School is in session, and companies are preparing for the slew of new data privacy laws taking effect through 2023 into 2024, but California has piled on more homework for companies handling the data of minors. On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”).[1] Modeled on the UK’s Age-Appropriate Design Code, the Act imposes novel legal obligations on entities that provide “an online service, product, or feature likely to be accessed by children.” The obligations stem from the common belief that “children are particularly vulnerable from negotiating perspective with respect to their privacy rights.”[2]
The effective date of the Act is July 1, 2024, but companies should consider addressing this statute soon. The Act requires significant work and may require an entire company to examine its practices. Additionally, similar to the effect of the EU’s General Data Protection Regulation on domestic law, the Act may force other states to implement similar legislation. For example, last Friday, New York introduced its own bill, similar to the Act, to protect minors and their data.[3]
The four major (but not all) components of the Act include:
(a) Scope. The Act widens the scope of both the entities conducting business in California and the individuals covered by minor-data regulations. The Act covers entities offering online products, services, or features “likely to be accessed” by children, which will encompass entities not previously subject to the fundamental federal minor-data statute, the Children’s Online Privacy Protection Act (“COPPA”).[4] This “likely to be accessed” standard includes the types of services, products, or features covered under COPPA and the broader types of services or products that are known (or should be known) by the company to attract children.[5] For example, the “likely to be accessed by children” standard is met when a company’s internal research reveals that a significant amount of the audience of the service, product or feature is children.[6]
Additionally, the Act governs “children,” defined as consumers (California residents) under the age of 18,[7] while COPPA defines the term as individuals under the age of 13.[8]
(b) Data Protection Impact Assessments (“DPIA”). The California legislature expects companies to do their DPIA homework and will conduct pop quizzes to ensure it. The Act requires entities to complete a DPIA before offering to the public any service, product or feature “likely to be accessed by children.”[9] The Act lists several questions that the DPIA must address, primarily focusing on any potential harm to the child.[10] If the DPIA identifies any risk of “material detriment” to children arising from the “data management practices” of the company, the company must create a “timed plan” to mitigate or eliminate the risk before access by the child.[11]
The California Attorney General can request that the company provide a list of its DPIAs, which must be delivered within three days of the request, or can request production of the DPIAs themselves, which must be delivered within five days of the request.[12] And, regardless of these requests, a company must review all its DPIAs biennially.[13]
(c) Dark Patterns and Geolocation. The California legislature has followed the Federal Trade Commission’s lead in scrutinizing two hot-button data privacy issues: the collection of geolocation data and the use of dark patterns.
The Act prohibits the collection, sale or sharing of any precise geolocation of children “by default” unless it is strictly necessary for providing the service, product or feature and the retention is limited to what is necessary for the provision of that service, product or feature.[14] Also, the business must provide an “obvious sign” to the child that precise geolocation information is being collected for the duration of the collection.[15]
Additionally, the Act prohibits the use of “dark patterns to lead or encourage children:”
- “to provide personal information beyond what is reasonably expected to provide that online service, product, or feature;
- to forego privacy protections, or;
- to take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health, or well-being.”[16]
(d) Age Estimate and Default Protections. In line with the legislative intent, the Act recognizes the vulnerability of children and institutes protections across the different age groups and through the designation of high “default” privacy measures. The Act requires the business to “estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business.”[17] If it does not, the business can instead apply the privacy and data protections afforded to children to all consumers.[18]
A business must configure “all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.”[19] The Act also prohibits any profiling by default unless the business can demonstrate that appropriate safeguards are in place and can demonstrate either (i) that the profiling is necessary only with respect to the service, product or feature with which “the child is actively and knowingly engaged” or (ii) “a compelling reason that profiling is in the best interests of the children.”[20]
Takeaways
- Do Your DPIA Homework. While businesses do not need to comply with this Act right now, they should consider addressing compliance with it in the first or second quarter of 2023. Next year will fly by given the new comprehensive data privacy laws; the turnaround times to provide DPIA information to the California Attorney General are tight; and the Act contemplates the DPIA as compliant with other laws requiring similar assessments, such as the Connecticut Data Privacy Act and the Virginia Consumer Data Protection Act.[21]
- Costly Failing Grade. Although the Act does not create a private right of action, the California AG can assess, per affected child, a $2,500 penalty for each negligent violation of the Act and a $7,500 penalty for each intentional violation of the Act.[22]
- Don’t Sleep During Announcements. This Act is quite vague, but there are numerous sources (direct and indirect) that should aid in a company’s preparation. First, the Act formed the California Children’s Data Protection Working Group, which must deliver a report to the California legislature on the implementation of this Act.[23] Second, the FTC and other governmental authorities may tackle certain data privacy topics like “dark patterns” over the year. Third, the UK will continue to interpret its Age Code statute, and the California legislature may rely on those interpretations.
- Act Your Age…Which Is… The Act broadens the definition of children (under 18 years old) and the types of services, products, and features subject to regulation (likely to be accessed). Given the requirements surrounding default protections and age estimates, a business must consider whether it will institute a form of age verification; otherwise, it may need to enhance its data privacy protections for all its consumers.
California’s true intention behind the Act is obvious: “Hey [Insert social media platforms], Leave those Kids Alone.” However, the overarching application of the Act will force businesses large and small to add compliance with this Act as another brick in their wall of data privacy compliance work.
For information regarding Dykema’s The Firewall Blog, please contact our Blog editors: Dante Stella and Jennifer Torrez.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2022 Dykema Gossett PLLC.
[1] Cal. Civ. Code §§ 1798.99.28 – 1798.99.40.
[2] Assem. Bill 2273, 2021-2022 Reg. Sess. (Cal. 2022) § 1.
[3] 2022 NY Senate-Assembly Bill 09563.
[4] Cal. Civ. Code § 1798.99.31.
[5] Id. § 1798.99.30(b)(4).
[6] Id. § 1798.99.30(b)(4)(F).
[7] Id. § 1798.99.30(b)(1); 1798.140(g).
[8] 15 U.S.C. § 6501(1).
[9] Cal. Civ. Code § 1798.99.31(a)(1)(A).
[10] Id. § 1798.99.31(a)(1)(B).
[11] Id. § 1798.99.31(a)(2).
[12] Id. § 1798.99.31(a)(2).
[13] Id. § 1798.99.31(a)(1)(A).
[14] Id. § 1798.99.31(b)(5).
[15] Id. § 1798.99.31(b)(6).
[16] Id. § 1798.99.31(b)(7).
[17] Id. § 1798.99.31(a)(5).
[18] Id.
[19] Cal. Civ. Code § 1798.99.31(a)(6).
[20] Id. § 1798.99.31(b)(2).
[21] Id. § 1798.99.33(a).
[22] Id. § 1798.99.35(a), (d).
[23] Id. § 1798.99.32.