Last week, the California Legislature passed Assembly Bill 2273:  the California Age-Appropriate Design Code Act (“CAADCA”).  CAADCA is an online safety bill, which contains unique privacy requirements to protect minors under the age of 18.

Covered Businesses:  Covered businesses under the bill include any “business,” as defined by the California Consumer Privacy Act, “that provides an online service, product, or feature likely to be accessed by children.”  This means that if your company conducts business in California and (a) has an annual gross revenue of more than $25 million; or (b) alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (c) derives 50% or more of its annual revenue from selling consumers’ personal information, then you will need to evaluate whether your products or services must also address CAADCA requirements.

Products and Services At Issue:  CAADCA regulates digital products, services, and features; it expressly exempts the delivery or use of “physical” products.  CAADCA also exempts health care providers governed by HIPAA, broadband internet access services, and telecommunications services.  CAADCA identifies the following indicators of whether an online service, product, or feature is likely to be accessed by children, and in turn, shall be subject to regulation:

  • The product, service, or feature is directed to children as defined by the Children’s Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq. (“COPPA”);
  • When based on competent and reliable evidence regarding audience composition, the company determines that the product, service, or feature will be routinely accessed by a significant number of children, or is substantially similar to a product, service, or feature already routinely accessed by a significant number of children;
  • The product, service, or feature has advertisements marketed to children; or
  • Internal company research determines that a significant amount of the audience of the online service, product, or feature consists of children.

Requirements:  Covered businesses are required to include privacy-by-default settings, data protection impact assessments within five business days upon request by the California Attorney General, and standards to assess whether services are likely to be accessed by minors.  In practice, companies will need to estimate the age of child users with a “reasonable level of certainty,” appropriate to the potential risks unless providing the same privacy and data protections appropriate to children to all users.

Data protection impact assessment. In addition, all products and services subject to CAADCA will need to be evaluated under a data protection impact assessment that considers (a) the collection and processing of sensitive personal data (as defined under CCPA); (b) the risk of harm from content, contracts, conduct, algorithms, and targeted advertising; and (c) features that increase use, such as rewards, auto-play media, and notifications.  Any “risk of material detriment to children” identified in the data protection impact assessment will require a specific plan with targeted deadlines to mitigate or eliminate risk before children are able to access the product or service.

Privacy by default.  Covered businesses must be sure to configure all default privacy settings provided to children to a high level of privacy unless a compelling reason exists for a different setting being in the best interests of children.  Further, if the service, product, or feature allows parental tracking or child monitoring (for either online activity or location), the child must receive an “obvious signal” that monitoring is taking place.

Privacy policy and terms of use.  Businesses will also be required to craft provisions in the privacy policy and terms of use associated with the product or service in a way that “concisely, prominently, and use[s] clear language suited to the age of children likely to access that online service, product or feature.”

Prohibitions.  Under CAADCA, covered businesses will be prohibited from selling, sharing, or retaining a child’s personal information unless it is necessary to provide the online service product, or feature for which a child is ”actively and knowingly engaged.”  Further, businesses will be unable to use a child’s personal information in any way the company knows or should know will be “materially detrimental” to the physical or mental health and well-being of the child.  Profiling children (using automated processing of personal information to draw insights to predict preferences, behaviors, location, and interests) can only be done as a default if the covered business has employed appropriate safeguards and such profiling is necessary to provide the service and that profiling is limited to what the child is actively using.

Enforcement:  CAADCA will be enforced exclusively by the California Attorney General through civil action.  No private right of action is available.  Fines range from $2,500 per affected child for negligent violations, all the way up to $7,500 per affected child for intentional violations.  However, a 90-day grace period to cure, without penalty, is afforded to companies that develop and implement a robust data protection impact assessment plan and have achieved substantial compliance with it.

CAADCA, if signed by Governor Newsom, will dramatically alter the landscape for children’s privacy in a way not seen since the Children’s Online Privacy Protection Act went into effect in 2000.  As with any significant privacy legislation, preparing ahead of time is essential.  Businesses should evaluate the extent to which CAADCA may apply to their services, and begin planning how best to adapt to the new set of regulations.

Taft’s Privacy and Data Security attorneys will continue to monitor this and other developments relating to CAADCA.  For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.