California Age-Appropriate Design Code Act is Law

We anticipated this was coming, so not really a surprise, but it is now law. Governor Newsom signed the California Age-Appropriate Design Code Act into law.

The law regulates business that provide an online service likely to be accessed by children.

One option, of course, is to ban kids from using a company’s web site. That is more likely to happen for sites that don’t cater to kids or make money from kids. It is likely that there will be a significant number of these. It is certainly a first line of defense.

First, here are the criteria that decide if a site is likely to be accessed by a significant number of kids:

  • It is “directed to children,” as defined by the federal Children’s Online Privacy Protection Act (“COPPA”);
  • It is determined to be routinely accessed by a significant number of children (based on competent and reliable evidence regarding audience composition);
  • It has advertisements marketed to children;
  • It is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children;
  • It has design elements that are known to be of interest to children (including, but not limited to, games, cartoons, music, and celebrities who appeal to children); or
  • A significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children.

More importantly, unlike COPPA, which defines a child as under 13, this law defines a child as anyone under 18.

That includes a lot of high school students. If they are legally banned from accessing any number of websites because those sites don’t want to comply with these requirements, that will have a negative impact. I could see a news site decide that kids don’t earn them enough money or that it will cost them too much money to comply, so they require that kids certify that they are over 18. We have already seen this with GDPR, so companies are likely to do the same here.

Likely some of these kids will lie about their age. After all, kids create fake IDs to buy booze and cigarettes, so why not this.

So what does this law now require and now prohibit? Here is a partial list.

Requirements

  • Configure all default privacy settings offered by the online service, product or feature to those that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children;
  • Concisely and prominently provide privacy information, terms of service, policies and community standards, using clear language suited to the age of the children likely to access the online service, product or feature;
  • Before any new online service, product or feature that is likely to be accessed by children is offered to the public, complete a Data Protection Impact Assessment (“DPIA”), and, upon written request, provide the DPIA to the California Attorney General;
  • Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the business’s data management practices, or apply the privacy and data protections afforded to children to all consumers;
  • If the online service, product or feature allows the child’s parent, guardian or any other consumer to monitor the child’s online activity or track the child’s location, provide an obvious signal to the child when the child is being monitored or tracked;
  • Enforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children; and
  • Provide prominent, accessible and responsive tools to help children (or their parents/guardians) to exercise their privacy rights and report concerns.

Prohibited/Restricted Activities

  • Covered businesses are prohibited from using a child’s personal information:
    • for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the “best interests of children;” or
    •  in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.

The Act also places restrictions on the profiling of children, use of dark patterns, and the collection, sale or sharing of children’s personal information, in particular, with respect to geolocation data.

The act also creates a working group to study best practices for implementing the law, but it does not set a timeline for creating those recommendations.

Finally, fines are up to $2,500 per affected kid or $7,500 for willful violations. The good news for businesses is that only the AG can enforce this, so expect limited enforcement.

Remember, this law applies whether you are located in California or not; it matters where the kids are located.

Credit: National Law Review

Leave a Reply

Your email address will not be published. Required fields are marked *