California Children's Privacy and Online Safety Bill Becomes Law: What Does It Mean for Businesses? – Lexology

Review your content’s performance and reach.
Become your target audience’s go-to resource for today’s hottest topics.
Understand your clients’ strategies and the most pressing issues they are facing.
Keep a step ahead of your key competitors and benchmark against them.
add to folder:
Questions? Please contact [email protected]
General Summary
AB 2273, also known as the California Age-Appropriate Design Code Act (ADCA), was signed into law on September 15 and will become effective on July 1, 2024. The ADCA will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children’s Online Privacy and Protection Act (COPPA), with the aim of better protecting children’s privacy and online safety.
In brief, the ADCA, which is modeled after the U.K.’s Age Appropriate Design Code that came into force in September 2020, will require businesses to:
The ADCA will prohibit businesses from:
The California Attorney General will have the authority to adopt regulations, which will likely be based on recommendations from child privacy experts who are members of the ADCA’s newly established Children’s Data Protection Working Group, and enforce the violations of the ADCA through civil penalties.
Key provisions of the ADCA are discussed below.
Who Does the ADCA Apply To?
As written, the ADCA is very broad and could impact many general audience websites that would not otherwise be covered by COPPA. This is not only because the ADCA will raise the age for which children’s privacy protections exist from under the age of 13 to under the age of 18 but also because the law is triggered when a “business” (as defined by the California Consumer Privacy Act (CCPA)) provides an online service that is “likely to be accessed” by minors. This can be distinguished from the current standard in the United States under COPPA, which is triggered by an online platform’s collection of personal information from children. Under the ADCA, an online product or service will be considered “likely to be accessed” by children when it meets any of the following criteria:
There is some ambiguity surrounding what is meant by some of the indicators of whether an online service is “likely to be accessed” by children (listed above). For example, it is unclear how many children must access a site in order for the site to be considered “routinely accessed by a significant number of children,” as the term “significant” is not defined under the ADCA. Depending on how the ADCA is interpreted, it would potentially apply to a wide range of online products, like video conferencing services, online games and social media sites that were previously thought to be geared toward a general audience if those products and services have an audience that includes a notable number of kids (and there’s nothing that explicitly states that a significant number of children is greater than 50%). Hopefully, the definition of “significant” will be clarified in future regulations promulgated by the California Attorney General.
DPIA Requirement
The ADCA would require companies to complete a DPIA for new and existing online products and services and biennially review all DPIAs as long as these online products and services are likely to be accessed by children.
The ADCA DPIA requirement is prescriptive. Specifically, the DPIA must identify the purpose of the online product or service, how it uses children’s personal information, and the risks of material detriment to children that arise from the business’s data management practices, by analyzing whether the online product or service could do any of the following:
The DPIA must consider whether and how system design features are used to increase, sustain or extend children’s use of the online product or service, as well as whether, how and for what purpose the online product or service collects or processes children’s sensitive personal information. “Harmful” and “potentially harmful” are not defined by the ADCA, which also makes those terms ripe for definition by the California Attorney General through regulation.
If the DPIA identifies any risks to children as defined by the ADCA, businesses must create a plan for modifying the online product or service to mitigate or eliminate the risk. While the identified harms do not need to be immediately mitigated or eliminated, businesses must create the plan prior to the online service or product going live.
It is worth noting that the DPIA requirement here is much broader than the requirement under the California Privacy Rights Act (CPRA), which only requires businesses to conduct DPIAs in limited circumstances, such as where processing activities present a “significant risk” to privacy and security (rather than requiring a DPIA for all online services and products that are likely to be accessed by children). Under the CPRA, there are no products, features or activities that are automatically in scope for a DPIA. Furthermore, the CPRA’s DPIA evaluation requirements are not as prescriptive (although this topic may be further addressed by forthcoming regulations from the California attorney general). The CPRA currently requires DPIAs to:
With respect to reporting, under the CPRA, businesses will be required to submit DPIAs to the California Privacy Protection Agency on a regular basis, whereas ADCA DPIAs must be made available to the attorney general within five business days of receipt of a written request.
