Although you are likely breathing a sigh of relief after just finishing compliance efforts for the California Privacy Rights Act (“CPRA”), don’t relax just yet. California has another new privacy law going into effect on July 1, 2024: The California Age-Appropriate Design Code Act (“CAADCA”). The new law is aimed at enhancing privacy, data, and safety protections for children and teens who use online platforms. Businesses subject to the CPRA should review the requirements of CAADCA closely to determine how their data protection measures should be updated, as the new law expands upon existing laws geared towards minors, such as California’s Parent’s Accountability and Child Protection Act and the federal Children’s Online Privacy Protection Act (“COPPA”).
Businesses Subject to CAADCA
CAADCA defines “business” the same way as CPRA.[1] But CAADCA applies only to businesses that provide online services, products, or features that are “likely to be accessed by children,” meaning consumers under age 18. This is still a very broad scope, and much broader than, for example, COPPA, which is limited to operators of websites “directed to children” under 13 or with “actual knowledge” that they are collecting personal information from children under 13. CAADCA therefore expands both the age range (by five years) and the types of businesses and websites subject to regulation, since many online services, products, or features may be “likely to be accessed by children” under 18 even if they are not specifically directed at children and the business has no actual knowledge that children use them. Whether an online service, product, or feature is “likely to be accessed by children” is determined based on several factors, including whether it is directed to children, is routinely accessed by a significant number of children, has advertisements marketed to children, has design elements known to be of interest to children (e.g., games, cartoons, music, and celebrities who appeal to children), or has a significant audience that is determined to be children.
Affirmative Requirements of Covered Businesses
CAADCA requires covered businesses to implement the following affirmative actions:
- Perform a Data Protection Impact Assessment. Covered businesses must complete a Data Protection Impact Assessment (“DPIA”) before publicly launching a new online service, product, or feature that is “likely to be accessed by children.” The DPIA must include detailed information about a business’s online service, product, or feature, including its purpose, how it uses children’s personal information, and how it could harm children through its algorithms, design features, and targeted ads. The DPIA is confidential and exempt from public disclosure. Each business must retain documentation of the DPIA for as long as it provides the online service, product, or feature to children and provide a copy to the Attorney General upon request.
- Provide privacy by default. Covered businesses must configure all default privacy settings offered by the online service, product, or feature to offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interest of children.
- Provide a privacy policy and terms. Covered businesses must provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of the children that are likely to access their online service, product, or feature.
- Allow children to exercise privacy rights. Covered businesses must provide prominent, accessible, and responsive tools to help children or their parents/guardians exercise their privacy rights and report concerns.
- Signal monitoring and tracking. If the online service, product, or feature allows a parent, guardian, or any other consumer to monitor a child’s online activity or track the child’s location, the business must provide an obvious signal to the child when the child is being monitored or tracked.
Restrictions on Covered Businesses
CAADCA also prohibits covered businesses from engaging in the following actions:
- Using a child’s personal information in a way that is “materially detrimental to the physical health, mental health, or well-being of a child.”
- Collecting, selling, sharing, or retaining the personal information of children for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason that aligns with the best interests of children.
- Collecting, selling, or sharing any precise geolocation information of children, unless it is strictly necessary for the business to provide the service, product, or feature and only for a limited time.
- Using dark patterns, that is, interface designs that lead or encourage children to provide more personal information than is reasonably needed to provide the online service, product, or feature, to forgo privacy protections, or to take actions the business knows or has reason to know are materially detrimental to the child’s physical health, mental health, or well-being.
- Profiling children, though this prohibition is subject to certain exceptions.
- Using personal information collected to estimate a user’s age or age range for any other purpose, or retaining that personal information longer than necessary to estimate age.
Enforcement of CAADCA
There is no private right of action under CAADCA, but the law authorizes the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. The Attorney General can seek a civil penalty of up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation. A business that is in substantial compliance with the DPIA requirements must be given written notice of an alleged violation and 90 days to cure it before the Attorney General initiates an action for penalties.
Next Steps for California Businesses
While CAADCA does not go into effect until July 1, 2024, it is vital that California businesses take steps to ensure their compliance with the new law in advance of the effective date. These steps may include the following:
- Assess whether your business is subject to CAADCA. Determine if your business’s online products, services, or features are “likely to be accessed by children” under age 18 as defined under the new law.
- Start to prepare a Data Protection Impact Assessment. Familiarize yourself with the requirements of the DPIA and strategize how your business would perform such an assessment. For an online product, service, or feature that was launched before July 1, 2024, a DPIA must be completed by July 1, 2024. After that, a DPIA must be completed before launching any new online service, product, or feature that is “likely to be accessed by children.”
- Provide data privacy information in appropriate language for children. Revise your privacy information, terms of service, policies, and community standards so that they are accessible to the age group of children who are likely to access your online service, product, or feature.
- Start planning changes your business will need to make to ensure compliance. Businesses should consider how they can redesign their products, including those that have launched and those in development, to mitigate the risk of harm to children. For example, businesses will need to adjust their default privacy settings to accommodate a high level of privacy by default. A service, product, or feature should also provide an obvious signal to a child when their online activity is monitored or their location is tracked.
- Ensure that your business is not engaging in any prohibited activities. As described above, CAADCA imposes certain limitations on how and for what purpose a covered business may collect, sell, share, or retain a child’s personal information.
[1] The CPRA defines a “business” as any for-profit entity doing business in California that collects personal information of California residents and satisfies at least one of three thresholds: (i) the company has annual gross revenues of more than $25 million; (ii) the company annually buys, sells, or shares the personal information of at least 100,000 California residents or households; or (iii) the company derives at least 50% of its annual revenues from selling or sharing California residents’ personal information.