California Adopts New Privacy Requirements for Online Products, Services, or Features Likely to Be Accessed by Children

Governor Gavin Newsom recently signed into law the California Age-Appropriate Design Code Act (the Act).  In an effort to strengthen the effects of the California Privacy Rights Act of 2020 (CPRA), the Act imposes several new requirements on businesses offering online products, services, or features (collectively referred to as products) that are “likely to be accessed by children.”  The Act will go into effect on July 1, 2024.

Scope of the Act

The Act only imposes requirements upon businesses offering online products or services that are “likely to be accessed by children” (a covered business).  The Act delineates several indicators to determine whether it is reasonable to expect that the product would be accessed by children.  Those indicators are whether the online product is:

• Directed towards children, as defined by the federal Children’s Online Privacy Protection Act;
• Determined to be routinely accessed by a significant number of children;
• Marketing to children;
• Using design elements that are known to be of interest to children; or
• Reaching an audience significantly composed of children.

If the product falls within these indicators, it is subject to the Act’s requirements and enforcement procedures.

Prioritizing the Impact on Children over Commercial Interests

The Act specifically requires that, when a conflict arises between commercial interests and the best interests of children, covered businesses should prioritize the privacy, safety and well-being of children.  As part of this prioritization, the Act requires businesses to estimate the age of children using the product, configure all default privacy settings to offer a high level of privacy, and use privacy terms of services in clear language suited to the age of the children likely to access the product.

The Act also prohibits businesses from taking certain actions regarding children’s personal information, such as using the information for any reason other than the reason for which the information was collected; collecting, selling, or retaining information that is not necessary to provide the product; or collecting a child’s precise geolocation information without clear notification to the child.

Requiring a Data Protection Impact Assessment

The Act requires each covered business to complete a Data Protection Impact Assessment (DPIA) for any of their online products likely to be accessed by children.  A DPIA must identify the purpose of the product, how the product uses children’s personal information, and the risks of material detriment to children that may arise from the business’s data management practices.  Specifically, the DPIA must address whether the design of the product could harm children, lead to children experiencing or being targeted by harmful contacts, permit children to witness harmful conduct, or allow children to be party to a harmful contact.  The DPIA must also address whether children could be harmed by the algorithms or targeted advertising systems used on the product.  Businesses must assess how the product is designed to increase or extend use and whether it collects or processes sensitive personal information of children.

Covered businesses must create a timed plan to mitigate risks of material detriment before children access the online product.

Enforcement of the Act

Any business that violates the Act is subject to an injunction or civil penalty from the State of California.  If a business negligently violates the Act, it is penalized $2,500 per each affected child.  If the business intentionally violates the Act, it is penalized $7,500 per each affected child.  Enforcement of the Act is wholly within the power of the Attorney General of California.  The law explicitly prohibits a private right of action.

The Act establishes the California Children’s Data Protection Working Group, which will report to the legislature regarding best practices for implementation of the Act.

The Act raises many questions regarding the audience of online products, services, or features, and a business’s duty to children.  If you would like to read the full text of the proposed Act, it can be accessed here. 

For more information about the Act or privacy laws in general, please contact John Landolfi, Chris Ingram, Chris LaRocco, Gretchen Rutz, or your Vorys attorney.