United States: Casting A Wide Net On Privacy: California's Age-Appropriate Design Code Act And Implications For Businesses And Covered Entities

Kelley Hostman, Wilson Elser law clerk, participated in writing this article. 

Recently, the world witnessed another win for the protection of children's personal information in the online world. On September 15, 2022, California's Age-Appropriate Design Code Act (CA AADC) was signed into law by Governor Newsom. California's AADC mirrors a UK law that prompted changes by big tech companies but did not drastically alter the online landscape. Much like the UK's Age-Appropriate Design Code (UK AADC), California's legislation focuses on protecting children online by imposing heightened obligations on businesses with online products, services and features that are “likely to be accessed by a child.”

Background and Requirements

Differing from an existing federal framework under the Children's Online Privacy Protection Act of 1998 (COPPA), the CA AADC defines children as all children under the age of 18 years and applies to entities providing services “likely to be accessed by children.”¹ COPPA provides protection to children age 13 years and under and applies to entities that have products and services directly aimed toward children.²

The CA AADC heightens privacy protections by requiring a “high level of privacy” setting as default, and provides that children must be notified of parental monitoring.³ COPPA provides no such provision. Similarly, the CA AADC provides that the collection, sale, retention or sharing of children's personal information must be necessary to provide the child a good or service, whereas COPPA allows covered entities to collect personal information, conditional on parental consent and notice to the child.⁴ Covered entities must come into compliance with AADC provisions no later than July 1, 2024.⁵

To be in compliance with the AADC, businesses should consider these specific requirements:⁶

Affirmative Requirements

• Data Protection Impact Assessments (DPIAs): Businesses must complete DPIAs for products, services or features likely to be accessed by children. DPIAs must identify the purpose of the service and describe the use of any personal information.
• Default to High-Level Privacy Settings (or use age estimation): Businesses must ensure default privacy settings to “offer a high level of privacy” for products, services and features likely to be accessed by children.
• Age Estimation: Businesses shall either apply heightened privacy and data security settings to all consumers or estimate the age of child users.
• Age-Appropriate Language: Businesses must format privacy information, terms of service, policies and relevant community standards in child-friendly language.
• Notice of Parental Monitoring: Businesses must notify children when they are being monitored or tracked via parental monitoring services. 

DPIA Requirements

Before making an online product, service or feature available to the public, covered businesses must conduct a DPIA that must identify the purpose of the product or service, how it will use children's PI, and any risks of “material detriment” to children. 

DPIAs are required to analyze whether the online service, product or feature could:⁷

• Harm or potentially harm children (i.e., exposure to harmful or potentially harmful content)
• Lead to children being targeted by harmful contacts on the platform
• Permit children to witness, participate in or be subject to harmful or potentially harmful conduct
• Allow children to be a party to or be exploited by a harmful contact on the platform
• Harm children via algorithms on the platform
• Extend, increase or sustain the use of the product, service or feature by use of system design features (e.g., automated playing of media)
• Expand the purpose for which children's PI is used or processed.

Personal Information (PI) Restrictions ⁸

• Businesses cannot do the following:
  • Use children's PI for any reason other than the reason for which it was collected, unless there is a “compelling reason” that the use is in the best interest of the child
  • Use children's PI in any way that is “materially detrimental” to the child
  • Collect, share or retain children's PI, unless it is necessary to provide a product, service or feature
  • Collect geolocation of children, unless it is “strictly necessary” to provide a product, service or feature
  • Use dark patterns (i.e., manipulative design features that can encourage children to disclose data beyond what is necessary)
  • Use data collected to approximate age for any purpose other than age estimation. 

• Profiling of children:⁹
  • Businesses may not use any form of automated processing of children's PI to analyze or predict their interests, behavior, location, etc. 

