On August 30, 2022, the California legislature passed the California Age-Appropriate Design Code Act (the Act). Modeled after the UK’s Age-Appropriate Design Code, California’s act drastically changes the landscape of online privacy and content availability for minors in California. The Act goes beyond the current federal protections of the Children’s Online Privacy Protection Act (COPPA) and could impose onerous new requirements on companies, whether or not they were previously covered by COPPA. These requirements include, among other things, estimating the ages of minors using the company’s online services; conducting detailed Data Protection Impact Assessments (DPIAs) for new and existing products; significantly restricting the collection, use, and sharing of minors’ personal information; and configuring default privacy settings to a “high level of privacy.” If the bill is signed into law by Governor Newsom, the Act would come into effect July 1, 2024.
The Act applies to all “businesses” that provide an online service, product, or feature “likely to be accessed by children,” but defines children to include any “consumers” under the age of 18, departing from COPPA’s scope of children under the age of 13 and the California Consumer Privacy Act’s (CCPA’s) scope of under the age of 16. The Act borrows the definitions of “business,” “consumer,” and other terms not specifically defined in the Act from the CCPA.
Under the Act, the definition of “likely to be accessed by children” means it is “reasonable to expect” that the service, product, or feature would be accessed by children (i.e., minors), taking into consideration several “indicators,” including whether the online service, product, or feature:
- is “directed to children” as defined by COPPA;
- is routinely accessed by a “significant number of children,” based on “competent and reliable evidence regarding audience composition”;
- contains “advertisements marketed to children”;
- is “substantially similar” to businesses that are routinely accessed by a significant number of children;
- “has design elements that are known to be of interest to children”; and
- has an audience with a “significant amount” of children, based on internal company research.
As written, the California Attorney General (AG) could potentially take the position that these requirements apply broadly to any business covered by the CCPA that is used by California residents under the age of 18.
Data Protection Impact Assessments
Under the Act, businesses must conduct DPIAs prior to the release of any online services, products, or features that are likely to be accessed by minors. These assessments must identify material risks to minors, such as exposure to harmful content, targeting or exploitation by harmful contacts, and the potentially harmful impact of algorithms. Any material risks related to the business’s data management practices identified in the DPIA must be documented and mitigated before the online service, product, or feature is accessed by minors. Businesses are required to provide these assessments to the California AG upon written request. Businesses must conduct DPIAs for existing services, products, and features by July 1, 2024, and any new services, products, and features after July 1, 2024.
Restrictions on Use and Collection of Minors’ Personal Information
The Act contains many restrictions on how businesses can use and collect minors’ personal information (as broadly defined by the CCPA). Covered businesses are prohibited from using a minor’s personal information in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a minor. Businesses also cannot profile minors by default unless they implement adequate safeguards, show that the profiling is necessary to provide the product or service, or show that the “profiling is in the best interests of children.” Other prohibitions include collecting, selling, or sharing the precise geolocation of minors by default; using minors’ personal information for reasons apart from why it was collected; and collecting, selling, or sharing personal information that is not necessary to provide the product or service that is used by minors. Some of these restrictions do not apply if the business can show that the activities are in the best interests of minors.
- Age Estimation: The Act requires all covered businesses to estimate the age of minor users “with a reasonable level of certainty.” If a business chooses not to estimate ages, it can instead apply the same privacy protections for minors to all of its users.
- High Default Privacy Settings: The Act requires that default settings for minors be set to a “high level of privacy,” unless the business can show that doing otherwise is in the “best interests of children.”
- Monitoring and Tracking Signals: The Act requires covered businesses to provide clear signals to minor users if their location or online activity is being tracked or monitored by a parent or any other consumer.
- Privacy Disclosures and Tools: The Act requires covered businesses to provide any privacy disclosures in “clear language suited to the age of children likely to access that online service, product, or feature.” Businesses must also provide tools that help minors exercise their privacy rights.
- Data Protection Working Group: The Act establishes the California Children’s Data Protection Working Group, which will deliver a report to the California Legislature with best practice recommendations for implementing the Act. The group will address issues such as “(a)ssessing and mitigating risks to children that arise from the use of an online service, product, or feature;” “(e)nsuring that age assurance methods used by businesses … are proportionate to the risks that arise from the data management practices of the business;” and “(e)valuating and prioritizing the best interests of children.”
The California AG will have the authority to bring civil actions to enforce the Act, resulting in penalties of up to $2500 per affected minor for each negligent violation and up to $7500 per affected minor for each intentional violation. Any collected penalties will be deposited into the Consumer Privacy Fund created by the CCPA. Businesses will have the opportunity to cure alleged violations within 90 days of the AG issuing written notice, but this opportunity is provided only for businesses that are already in “substantial compliance” with the sections of the Act related to DPIAs. Also, the Act explicitly states that it does not include a private right of action.
Criticisms, Potential Impacts, and Open Questions
The Act has already generated criticism for its potentially far-reaching impacts on businesses and online accessibility for minors, and it leaves many open questions for how it could be interpreted. Some criticisms, potential impacts, and open questions include:
- whether the Act violates the First Amendment by imposing restrictions on content accessible to minors;
- whether any part of the Act is preempted by COPPA;
- whether the Act will functionally require businesses to verify the identity and age of users in a manner more robust than implementing an age gate, which may, paradoxically, result in less consumer privacy, as consumers would not be able to use many internet services without creating an account and verifying their identity; and
- how to interpret the Act’s ambiguous requirement for businesses to enforce their terms of service, policies, and community standards. Read literally, the requirement could mean that companies violate the Act if they fail to enforce against every instance of a user violating their community standards or terms of service, regardless of whether the company is aware of the violation.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor opinions issued by the California AG, revisions to the Act, and litigation and enforcement pursuant to the Act in order to assist clients with compliance with this potential new law. For more information, please contact Tracy Shapiro, Eddie Holman, Roger Li, or another member of the firm’s privacy and cybersecurity practice.