On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the “Act”), calling it the “nation’s first law” to protect children’s online data and privacy. AB 2273 sets out new legal requirements for businesses offering online products and services that, based on certain factors, are “likely to be accessed by children under the age of 18”. These factors include whether the feature is: (i) “directed at children” as defined in the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence of audience composition, to be routinely attended by a significant number of children”; (iii) solicited to children; (iv) substantially similar or the same as any online service, product, or feature that is regularly accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined, based on internal company research, to have significant access by children. Notably, in contrast to COPPA, the law defines a child more broadly as a consumer under the age of 18 (COPPA defines a child as a person under the age of 13).
The law also includes specific requirements for affected companies, including:
- Businesses must configure any default privacy settings offered by the online services, products, or features to provide a high level of privacy protection “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
- Businesses must “concisely” and “clearly” provide privacy information, terms of service, policies, and community standards appropriate to the ages of children likely to access the online service, product, or feature;
- Before offering any new online service, product or feature that children are expected to access before July 1, 2024, businesses must conduct a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of significant harm to children” arising from the DPIA, create a mitigation plan, and submit the DPIA to the Attorney General upon written request;
- Companies must “[e]stimate the age of child users with a reasonable level of assurance commensurate with the risks arising from the entity’s data management practices, or apply the privacy and data protection afforded to children to all consumers”;
- Should an online service, product, or feature allow a child’s parent, guardian, or other consumer to monitor the child’s online activities or track the child’s location, businesses must give the child a clear signal when the child is being monitored or followed;
- Companies must “[e]nforce published terms, policies and community standards established by the Company, including but not limited to privacy policies and those affecting children”; and
- Businesses need to provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.
In addition, companies subject to the law are prohibited from using a child’s personal information (i) in a way that the company knows or has a need to know would be materially harmful to a child’s physical health, mental health or well-being; or (ii) for a reason other than the reason the personal information was collected, unless an entity can demonstrate an overriding reason that the use of the personal information is in the “best interests of children”. The law also restricts the profiling, collecting, selling or sharing of children’s geolocation data and the use of dark patterns to encourage children to provide personal information beyond what is reasonably expected.
The law also establishes the California Child Privacy Working Group, which will study and report to the legislature on best practices in implementing the law and, among other things, evaluate ways to leverage the California Data Protection Agency’s expertise in the long-term development of privacy policies affecting the privacy, rights and safety of children online. The Attorney General is tasked with enforcing the law and can seek an injunction or civil penalty against any company that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation; however, companies can be given a 90-day grace period if they have “substantially met” the law’s rating and mitigation requirements.
The law will come into force on July 1, 2024.