Covered Entities

California's AADC legislation broadens the scope of children's online privacy protections, expanding on the existing federal COPPA legislation. Within the AADC legislation, the “likely to be accessed by children” standard has implications for businesses providing online products and services that children may regularly visit, such as social media apps, sites for video calling and online messaging. These services, although not technically “directed” at children, will have compliance obligations under the statutory langue of the Act. Note that law applies to “businesses” as defined by the California Consumer Privacy Act. ¹⁰

In assessing if a business online product, service or feature is “likely to be accessed by children,” and therefore considered a covered entity, it is important to examine the following: ¹¹

• Whether the product or service is directed toward children
• Whether the product or service is regularly accessed by a significant number of children
• Whether the product or service advertises toward children
• Whether the product or service is substantially similar to one that already is routinely accessed by children
• Whether it contains design elements typically of interest to children (e.g., cartoons, games). 

Enforcements and Penalties

Although the CA AADC does not provide individuals a private right to action, the Act does allow the state Attorney General enforcement authority through injunctions and civil penalties. Any business that violates the Act may be liable up to $2,500 per affected child for each negligent action, and up to $7,500 for each willful or intentional action.¹² Per the Act, penalties recovered from businesses in violation of the Act's requirements will be put toward a Consumer Privacy Fund. ¹³

Appraisals and Implications of AADC

Key provisions in the new legislation include an age estimation requirement and prohibitions on collecting personal information from children. Questions have arisen as to how enforcement of the age estimation requirement will materialize. Critics have raised concerns that the new requirements may become burdensome to web browsing, including questions as to whether the provision will require that websites and apps require facial scans or identification uploads to verify or prove user age. 

Along with this, critics contend that requiring verification of this type may counteract efforts to prohibit the collection of children's PI. Supporters argue that the Act's language gives rise to no express requirement for use of facial scans or other invasive means by which to verify age. The statute directs online businesses to “estimate the age of child users with a reasonable level of certainty appropriate to the risks or apply protections to all consumers.” It should be noted that there has been no age verification enterprise in the UK following the UK's AADC. 

Questions remain as to whether the AADC will be preempted by the current draft of the American Data Privacy and Protection Act or other federal privacy bills aimed at protecting children that are currently in the hands of Congress. Nonetheless, online businesses offering products, services or features likely to be accessed by children should waste no time in creating a compliance plan to meet the Act's requirements by 2024. 

Other questions regarding the implementation and interpretations of relevant statutory language are to be anticipated. What is meant by the “compelling reasons” for use of children's personal information? What specifically constitutes “material detriment” or a “reasonable level of certainty”? The answers to these questions are likely to have a significant and resounding effect on legal issues related to data privacy. 

Risk Mitigation Tactics and Compliance for Covered Entities

Keeping in mind the requirements of the AADC, we have compiled a checklist for businesses putting together a compliance plan:

• Identify consumer and audience base, and the protections already in place for privacy protection.
• Ensure privacy protection language is child friendly and easily understood by children.
• Consult with parents and children, if possible, and gain feedback on their understanding of your privacy policies.
• Ensure optional data collection is switched off by default, and minimize geolocation data by turning automatic location off, where possible.
• Prepare for the implementation and implications of stricter privacy settings going forward.
• Use the UK AADC as a model for guidance on insights regarding compliance. 
  
  

Conclusion

Whether a triumph for children's online privacy rights or a quagmire for online business interests – or both – the CA AADC will undoubtedly have major implications in the legal sphere. The CA AADC statutory language is broad, therefore legal questions and implications surrounding the Act have the potential to be vast and far-reaching. Businesses would be well advised to begin planning now to ensure they are best able to comply with the provisions of the Act come 2024.  

Footnotes

1 Cal. Civ. Code § 1798.99.30(a)(4).

2 15 U.S.C. §§ 6501–6506.

3 Cal. Civ. Code § 1798.99.31 (a)(6), (8).

4  Id.  at (b)(3–4).

5 Id. at (d).

6 Id. at (a).

7 Id.

8 Id.  at (b)(1), (3–8).

9 Id.  at (b)(2).

10 The law applies to “businesses” as defined by the California Consumer Privacy Act – a for-profit organization that does business in California and meets any of three criteria: (1) Has an annual gross revenue of more than $25 million; (2) Alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (3) Derives 50% or more of its annual revenues from selling consumers' personal information.

11 Id. at (a)(1)(B).

12 Cal. Civ. Code § 1798.99.31 (a).

13 Id. at (b).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.