On August 30, 2022, the California legislature passed the California Age-Appropriate Design Code Act (the Act). Modeled after the UK's Age-Appropriate Design Code, California's act drastically changes the landscape of online privacy and content availability for minors in California. The Act goes beyond the current federal protections of the Children's Online Privacy Protection Act (COPPA) and could impose onerous new requirements on companies, whether or not they were previously covered by COPPA. These requirements include, among other things, estimating the ages of minors using the company's online services; conducting detailed Data Protection Impact Assessments (DPIAs) for new and existing products; significantly restricting the collection, use, and sharing of minors' personal information; and configuring default privacy settings to a "high level of privacy." If the bill is signed into law by Governor Newsom, the Act would come into effect July 1, 2024.
Scope
The Act applies to all "businesses" that provide an online service, product, or feature "likely to be accessed by children," but defines children to include any "consumers" under the age of 18, departing from COPPA's scope of children under the age of 13 and the California Consumer Privacy Act's (CCPA's) scope of under the age of 16. The Act borrows the definitions of "business," "consumer," and other terms not specifically defined in the Act from the CCPA.
Under the Act, "likely to be accessed by children" means that it is "reasonable to expect" that the service, product, or feature would be accessed by children (i.e., minors), taking into consideration several "indicators," including whether the online service, product, or feature:
As written, the California Attorney General (AG) could potentially take the position that these requirements apply broadly to any business covered by the CCPA that is used by California residents under the age of 18.
Data Protection Impact Assessments
Under the Act, businesses must conduct DPIAs prior to the release of any online services, products, or features that are likely to be accessed by minors. These assessments must identify material risks to minors, such as exposure to harmful content, targeting or exploitation by harmful contacts, and the potentially harmful impact of algorithms. Any material risks related to the business's data management practices identified in the DPIA must be documented and mitigated before the online service, product, or feature is accessed by minors. Businesses are required to provide these assessments to the California AG upon written request. Businesses must conduct DPIAs for existing services, products, and features by July 1, 2024, and for any new services, products, and features after July 1, 2024.
Restrictions on Use and Collection of Minors' Personal Information
The Act contains many restrictions on how businesses can use and collect minors' personal information (as broadly defined by the CCPA). Covered businesses are prohibited from using a minor's personal information in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a minor. Businesses also cannot profile minors by default unless they implement adequate safeguards, show that the profiling is necessary to provide the product or service, or show that the "profiling is in the best interests of children." Other prohibitions include collecting, selling, or sharing the precise geolocation of minors by default; using minors' personal information for reasons apart from why it was collected; and collecting, selling, or sharing personal information that is not necessary to provide the product or service that is used by minors. Some of these restrictions do not apply if the business can show that the activities are in the best interests of minors.
Other Requirements
Enforcement
The California AG will have the authority to bring civil actions to enforce the Act, resulting in penalties of up to $2500 per affected minor for each negligent violation and up to $7500 per affected minor for each intentional violation. Any collected penalties will be deposited into the Consumer Privacy Fund created by the CCPA. Businesses will have the opportunity to cure alleged violations within 90 days of the AG issuing written notice, but this opportunity is provided only for businesses that are already in "substantial compliance" with the sections of the Act related to DPIAs. Also, the Act explicitly states that it does not include a private right of action.
Criticisms, Potential Impacts, and Open Questions
The Act has already generated criticism for its potentially far-reaching impacts on businesses and online accessibility for minors, and it leaves many open questions for how it could be interpreted. Some criticisms, potential impacts, and open questions include:
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor opinions issued by the California AG, revisions to the Act, and litigation and enforcement pursuant to the Act in order to assist clients with compliance with this potential new law. For more information, please contact Tracy Shapiro, Eddie Holman, Roger Li, or another member of the firm's privacy and cybersecurity practice.