California Legislature Passed the Age-Appropriate Design Code Act
6 September 2022
The California legislature has recently passed unanimously by both the State Senate and Assembly the California Age-Appropriate Design Code (Assembly Bill 2273, “the Bill“). Once entered into force, the law will impose new requirements on businesses that provide online services, products or features, that are “likely to be accessed by children”, as further detailed below.
The Bill states, that as children nowadays spend more time in interacting with the online world, the impact of the design of online products and services on children’s well-being has become a focus of significant concern. Therefore, online products and services should adopt data protection regimes appropriate for children of the ages likely to access those products and services. For the purpose of this law – and differently from the federal act on children’s personal data protection (the Children’s Online Privacy Protection Act, “COPPA“) – children are defined as individuals under the age of 18.
The Bill further clarifies, that the proposed law was modelled on the UK’s age appropriate design code (see our related update here), and that the California Children’s Data Protection Working Group, which will be responsible for providing best practices and recommendations related to the law, should take into account the guidance provided by the UK regulator.
The law would apply to any business that provides an online service, product or feature likely to be accessed by children. The Bill defines indicators of whether an online service, product, or feature is “likely to be accessed by” children:
1. It is directed to children as this term defined by the COPPA, which means:
-
- a commercial website or online service targeted to children; or
- portion of a commercial website or online service that is targeted to children.
2. It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children, or an online service, product, or feature that is substantially similar or the same as one routinely accessed by a significant number of children.
3. It has advertisements marketed to children.
4. Internal company research determines that a significant amount of the audience of the online service, product, or feature consists of children.
5. It has design elements that are known to be of interest to children, including games, cartoons, music and celebrities who appeal to children.
The new law would impose several requirements on covered businesses, including:
- A completion of a Data Protection Impact Assessment (“DPIA“) before a new online service, product or feature likely to be accessed by children is offered to the public. The DPIA shall address, inter alia, the following (as applicable):
- Whether its design could harm children, including by exposing them to harmful or potentially harmful content.
- Whether and how the online product, service or feature uses system design features to increase, sustain or extend use of the online product, service or feature by children, including the automatic playing of media, rewards for time spent, and notifications.
- The risk of harm from content, contacts, conduct, algorithms, and targeted advertising used.
- The collection and processing of sensitive personal data of children.
- Documenting any “risk of material detriment to children” that arises from the DPIA conducted by the business and creating a mitigation plan before making the online service, product or feature available to children.
- Upon receiving a written request from the California Attorney General, the covered business should provide the DPIAs completed by the business within three business days.
- Configuring all default privacy settings provided to children by the online service to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.
- Providing any privacy information, terms of service, policies, and community standards “concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.”
- To the extent applicable, a covered business should provide an obvious signal to the child when the child is being monitored or tracked by the child’s parent or guardian.
- A covered business shall not use the personal information of a child in a way that the business knows, or has a reason to know, is materially detrimental to the physical health, mental health or well-being of a child.
- A covered business should not use dark patterns (i.e. practices essentially design tricks made to steer users toward a specific choice) to lead or encourage children to provide personal information beyond what is reasonably excepted to provide to the online service, product or feature.
The new law is still subject to California’s’ Governor’s signature, and if signed as expected, it will enter into force on 1 July 2024. Under the law, the California Attorney General will have exclusive jurisdiction to enforce violations through civil action. Fines for violations could be significant, ranging from $2,500 per affected child for negligent violations, and up to $7,500 per affected child for intentional violations.
The enforcement provisions offer an incentive for businesses to develop and implement a robust DPIA and mitigation plan process, as businesses that have achieved “substantial compliance” with assessment and mitigation plan requirements would have a 90-day grace period to cure, without penalty, any violations identified by the California Attorney General.
This new development demonstrates the focus of the state of California towards data protection and privacy, addressing one of the most concerning issues, children privacy online. Relevant businesses should examine their data flows and assess the law’s applicability to them, as well as the required adjustments of their policies and procedures.
Feel free to contact us if you have any questions regarding the new law and its potential effects on your company’s compliance efforts.