All Things Newz
Law \ Legal

New California Law Requires Enhanced Privacy By Default And Design For Users Under The Age Of 18 – Privacy Protection

The bill, still awaiting likely signature from Gov. Newsom,
will go into effect July 1, 2024 and apply to any business offering
online services or products to children.

The California Age-Appropriate Design Code Act
recently passed both houses of the California legislature and is
only a governor-signature away from imposing strict requirements on
business that have online services, products, or sites that are
targeted to children or that children are reasonably likely to

As a window into the intent of the bill, the bill states a
legislative finding that businesses must consider the “best
interests of children” when designing and developing websites,
and that if a conflict arises between commercial interests and the
best interests of children, the best interests of children

The new bill also sets forth some data protection requirements
that are familiar to those businesses already subject to other data
protection laws like the California Consumer Protection Act or the
EU’s General Data Protection Regulation. Those requirements
include data protection impact assessments and data

Scope and Applicability

To analyze the full scope of the new bill, both the scope of
what businesses are considered in-scope of the bills requirements
and who is categorized as a child must be considered.

The bill does not provide a definition for what is considered an
in-scope “business”; however, the scope of the
requirements sweeps up any business that “provides an online
service, product, or feature likely to be accessed by
children.” The bill includes some insight into what businesses
could fall within this broad category.

According to the bill, the following types of businesses must
comply with the bills requirements: any online service, product, or
feature that (i) is directed at children; (ii) is routinely
accessed by a significant number of children—based on
competent and reliable evidence—or is substantially similar
to such an online service; (iii) includes advertisements to
children; (iv) is designed in a way to target children, including
for example games, cartoons, music, etc.; or (v) has an audience
significantly made up of children—as determined by internal
company research.

This is a potentially broad category depending on how California
authorities seek to interpret and enforce the law once in effect.
Even if a business is not directly targeted at children or
marketing to children, it could get swept up into the bill’s
requirements if it is “substantially similar to” an
online service that is routinely accessed by a significant number
of children.

The bill does have some expressed exemptions. Broadband internet
service providers, telecommunication service providers, and
deliveries of physical products, are all exempt from the bill’s

Under the bill, a “child” or “children” is
considered any consumer who is 18 years old or younger. This sweeps
up a broader portion of the population than current data protection
laws that govern the collection of children’s personal
information do.

For example, the U.S. Children’s Online Privacy Protection
Act considers anyone under the age of 13 to be a child and the
California Consumer Privacy Act considers anyone under the age of
16 to be a child. The new bill expands on both and includes anyone
who is 18 years old or younger.

Data Privacy Impact Assessment

Prior to making an online service, product, or feature available
to the public (one that falls within the scope of
“business” as described above), the business must conduct
a Data Protection Impact Assessment

Broadly, DPIA’s must identify the purposes of their online
service, product, or feature; how it uses children’s personal
information, and any identified risks.

Specifically, any DPIA must analyze the whether the online
service, product, or feature could: (i) harm children or expose
them to potentially harmful content (including its design); (ii)
lead children to experience or be targeted by harmful or
potentially harmful contacts; (iii) permit children to witness,
participate in, or be subject to harmful or potentially harmful
conduct; and (iv) allow children to be a party or exploited by
harmful or potentially harmful contacts.

It is important to note that the above risks must be analyzed
even when something could be “potentially harmful”;
requiring companies to take a broad approach to the DPIA’s risk

Additionally, the DPIA must consider whether: (i) algorithms
used in the product, service, or feature could harm children; (ii)
targeted advertising used in the product, service, or feature could
harm children; (iii) the use of automatically playing media,
rewards given for time spent on a service, and notifications can
increase or sustain a child’s use of the service; and (iv) the
service, product, or feature collects or processes sensitive
personal information of children.

At a high level, the DPIAs required under the new bill are not
all that different from those required under the California
Consumer Privacy Act, or that will be required under new state data
protection laws. A business must analyze the purposes of their
processing or activities and weigh them against the potential risks
posed by such processing or activities. However, this bill sets
forth specific categories of analysis that in-scope businesses must
conduct—which sets it apart from other laws.

The DPIA is a prerequisite to any in-scope online service,
product, and feature as businesses are prohibited from implementing
such online products, services, or features without first
conducting a DPIA. All Data Protection Impact Assessments required
under the bill must be reviewed every other year after they are
initially conducted.

Government Requests

Related to the DPIA, there are certain timing requirements that
must be met when the California State Attorney General makes

A business must, within 3 business days of a written request
from the Attorney General, provide the Attorney General with a list
of all DPIAs the business has conducted; and within 5 business days
of a specific request, make any specific DPIA available to the
Attorney General.

Affirmative Obligations

The bill also requires a set of affirmative obligations on
in-scope businesses, all related to the principle of data
minimization and privacy by designed and default.

  1. All privacy settings for children users must be configured,
    by default to the highest level of privacy offered,
    unless the business can demonstrate an overriding interest (i.e.,
    best interest of the child).

  2. Privacy policies, terms of use, and other policies must be
    clearly and prominently posted on the site using language that is
    suited for the average age of those children accessing the service,
    product, or feature.

  3. Prominent (i.e., clear and conspicuous) tools must be made
    available to help children exercise any applicable privacy


The bill also sets forth a number of prohibitions, restricting
the activities and data processing of in-scope businesses. In-scope
businesses are prohibited from:

  1. Using a child’s personal information in a manner the
    business knows or has reason to know is materially detrimental to
    the physical or mental health, or general well-being of the

  2. Profiling a child unless the business can demonstrate (i)
    appropriate safeguards are in place; and (ii) either that the
    profiling is necessary and requested by the user or that the
    profiling is in the best interest of the child;

  3. Collecting, selling, sharing, or retaining a child’s
    personal information beyond what is absolutely necessary;

  4. Using a child’s personal information beyond the purposes it
    was originally collected for;

  5. Collecting a child’s precise geolocation information
    without providing an obvious sign to the child for the duration of
    the collection of that geolocation information; and

  6. Using dark patterns (e.g., misleading designs, consents,
    automatic renewals, etc.).

The practical reality of these obligations and prohibitions is
that any business that is or might be in the bills scope likely
needs to set up some form of “age assurance” process to
know what users are considered children, whether they make up a
significant amount of the online services traffic, and how to
ensure policies and procedures are in place to comply with the
above obligations and restrictions.

But even age assurance procedures are limiting in the bill as
business are prohibited from using any personal information
collected for age assurance purposes for any subsequent

Penalties and Enforcement

The bills, once signed by Gov. Newsom and in effect, will be
enforced by the California State Attorney General. There is no
private right of action expressed in the bill that would allow
consumers to sue for violations.

Any business that violates the bill can be subject to (i) an
injunction; (ii) $2,500 fines per affected child for each negligent
violation; or (iii) $7,500 fines per affected child for each
intentional violation. The foregoing fines are the same totals of
the per-violation fines for violations of the California Consumer
Privacy Act.

Business with large volumes of traffic consisting of children
(e.g., social media companies) could potentially face massive fines
under the bill if found in violation.

As new laws and regulations come into effect that
require enhanced data protection standards or defaults, including
those related to the online activities of children, the Benesch
Data Protection and Privacy team is committed to staying at the
forefront of knowledge and experience to assist our clients in
compliance efforts. We are available to assist you with any
compliance needs.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Source link

Related posts

OFCCP Launches Construction Contract Award Portal – Construction & Planning

Rusya Ve Ukrayna Arasinda İmzalanan Tahil Sevkiyati Antlaşmasi Ve Olasi Etkileri – Marine/ Shipping

Don’t Patent That! – Trade Secrets