Finally, businesses should consider engaging a third party to conduct their DPIAs under the ADCA so that the DPIAs could be considered privileged work product. Because the ADCA DPIAs focus on identifying potential harms to children, those DPIAs may contain sensitive business information that would potentially be used against a company in litigation. Therefore, businesses may want to take proactive steps to protect their DPIAs from disclosure during litigation. Note, however, that the ADCA does provide businesses with some protection in matters involving the Attorney General. The ADCA expressly states that disclosure of information in DPIAs to the California Attorney General does not constitute waiver of privilege or work product protection.
Age Estimation Requirement
For online products and services likely to be accessed by children, a business must be able to estimate the age of child users with a reasonable level of certainty appropriate and a level of assurances proportionate to the risks that arise from the data management practices of the business. If the business is unable to reasonably estimate the age of child users, the business must apply the privacy and data protections afforded to children to all users. Because treating all users as children may significantly hamper the ability of users to access the online product or service and the ability of the online product or service to collect information from users, this essentially may require businesses to implement some form of age verification or age gate for all end users.
Prohibition on Automated Profiling
Automated profiling is prohibited unless “appropriate safeguards” have been implemented and the profiling is either necessary to provide the service or “in the best interest of children.” “Profiling” is defined broadly as “any form of automated processing of personal information that uses personal information to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” While other privacy laws—in particular, state student privacy laws—may prohibit the creation of profiles for use in connection with behavioral advertising, the ADCA’s definition of “profiling” is much broader than behavioral advertising profiles and can include profiles that are created for any purpose.
Geolocation Requirements
The ADCA also strictly regulates the collection and use of geolocation information. Under the ADCA, the collection, sharing or selling of precise geolocation information by default is prohibited unless it is “strictly necessary” and only for a limited time. In addition, the ADCA requires businesses to provide an “obvious signal” to the child when the child’s activity or location is being tracked by a third party (e.g., parent or guardian). The fact that the child or the child’s parent has previously agreed to the collection of this information does not relieve the business of the obligation to comply with this requirement. Businesses that are only collecting geolocation information or tracking activity in the background will need to consider how they will communicate this signal to end users. Note that the U.K.’s Age Appropriate Design Code contains a similar requirement to provide an obvious sign to the child when they are being monitored and recommends a “lit-up icon.”
Dark Patterns
Under the ADCA, businesses cannot use dark patterns or other techniques to (i) encourage children to provide additional personal information beyond what is reasonably expected for the online product or service; (ii) forgo privacy protection measures; or (iii) take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health or well-being. This can be distinguished from the CCPA/CPRA’s prohibition of dark patterns, which focuses on making sure consumers can make their own informed choices without having to navigate misleading interfaces and design features. The ADCA’s prohibition of dark patterns is much broader because it is tied to a child’s best interest and well-being.
Penalties under the ADCA can be severe. Any violation of the ADCA is subject to an injunction and liable for a civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation, if the violation is not cured within a 90-day period. While the penalties are limited to each child, it is possible that there may be multiple violations per child, which could greatly increase the number of penalties imposed on businesses. The ADCA does not include a private right of action. The California Attorney General has exclusive jurisdiction to enforce the law.
What Does the ADCA Mean for Businesses?
The breadth of the ADCA may sweep in many online services and products that are now considered outside the scope of children’s privacy laws. These may include children’s websites that do not collect personal information; websites directed toward teens; and general audience sites that are routinely accessed by a significant number of children. In addition, the ADCA’s requirements for compliance are much broader than those of any children’s privacy laws or other California privacy laws because the ADCA focuses not only on the use and collection of personal information but also on how the design of the online product or service may harm a child. Because of the breadth of the ADCA, even though businesses have almost two years until the law is effective, they should consider determining how this law may affect their business as soon as possible
add to folder:
If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected].
© Copyright 2006 – 2022 Law Business Research


Leave a Comment