California’s Age-Appropriate Design Code Signals Big Change For Businesses Offering Online Products And Services – Privacy Protection

On August 29, 2022, the California Age-Appropriate Design Code Act (the Act) was
unanimously approved by the California State Senate. It now awaits
Governor Gavin Newsom’s signature. Given that the Act had
also passed unanimously through the State Assembly, it seems likely
that it will be signed into law. Businesses that have been
preparing for compliance with the California Privacy Rights Act
(CPRA) (which goes into effect on January 1, 2023) should
simultaneously assess what steps they need to take to comply with
the Act (most of which goes into effect on July 1, 2024), including
potential compliance steps that can be addressed in parallel for
both laws.

The Act applies to any business that provides an online service,
product or feature (Online Service) likely to be accessed by
children under 18. The Act was inspired by the
UK Age-Appropriate Design Code for Online Services and
imposes a number of affirmative requirements on businesses in
addition to prohibiting certain data practices. If enacted as
passed, the Act will impose burdensome obligations on covered
businesses, including those around Data Protection Impact
Assessments (DPIA), default settings and transparency requirements.
In addition, the broad language of the Act will make designing
compliance programs challenging, and there is no guarantee that the
California attorney general (AG) will issue regulations clarifying
the Act’s obligations.

We have provided additional details below on what is required
under the Act. We are happy to answer any questions your business
may have regarding compliance with the Act or the CPRA.

Key Takeaways and Affirmative Obligations

  • Potential for a “California Effect”:
    The Act is the latest illustration of
    the “California Effect,” through which California laws
    and regulations may influence the direction taken by lawmakers and
    policymakers in the rest of the country. Companies that are subject
    to the Act will want to think about whether it makes
    sense—for operational, compliance and reputational
    reasons—to extend similar protections to children outside of
    California. In addition, companies should be thinking about whether
    this principle-based approach, which is focused on acting in the
    “best interests of the child,” could be mirrored for
    other groups of users.

  • Protects Children Under 18: The Act is a
    notable departure from the Children’s Online Privacy
    Protection Act (COPPA) in a number of ways, including that it
    provides protections to children under 18 (as opposed to 13, as is
    the case with COPPA).

  • “Likely to Be Accessed by Children”:
    According to the Act, “likely
    to be accessed by children” means that it is reasonable to
    expect, based on certain indicators, that the Online Service would
    be accessed by children. Although the indicators that businesses
    will need to consider are similar to what they would have had to
    consider under COPPA, they now must determine whether their
    services are likely to be accessed by a much broader age

  • Age Estimation: One likely effect of the
    law is that more and more Online Services will either age-gate
    users or collect additional information in order to estimate age or
    the age range of users. The Act prohibits any personal
    information collected for these purposes from being used for
    any other purpose, and it can be retained only for as long as
    needed to estimate age. In addition, age assurance must be
    proportionate to the risks and data practice of the Online

  • DPIA: Prior to offering new Online
    Services that are likely to be accessed by children, a business
    must complete a DPIA and maintain documentation of the assessment
    for as long as the Online Service is likely to be accessed.

  • All DPIAs must be reviewed biennially and, among other things,
    must identify the purpose of the Online Service, how it uses
    children’s personal information, and the risks of material
    detriment to children that arise from the data management practices
    of the business.

  • To the extent applicable, DPIAs must examine the risk of a wide
    variety of harm, including exposure to harmful content, potential
    for targeting by harmful contacts and exploitation.

  • After conducting the DPIA, businesses are required to both
    document any risk of material detriment to children identified and
    create a timed plan to either mitigate or eliminate the risk before
    the Online Service is accessed by children.

  • DPIAs conducted for the purpose of compliance with other laws
    will be sufficient as long as the DPIA meets the requirements of
    the Act.

  • Within three business days of a written request from the
    California AG, businesses must provide a list of all the DPIAs that
    have been completed.

  • Upon a written request from the California AG, businesses must
    share DPIAs within five business days of the request. Notably,
    DPIAs are protected as confidential and are exempt from public
    disclosure. Additionally, to the extent that information in DPIAs
    is privileged or subject to work product protection, disclosure to
    the California AG does not constitute waiver of privilege.

  • Privacy Protective Default Settings:
    Default privacy settings for children must
    offer a high level of privacy unless the business can demonstrate a
    compelling reason for why a different setting would be in the best
    interests of children.

  • Age-Tailored Transparency:
    Privacy information, terms of service,
    policies and community standards must be provided concisely,
    clearly, prominently and in a way that is suited to the age of the
    children likely to access the particular Online Service.

  • Monitoring Signals: When parents,
    guardians or any other consumers are able to monitor a
    child’s online activity or track the child’s location,
    businesses must provide an obvious signal to the child when the
    child is being monitored or tracked.

  • Easy User Reporting: Businesses must
    provide prominent, accessible and responsive tools to help children
    or their parents/guardians to exercise their privacy rights and
    report concerns.

  • Attorney General May Issue Regulations:
    Although the Act provides that the
    California AG may solicit broad public participation and adopt
    regulations, the AG is not required to do so. Furthermore, there is
    no indication in the law as to what topics the regulations, if
    promulgated, would cover.

  • California Children’s Data Protection Working Group:
    This working group will be created in order to
    deliver a report to the Legislature regarding best practices for
    the implementation of the Act.

  • Enforcement and Penalties: Violators will
    be subject to an injunction and liable for a civil penalty
    (enforced by the California AG) of not more than $2,500 per
    affected child for each negligent violation or not more than $7,500
    per affected child for each intentional violation.

  • No Private Right of Action: Although the
    Act explicitly states that nothing should “be interpreted to
    serve as the basis for a private right of action,” we may
    still see creative efforts to bring charges under this law.

  • 90 Days to Cure: A business will not be
    liable for a civil penalty for violations that it has cured if the
    business (i) cures within 90 days of receiving notice from the
    California AG of alleged violations and (ii) provides the
    California AG with a written statement that alleged violations have
    been cured and that sufficient measures have been taken to prevent
    future violations.

Key Prohibitions

  • Health of the Child: Businesses cannot
    use the personal information of any child in a way that the
    business knows, or has reason to know, is materially detrimental to
    the physical health, mental health or well-being of a child. Key
    questions will be what rises to the requisite level of knowledge
    for a business and what constitutes material detriment to a

  • Profiling: Businesses cannot profile a
    child by default unless the business has appropriate safeguards in
    place or (i) profiling is necessary to provide the Online Service
    with respect to the aspects of the Online Service with which the
    child is actively and knowingly engaged or (ii) a compelling reason
    as to why profiling is in the best interests of children can be

  • Limitations on Collecting, Selling, Sharing and
    Retaining Personal Information: Businesses cannot
    collect, sell, share or retain any personal information that is not
    necessary to provide an Online Service absent a compelling reason
    that the aforementioned activity is in the best interests of
    children likely to access the Online Service.

  • Limitations on Collecting, Selling or Sharing
    Geolocation Information: Businesses cannot (i)
    collect precise geolocation information regarding a child without
    providing an obvious sign for the duration of the collection or
    (ii) collect, sell or share any precise geolocation information
    regarding children by default unless strictly necessary for the
    business to provide the Online Service and only while the
    collection of precise geolocation information is necessary to
    provide the service, product or feature.

  • Dark Patterns: Businesses cannot use dark
    patterns to lead or encourage children to provide personal
    information beyond what is reasonably expected to provide that
    Online Service, or to take any action that the business knows, or
    has reason to know, is materially detrimental to the child’s
    physical health, mental health or well-being.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
