover.
- California Children’s Data Protection Working
Group: This working group will be created in order to
deliver a report to the Legislature regarding best practices for
the implementation of the Act.
- Enforcement and Penalties: Violators will
be subject to an injunction and liable for a civil penalty
(enforced by the California AG) of not more than $2,500 per
affected child for each negligent violation or not more than $7,500
per affected child for each intentional violation.
- No Private Right of Action: Although the
Act explicitly states that nothing should “be interpreted to
serve as the basis for a private right of action,” we may
still see creative efforts by private plaintiffs to bring claims
under this law.
- 90 Days to Cure: A business will not be
liable for a civil penalty for violations that it has cured if the
business (i) cures within 90 days of receiving notice from the
California AG of alleged violations and (ii) provides the
California AG with a written statement that alleged violations have
been cured and that sufficient measures have been taken to prevent
- Health of the Child: Businesses cannot
use the personal information of any child in a way that the
business knows, or has reason to know, is materially detrimental to
the physical health, mental health or well-being of a child. Key
questions will be what rises to the requisite level of knowledge
for a business and what constitutes material detriment to a
- Profiling: Businesses cannot profile a
child by default unless the business has appropriate safeguards in
place or (i) profiling is necessary to provide the Online Service
with respect to the aspects of the Online Service with which the
child is actively and knowingly engaged or (ii) a compelling reason
as to why profiling is in the best interests of children can be
- Limitations on Collecting, Selling, Sharing and
Retaining Personal Information: Businesses cannot
collect, sell, share or retain any personal information that is not
necessary to provide an Online Service absent a compelling reason
that the aforementioned activity is in the best interests of
children likely to access the Online Service.
- Limitations on Collecting, Selling or Sharing
Geolocation Information: Businesses cannot (i)
collect precise geolocation information regarding a child without
providing an obvious sign for the duration of the collection or
(ii) collect, sell or share any precise geolocation information
regarding children by default unless strictly necessary for the
business to provide the Online Service and only while the
collection of precise geolocation information is necessary to
provide the service, product or feature.
- Dark Patterns: Businesses cannot use dark
patterns to lead or encourage children to provide personal
information beyond what is reasonably expected to provide that
Online Service, or to take any action that the business knows, or
has reason to know, is materially detrimental to the child’s
physical health, mental health or well-being.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.